[Opensim-dev] OAuth as authentication and authorisation (capability) specification

Melvin Carvalho melvincarvalho at gmail.com
Tue Apr 28 22:40:15 UTC 2009


On Wed, Apr 29, 2009 at 12:12 AM,  <diva at metaverseink.com> wrote:
> Christian Scholz wrote:
>> As for the web needing some more intelligent client, maybe that's right
>> but then again we have to deal with it as it's now ;-)
>
> Yes, but that's not the case in Virtual Worlds :-)
> Virtual Worlds have really big, fat clients, full of state and logic to
> their eyeballs. Carrying keys/credentials for verifiable identity is a
> tiny little thing to do, compared to all the other state they carry
> around. Let's not complicate things just because the emerging protocols
> for the Web 2.0 assume that clients are dumb. Our servers and clients
> are being developed as we speak, and we can make them be smart. The
> login process can be:
>
> 1. User enters ID (user@IDprovider) and destination world
> (ARegion@AGrid) in the client
> 2. Client logs in with the ID service -- not with the grid/region,
> because if you do that you immediately place the user at risk of being
> phished. Client gets masterKey directly from the IDprovider. Grid/region
> don't exist in this step, there are no redirects.
> 3. Client requests a key from IDProvider for launching an agent at
> ARegion@AGrid, and it launches that agent, along with the key
> 4. ARegion@AGrid calls back to IDProvider verifying that the given key
> is valid for that user.
>
> Repeat for all other services.
>
> Later, the user wants to Teleport to Foo@FooGrid.
> 5. Client requests a key from IDProvider for launching an agent at
> Foo@FooGrid, and it launches that agent, along with the key
> 6. Foo@FooGrid calls back to IDProvider verifying that the given key is
> valid for that user.

Looks good, but I would advise against using the @ symbol as it normally
means email address, and email addresses are not generally
dereferenceable without hacks (Google have this issue currently).
Sticking to a URL as an identifier will give you lots more
flexibility, and also give you other tactical ability like finding out
profile information, should you so desire.

>
> etc.
>
> This is what Grider does.
> A Web client could do that too, if the Web didn't insist on having its
> browsers thin and blond :-)
> So if there's a place in those new Web 2.0 protocols for smart, slightly
> chubbier brunette clients that'd be great! -- then Tommil can have his
> wish of login with his google account [safely].
>
> Crista / Diva
>
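
The login and teleport exchange from steps 1-6 of the quoted message, with the IDProvider and the regions both modelled. This is an added example, not part of either poster's message and not Grider or OpenSim code. The class and method names are hypothetical, the callback is an in-process call standing in for a network request, and single-use keys stored as hashes are assumptions the thread does not state.

```python
import hashlib
import hmac
import secrets


class IDProvider:
    """Stands in for the identity service of steps 2-6 (hypothetical API)."""

    def __init__(self, passwords):
        self._passwords = passwords  # user -> password (constructed sample data)
        self._sessions = {}          # masterKey -> user
        self._agent_keys = {}        # sha256(agent key) -> (user, destination)

    def login(self, user, password):
        # Step 2: the client authenticates to the IDProvider only, no redirects.
        expected = self._passwords.get(user)
        if expected is None or not hmac.compare_digest(
                expected.encode(), password.encode()):
            raise PermissionError("bad credentials")
        master_key = secrets.token_urlsafe(32)
        self._sessions[master_key] = user
        return master_key

    def issue_agent_key(self, master_key, destination):
        # Steps 3 and 5: mint a key scoped to one user and one destination.
        if master_key not in self._sessions:
            raise PermissionError("unknown masterKey")
        key = secrets.token_urlsafe(32)
        digest = hashlib.sha256(key.encode()).hexdigest()
        self._agent_keys[digest] = (self._sessions[master_key], destination)
        return key

    def verify(self, user, destination, key):
        # Steps 4 and 6: callback from the region. The key is consumed on any
        # presentation (assumption), so replay and wrong-region use both fail.
        digest = hashlib.sha256(key.encode()).hexdigest()
        return self._agent_keys.pop(digest, None) == (user, destination)


class Region:
    def __init__(self, name, idp):
        self.name, self.idp = name, idp

    def launch_agent(self, user, key):
        # The region never sees the password or the masterKey, only the key.
        return self.idp.verify(user, self.name, key)
```

Because the region only ever receives a key bound to its own name, a malicious region that collects keys cannot use them to launch the user's agent elsewhere.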


