[Opensim-dev] OAuth as authentication and authorisation (capability) specification

Melvin Carvalho melvincarvalho at gmail.com
Mon Apr 27 21:27:03 UTC 2009


On Sat, Apr 25, 2009 at 10:47 PM, Diva Canto <diva at metaverseink.com> wrote:
> That sounds reasonable. I should find out more about what the Web 2.0
> crowd is thinking for the "service catalogue", haven't heard that before
> coming from them. Because that's exactly where I have been taking OpenSim :)
>
> Point 4 is also pretty much covered, with code already in place in
> OpenSim, used by Grider. The client requests these tokens from the User
> Server (ID server, whatever you want to call it), sends them to each
> server it wants to use, including regions, the servers in turn verify
> them with the User Server.
>
> So far, I haven't felt the need for OpenID whatsoever. Login can be
> performed directly with the User Server, it doesn't need to be
> redirected from anywhere. (I have a problem with those redirections,
> they are utterly unsafe; if they can be avoided, they should. And I
> think they can.)

It's a good idea to have some kind of decentralised system, whether it be
openid or ssl.

These diagrams may give you a flavour of the interactions you'd use in
each case:

http://esw.w3.org/topic/PushBackDataToLegacySourcesAuthentication

Both are great solutions, imho, openid/oauth slightly more mature, ssl
slightly fewer interactions/redirections, you'll have to decide what
suits best.

>
> Christian Scholz wrote:
>> Diva Canto schrieb:
>>> Let's focus on the goal, before discussing techniques: "I would like
>>> to use my google identity in OpenSim as soon as possible :)"
>>>
>>> Once you've been ID'ed, where would your user services be?
>>
>> For instance by using a service catalogue which is bound to your OpenID
>> and lists where
>>
>> - your profile is (could be implemented using PortableContacts/OpenSocial)
>> - your inventory is (maybe multiple of them)
>> - your preferred IM service is (could be Jabber or IRC or something else)
>> - your contacts are stored (again could be OpenSocial)
>>
>> and so on.
>>
>> This could all be put into an XRDS file which is used by OpenID in the
>> discovery step already.
>>
>> So a workflow might roughly look like this:
>>
>> 1. A user enters two things: An OpenID and the region URL to connect to
>> 2. The client performs an OpenID authentication and retrieves the
>> Service Catalogue associated with it.
>> 3. The client connects to the region and passes the Service Catalogue
>> over (after all the region needs profile data and so on)
>> 4. The client retrieves access tokens for those services which it has
>> been allowed to pass to regions it connects to.
>> 5. The client sends the necessary access tokens to the region
>> 6. The region retrieves the necessary information (e.g. profile data and
>> avatar info) and connects the client to the simulation
>>
>> The big question is 4. and how this is being handled. But as said in an
>> earlier reply, this is exactly what many people are thinking about right
>> now.
>>
>> Another question might also be what the client's responsibility is and
>> what the region's. Of course it could all also be routed through the
>> client but in general I would assume that simulation related things are
>> faster if handled by the region. At least it needs to be allowed to
>> cache those as long as the user is active.
>>
>> But that's more loud thinking here. I might come back with some proposal
>> which has got some more thinking :-)
>>
>> -- Christian
>>
>>>
>>> Tommi Laukkanen wrote:
>>>> Hello
>>>>
>>>> OAuth seems to provide OpenSimulator server side authentication and
>>>> authorisation needs. If you are interested in this area please read
>>>> this page and especially the "What is it for"-chapter:
>>>>
>>>> http://oauth.net/about/
>>>>
>>>> "Is OAuth a New Concept?"-chapter is a good read as well.
>>>>
>>>> Essentially it looks like a way to pass capabilities to servers. For
>>>> example you might give opensim region limited access to your
>>>> inventory.
>>>>
>>>> More details can be found from their community wiki:
>>>>
>>>> http://wiki.oauth.net/
>>>>
>>>> Does anyone know other specifications for service level authentication
>>>> and authorisation (as opposed to browser and user level authentication
>>>> like OpenID and SAML)?
>>>>
>>>> As you can see from the wiki front page, for example, Google offers a
>>>> standard OAuth API. I would like to use my Google identity in OpenSim
>>>> as soon as possible :). Someone might want to use AOL, Flickr, Amazon,
>>>> yahoo or facebook which are already supported. The big difference is
>>>> here that you need not pass your secret password to opensim server or
>>>> go to openid login page at the provider. Idealistviewer could handle
>>>> authentication with google and pass the capability tokens to region
>>>> when connecting to it.
>>>>
>>>> If you want to help Metaverse be realised in the shortest possible time
>>>> please study OAuth and alternative approaches if such exist. I believe
>>>> this area needs some OpenSim community focus to get it properly sorted
>>>> for next technology leap. I hear a new version of CableBeach is coming
>>>> out and it would be great to have a standards-compliant solution in
>>>> the capabilities area. By standards compliant I mean a solution which can
>>>> hook to major identity provider players as of now. The claim of this
>>>> post is that it is already possible with OAuth specification which has
>>>> been written by experts of the area.
>>>>
>>>> If all those major players are supporting OAuth I think it is a strong
>>>> signal that the technology is good and mature. My understanding is
>>>> that it is very well compliant with OpenSim needs as well.
>>>>
>>>> -tommi
>>>> _______________________________________________
>>>> Opensim-dev mailing list
>>>> Opensim-dev at lists.berlios.de
>>>> https://lists.berlios.de/mailman/listinfo/opensim-dev
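The token flow Diva and Christian describe above (the client obtains tokens from the User Server, hands them to the region, the region verifies them with the User Server, and the region only ever gets the limited inventory capability it was given), as an added Python sketch that is not OpenSim or Grider code; the class names, the "region"/"inventory" service names, the scopes and the in-memory token store are assumptions made for the example.

```python
import secrets
import time
# Added example (not OpenSim/Grider code). Assumed model: the User Server issues
# opaque, short-lived tokens bound to one service+scope; servers verify with it.

class UserServer:
    def __init__(self):
        self._tokens = {}  # token -> (user, service, scope, expires_at)

    def issue_token(self, user, service, scope, ttl=300):
        token = secrets.token_urlsafe(24)  # opaque: nothing to forge offline
        self._tokens[token] = (user, service, scope, time.time() + ttl)
        return token

    def verify(self, token, service, scope):
        entry = self._tokens.get(token)
        if entry is None:
            return None
        user, svc, scp, expires_at = entry
        if svc != service or scp != scope or time.time() > expires_at:
            return None  # wrong audience, wrong scope, or expired
        return user

class InventoryService:
    def __init__(self, user_server):
        self.us = user_server

    def read(self, token):
        user = self.us.verify(token, "inventory", "read")
        return f"{user}'s inventory" if user else None

    def write(self, token):
        return self.us.verify(token, "inventory", "write") is not None

class Region:
    def __init__(self, user_server, inventory):
        self.us, self.inv = user_server, inventory

    def connect(self, region_token, inventory_token):
        # The region never sees the password, only tokens scoped to it.
        if self.us.verify(region_token, "region", "connect") is None:
            return None
        return self.inv.read(inventory_token)

def run_flow():
    us = UserServer()
    region = Region(us, InventoryService(us))
    region_tok = us.issue_token("alice", "region", "connect")
    inv_tok = us.issue_token("alice", "inventory", "read")  # read-only
    return region.connect(region_tok, inv_tok), region.inv.write(inv_tok)
```

A token presented to the wrong service, with the wrong scope, or after its expiry fails verification, so a region that holds only a read token cannot write to the inventory even though it talks to the same service.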