[Opensim-dev] OAuth as authentication and authorisation (capability) specification
Christian Scholz
cs at comlounge.net
Sat Apr 25 21:30:56 UTC 2009
Diva Canto wrote:
> Christian Scholz wrote:
>> We have been talking about it quite a bit in early 2008 in the
>> DataPortability Group. There was also some discussion about that concept
>> in the DiSo group.
>>
>> [...]
>
> Cool.
>
>>> Point 4 is also pretty much covered, with code already in place in
>>> OpenSim, used by Grider. The client requests these tokens from the
>>> User Server (ID server, whatever you want to call it), sends them to
>>> each server it wants to use, including regions, the servers in turn
>>> verify them with the User Server.
>> But I assume that this won't work with services outside the OpenSim
>> realm? (e.g. MySpace)
>
> I haven't been thinking of those uses, but I don't see any reason why it
> shouldn't work in exactly the same way. You need: (a) an ID server; (b)
> a client for the user; (c) a bunch of services that the user uses.
> Upon login, a master key is given to the client. That master key is then
> used by the client to request tokens from the ID server for each service
> that the user wants to use. Those tokens are sent along the first time
> the client accesses the services, and the services verify the tokens
> with the given authority in them.
I think that's basically the idea behind many of the proposals. You have
some relationship manager which holds associations to all the
services you use. You then only authorize that relationship manager to
give out tokens to some third party on your behalf. This then can be
automatic or you might choose to be asked each time you teleport.
I have yet to understand the details of ProtectServe but it seems to be
something along those lines based on OAuth. Additionally I think they
also handle contracts between those services so that you can define in
detail which service has access to what data. But I am not sure on this
point right now.
> If you want to see how this key request/verification process currently
> works in OpenSim, take a look at
> OpenSim/Framework/Communications/UserManagerBase -- at the very end of
> that file.
Will do (but tomorrow, getting late here).
> Those keys are sent along authenticated requests, like for example
> OpenSim/Framework/Communications/Services/HGInventoryService
> This particular service then establishes a bunch of CAP URLS for secure
> access to inventory.
>
> Service discovery is another matter, I think. For starters, we can
> assume that the user explicitly specifies the URLs of the services it
> uses -- so that service catalogue you mentioned -- in his/her ID server.
What exactly is the ID server? And if you have some sort of server then
I guess it would be easy to write some web frontend to create some XRDS
or XRD file, after all it's rather simple XML. (Some OpenID or XRI
providers even let you edit your XRDS file already).
>> The reason I like OpenID and OAuth is that it will allow in the future
>> to manage a limited set of identities properly. There is no need to
>> create yet another account with profiles etc. on each service. This is
>> also very much where the discussions in the social networking space are
>> heading right now and it would be great if I can reuse the same things
>> in OpenSim, too.
>
> You don't need OpenID redirects to do this. You login directly with your
> ID service.
Well, that means though that I am bound to that service and probably
need yet another login/password to remember.
But I think in general the best would be a flexible authentication
architecture where the user can choose between different mechanisms, be
it OpenID, simple username/password, an InformationCard/CardSpace
approach or the SSL solution. What the user supports could also be stored
in the XRD file and what the service supports could be stored in the
service's XRD file (as you can of course use the same concept for
checking on the services a region provides, much like GridInfo).
-- Christian
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-dev
--
COM.lounge GmbH
http://comlounge.net
Hanbrucher Strasse 33, 52064 Aachen
Amtsgericht Aachen HRB 15170
Managing directors: Dr. Ben Scheffler, Christian Scholz
email: info at comlounge.net
phone: +49-241-4007300
fax: +49-241-97900850
personal email: cs at comlounge.net
personal blog: http://mrtopf.de/blog
personal podcasts: http://openweb-podcast.de, http://datawithoutborders.net
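The issuance and verification flow Diva describes above (login yields a master key, the client trades it for a token per service at the ID server, the service checks the token back with the ID server and then hands out CAP URLs), as an added example that is not OpenSim's code and not part of this thread. The HMAC-signed token format, the audience and expiry fields, the in-process "ID server" and the sample user are assumptions made for this illustration only:

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# Added example, not OpenSim code. Models the flow from the thread:
# login -> master key; master key -> per-service token from the ID server;
# the service verifies the token with the ID server and then issues a CAP URL.
# Token layout (user|audience|expiry|nonce, HMAC-SHA256 over it) is assumed.

TOKEN_TTL = 300  # seconds a service token stays valid (assumed value)


class IDServer:
    """Hypothetical 'User Server' / ID server holding the signing key."""

    def __init__(self):
        self._signing_key = secrets.token_bytes(32)   # never leaves the ID server
        self._users = {"alice": "correct horse battery staple"}  # constructed sample user
        self._master_keys = {}                        # master key -> user name

    def login(self, user, password):
        """Successful login hands the client a fresh random master key."""
        if self._users.get(user) != password:
            return None
        master_key = secrets.token_urlsafe(32)
        self._master_keys[master_key] = user
        return master_key

    def _mac(self, payload):
        return hmac.new(self._signing_key, payload, hashlib.sha256).hexdigest()

    def issue_token(self, master_key, service_url, now=None):
        """Client exchanges its master key for a token bound to ONE service (the audience)."""
        user = self._master_keys.get(master_key)
        if user is None:
            return None
        now = now or int(time.time())
        fields = [user, service_url, str(now + TOKEN_TTL), secrets.token_hex(8)]
        payload = "|".join(fields).encode()
        return base64.urlsafe_b64encode(payload).decode() + "." + self._mac(payload)

    def verify(self, token, service_url, now=None):
        """Called by a service on first contact; returns the user name or None."""
        try:
            b64, mac = token.split(".", 1)
            payload = base64.urlsafe_b64decode(b64.encode())
        except (ValueError, binascii.Error):
            return None
        if not hmac.compare_digest(mac, self._mac(payload)):
            return None            # tampered or forged
        try:
            user, audience, expiry, _nonce = payload.decode().split("|")
        except ValueError:
            return None
        now = now or int(time.time())
        if audience != service_url:
            return None            # token was issued for a different service
        if int(expiry) < now:
            return None            # expired
        return user


class Service:
    """A region or inventory service that trusts the ID server for verification."""

    def __init__(self, url, id_server):
        self.url = url
        self._id_server = id_server
        self._caps = {}            # unguessable CAP URL -> user name

    def first_contact(self, token):
        """Verify the token with the ID server; on success hand out a CAP URL."""
        user = self._id_server.verify(token, self.url)
        if user is None:
            return None
        cap = self.url + "caps/" + secrets.token_urlsafe(16)
        self._caps[cap] = user
        return cap

    def use_cap(self, cap):
        """Later requests carry only the CAP URL; it resolves to the user it was minted for."""
        return self._caps.get(cap)


def demo():
    ids = IDServer()
    inventory = Service("https://inventory.example/", ids)
    region = Service("https://region.example/", ids)
    master_key = ids.login("alice", "correct horse battery staple")
    token = ids.issue_token(master_key, inventory.url)
    cap = inventory.first_contact(token)
    # A compromised inventory service cannot replay alice's token at the region.
    replayed = region.first_contact(token)
    return {"cap_user": inventory.use_cap(cap), "replay_accepted": replayed is not None}


if __name__ == "__main__":
    print(demo())
```

The check that matters is the audience comparison in `verify`: because each token names the service it was issued for, a service that receives one cannot present it to a different service, which is what makes the per-service tokens behave like capabilities rather than a second password. Verification here round-trips to the ID server, as in the thread; the ID server therefore sees every first contact, and a service that caches verification results must also cache the expiry.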