[Opensim-dev] Authentication and oAuth

Tommi Laukkanen tommi.s.e.laukkanen at gmail.com
Mon Mar 2 17:53:54 UTC 2009


Hello again

This kind of argumentation really helps us to weed out problems before we
implement them.

I think that if people have been at war over this issue for years then
either both parties or one of them has not been entirely logical. After all,
in engineering issues it should be possible to deduce how things are and
arrive at a conclusion which both parties agree is right and proper. This
does not apply to religious disputes like claiming the Earth is the center of
the universe. I would not take advice from religious people on engineering.

> > 2) Server has to store the CAPS URL information to memory or database
> > which is extra overhead.
> Incorrect. Capability URLs can and are generated on the fly. Look, for
> example, at Caps.cs that handles about 1/2 of the Caps we pass to the
> client (the other half is spread in several modules that subscribe to
> OnRegisterCaps). They are also detracted on the fly. We already do this
> dynamic management for the CAPs we pass to the client. That is exactly
> the thing that I like the most. It's not just that the authorization is
> generated on the fly; the service handle itself is dynamic. So the
> service is only there during the appropriate context.


Do you mean that the CAPS URL is processed when the client invokes it, to
deduce what is encoded in the URL and get the capability out of it, or do you
mean that the CAPS URLs are temporary and have a short lifetime like that of a
client session?

> > It looks to me that oAuth might be used for authentication as well so
> > it could replace OpenId entirely.
>
> I don't think so. The spec for OAuth clearly says that it doesn't
> concern the authentication steps, which can be done in a number of ways.
> They do suggest, however, that OpenID+OAuth is a good combination.
>

Their statement could be political as well. When I was reading their
detailed specification there was a user authentication phase as well, where
a user token and secret were passed, which could be a user name and password.
Of course these can also be OpenId-generated tokens, but it looked a bit like
the actual OpenId tokens proposal never got into the specification.
The oAuth specification needs closer study or we need an oAuth expert to go
deeper. (Or we need to spend some time reading the spec ourselves (Fear))

regards,
Tommi
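
The two readings of "generated on the fly" that the question above distinguishes, as an added example that is not part of the original message and is not OpenSim's Caps.cs code. All names (`SERVER_KEY`, `mint_stateless`, `check_stateless`, `SessionCaps`) and the `/CAPS/` path layout are hypothetical.

```python
import base64, hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # hypothetical per-process signing key

def _enc(b): return base64.urlsafe_b64encode(b).decode().rstrip("=")
def _dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Reading 1: the URL encodes the capability and the server stores nothing.
# On each request the HMAC is recomputed. Cost: no revocation before expiry.
def mint_stateless(agent, cap, ttl, now=None):
    expires = int((time.time() if now is None else now) + ttl)
    body = f"{agent}|{cap}|{expires}".encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return f"/CAPS/{_enc(body)}.{_enc(tag)}"

def check_stateless(path, now=None):
    try:
        body_s, tag_s = path.removeprefix("/CAPS/").split(".")
        body, tag = _dec(body_s), _dec(tag_s)
    except ValueError:                      # malformed path or base64
        return None
    good = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):  # verify before parsing fields
        return None
    agent, cap, expires = body.decode().split("|")
    if (time.time() if now is None else now) >= int(expires):
        return None
    return agent, cap

# Reading 2: the URL is a random handle that exists only while registered.
# Cost: one table entry per live capability; benefit: instant retraction.
class SessionCaps:
    def __init__(self):
        self._live = {}                     # path -> (agent, cap)

    def register(self, agent, cap):
        path = f"/CAPS/{secrets.token_urlsafe(32)}"
        self._live[path] = (agent, cap)
        return path

    def retract_agent(self, agent):         # e.g. when the session ends
        self._live = {p: v for p, v in self._live.items() if v[0] != agent}

    def check(self, path):
        return self._live.get(path)
```

In either reading the URL is a bearer secret: whoever holds it can invoke the capability until it expires or is retracted.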