[Opensim-dev] OAuth as authentication and authorisation (capability) specification

Christian Scholz cs at comlounge.net
Thu Apr 30 07:12:04 UTC 2009


Good morning!

diva at metaverseink.com wrote:
> Christian Scholz wrote:
>> As for the web needing some more intelligent client, maybe that's right 
>> but then again we have to deal with it as it's now ;-)
> 
> Yes, but that's not the case in Virtual Worlds :-)

Sure, but I think we differ a bit on our goals ;-) You want the best 
solution for OpenSim related worlds, I want the best solution for 
getting web and virtual worlds together (which includes some solution 
for social networks per se as well). So that's why I am mostly proposing 
standards already being used on the web.

I think it also would benefit OpenSim if I can reuse accounts and data I 
have stored elsewhere and e.g. would be able to login to OpenSim via 
Facebook and have all my friends instantly available there as well.

OpenSim even has an advantage over social networks in this case because 
distributed authorization and many other things are more naturally 
needed here than on the web (although that's changing as people store 
more and more data on more and more services and thus have more and more 
accounts to remember). It's basically more straightforward to connect 
certain regions than to connect various social networks because the 
latter only makes sense in the big picture while connecting regions 
might already be useful for a few people who want to come together.
So OpenSim/Second Life could be pioneering this field (and many data 
resources are also similar, like profiles, IM, groups, friends list, assets).

> Virtual Worlds have really big, fat clients, full of state and logic to 
> their eyeballs. Carrying keys/credentials for verifiable identity is a 
> tiny little thing to do, compared to all the other state they carry 
> around. Let's not complicate things just because the emerging protocols 
> for the Web 2.0 assume that clients are dumb. Our servers and clients 
> are being developed as we speak, and we can make them be smart. The 
> login process can be:
> 
> 1. User enters ID (user@IDprovider) and destination world 
> (ARegion@AGrid) in the client
> 2. Client logs in with the ID service -- not with the grid/region, 
> because if you do that you immediately place the user at risk of being 
> phished. Client gets masterKey directly from the IDprovider. Grid/region 
> don't exist in this step, there are no redirects.
> 3. Client requests a key from IDProvider for launching an agent at 
> ARegion@AGrid, and it launches that agent, along with the key
> 4. ARegion@AGrid calls back to IDProvider verifying that the given key 
> is valid for that user.

Sounds good. Any plans on using OAuth for doing those requests? At least 
for signing them with those keys, not for retrieving the access token?
It basically would mean that the client is more involved in key transfer 
than usually on the web, but the basic principle would be the same and 
then standardized.

(I assume you have thought about possible attack scenarios for that process)

> 
> Repeat for all other services.
> 
> Later, the user wants to teleport to Foo@FooGrid.
> 5. Client requests a key from IDProvider for launching an agent at 
> Foo@FooGrid, and it launches that agent, along with the key
> 6. Foo@FooGrid calls back to IDProvider verifying that the given key is 
> valid for that user.
> 
> etc.
> 
> This is what Grider does.
> A Web client could do that too, if the Web didn't insist on having its 
> browsers thin and blond :-)
> So if there's a place in those new Web 2.0 protocols for smart, slightly 
> chubbier brunette clients that'd be great! -- then Tommil can have his 
> wish of login with his google account [safely].

I still cannot really see how you can do that. Where do I enter my OpenID?

As for the web, surely browsers could be smarter, but then they also 
would be harder to implement and you'd first have to agree on a 
standard to do such things on the whole web. Esp. the latter seems very 
difficult. It's also more flexible that way. Now OpenID providers can 
use various ways to authenticate a user. If clients only provide 
username/password auth then that would eventually be limiting. Right now 
web browsers act maybe more like an operating system. You write your app 
and run it there and it has certain possibilities, with the downside of 
course that you have a dumber client (although one could maybe implement 
a plugin, but getting mass adoption of that is hard and any download a 
user needs to do will most likely not be made, which raises the barrier 
of entry).


-- Christian



> 
> Crista / Diva


-- 
COM.lounge GmbH
http://comlounge.net
Hanbrucher Strasse 33, 52064 Aachen
Amtsgericht Aachen HRB 15170
Managing directors: Dr. Ben Scheffler, Christian Scholz

email: info at comlounge.net
phone: +49-241-4007300
fax: +49-241-97900850

personal email: cs at comlounge.net
personal blog: http://mrtopf.de/blog
personal podcasts: http://openweb-podcast.de, http://datawithoutborders.net
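The login and teleport flow quoted in this thread (steps 1 to 6), worked through as an added Python simulation. This is example code written for this page; it is not Grider, OpenSim or any code by either poster. The thread does not say how IDProvider mints or checks keys, so the key format (random tokens), the password storage (PBKDF2), and the choices that each agent key is bound to one destination, expires, and can be verified only once are all assumptions made here; the account, region names and password are constructed sample values. The point it shows is the one Diva makes in step 2: the password and the masterKey only ever travel between client and IDProvider, and a region learns nothing it could replay or present elsewhere.

```python
import hashlib
import hmac
import secrets
import time


class IDProvider:
    """Hypothetical identity provider: the only party that ever sees the password."""

    def __init__(self):
        self._users = {}       # user id -> (salt, PBKDF2 digest); constructed accounts
        self._master = {}      # masterKey -> user id (step 2)
        self._agent_keys = {}  # agent key -> (user id, destination, expiry) (steps 3/5)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._digest(password, salt))

    def login(self, user, password):
        """Step 2: authenticate the client directly and hand back a masterKey."""
        salt, stored = self._users.get(user, (b"", b""))
        if not stored or not hmac.compare_digest(self._digest(password, salt), stored):
            raise PermissionError("bad credentials")
        master_key = secrets.token_urlsafe(32)
        self._master[master_key] = user
        return master_key

    def issue_agent_key(self, master_key, destination, ttl_seconds=300):
        """Steps 3 and 5: mint a short-lived key bound to exactly one destination."""
        user = self._master.get(master_key)
        if user is None:
            raise PermissionError("unknown master key")
        key = secrets.token_urlsafe(32)
        self._agent_keys[key] = (user, destination, time.monotonic() + ttl_seconds)
        return key

    def verify_agent_key(self, key, user, destination):
        """Steps 4 and 6: the region's callback. Assumed single-use (consumed on first check)."""
        record = self._agent_keys.pop(key, None)
        if record is None:
            return False
        bound_user, bound_destination, expiry = record
        return bound_user == user and bound_destination == destination and time.monotonic() < expiry


class Region:
    """A region/grid: never sees the password or the masterKey, only per-visit keys."""

    def __init__(self, name, idp):
        self.name, self.idp, self.agents = name, idp, set()

    def launch_agent(self, user, key):
        if not self.idp.verify_agent_key(key, user, self.name):
            return False
        self.agents.add(user)
        return True


class Client:
    """The 'fat' client: holds the masterKey and asks for one key per destination."""

    def __init__(self, idp):
        self.idp, self.user, self.master_key = idp, None, None

    def login(self, user, password):
        self.user = user
        self.master_key = self.idp.login(user, password)

    def travel_to(self, region):
        key = self.idp.issue_agent_key(self.master_key, region.name)
        return region.launch_agent(self.user, key)


def run_flow():
    """Run the quoted flow plus three checks a region operator would want to hold."""
    idp = IDProvider()
    idp.register("alice@idprovider.example", "correct horse battery")  # constructed account
    a_region, foo = Region("ARegion@AGrid", idp), Region("Foo@FooGrid", idp)
    client = Client(idp)
    client.login("alice@idprovider.example", "correct horse battery")  # steps 1-2
    results = {"login_destination": client.travel_to(a_region),         # steps 3-4
               "teleport": client.travel_to(foo)}                       # steps 5-6
    # A key minted for one destination does not verify at another.
    key_for_a = idp.issue_agent_key(client.master_key, a_region.name)
    results["key_at_wrong_region"] = foo.launch_agent(client.user, key_for_a)
    # A key that has already been verified cannot be presented again.
    key_once = idp.issue_agent_key(client.master_key, a_region.name)
    a_region.launch_agent(client.user, key_once)
    results["replay"] = a_region.launch_agent(client.user, key_once)
    # A wrong password never yields a masterKey.
    try:
        idp.login("alice@idprovider.example", "wrong")
        results["bad_password_rejected"] = False
    except PermissionError:
        results["bad_password_rejected"] = True
    return results
```

Running `run_flow()` returns True for the two legitimate visits and False for the key used at the wrong region and for the replayed key. Christian's follow-up question about OAuth concerns how the client would sign the requests in steps 3 to 6 with these keys; that signing layer is deliberately left out here, since the simulation only models what each party is allowed to learn.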



