[Opensim-dev] OAuth as authentication and authorisation (capability) specification

[diva at metaverseink.com]

Christian Scholz wrote:
> As for the web needing some more intelligent client, maybe that's right 
> but then again we have to deal with it as it's now ;-)

Yes, but that's not the case in Virtual Worlds :-)
Virtual Worlds have really big, fat clients, full of state and logic to 
their eyeballs. Carrying keys/credentials for verifiable identity is a 
tiny little thing to do, compared to all the other state they carry 
around. Let's not complicate things just because the emerging protocols 
for the Web 2.0 assume that clients are dumb. Our servers and clients 
are being developed as we speak, and we can make them be smart. The 
login process can be:

1. User enters ID (user at IDprovider) and destination world 
(ARegion at AGrid) in the client
2. Client logs in with the ID service -- not with the grid/region, 
because if you do that you immediately place the user at risk of being 
phished. Client gets masterKey directly from the IDprovider. Grid/region 
don't exist in this step, there are no redirects.
3. Client requests a key from IDProvider for launching an agent at 
ARegion at AGrid, and it launches that agent, along with the key
4. ARegion at AGrid calls back to IDProvider verifying that the given key 
is valid for that user.

Repeat for all other services.

Later, users wants to Teleport to Foo at FooGrid.
5. Client requests a key from IDProvider for launching an agent at 
Foo at FooGrid, and it launches that agent, along with the key
6. Foo at FooGrid calls back to IDProvider verifying that the given key is 
valid for that user.

etc.

This is what Grider does.
A Web client could do that too, if the Web didn't insist on having its 
browsers thin and blond :-)
So if there's a place in those new Web 2.0 protocols for smart, slightly 
chubbier brunette clients that'd be great! -- then Tommil can have his 
wish of login with his google account [safely].

Crista / Diva