[Opensim-dev] Authentication and oAuth

Diva Canto diva at metaverseink.com
Mon Mar 2 17:55:32 UTC 2009 

Forgot to clarify this point.

Tommi Laukkanen wrote:
> As conclusion CAPS URLs we talk here seem to be a kind of caching 
> mechanism where we do authentication and authorisation on client login 
> and store the authorisation information to CAPS URLs which client can 
> access directly and we do not need to authenticate&authorize anymore. 
CAPs URLs are generated everytime the client moves into a new region. 
Look at Scene.AddNewUser, which is run everytime an agent comes on the 
way of the region, and then CloseConnection, which is run everytime the 
client goes away.

You are right in implying that right now, we use CAPs only because the 
Linden viewer forces us to. Yes, that is correct. And we use them in a 
completely security-defying manner, even for the Linden client that we 
are already supporting -- as I described a few emails ago.

> As such CAPS URL is not a competitor to either OpenId nor oAuth. 
> OpenId is authentication mechanism and oAuth is authorization 
> mechanism for consuming services from remote interfaces. 
They are competitors for the security scheme that doesn't exist yet 
concerning the authentication & authorization between user agents and 
regions. Right now, that is totally unprotected, security doesn't exist, 
the process relies on mutual trust - that's what I'm going to change, 
because it needs to be made safe for decentralized VWs like the Hypergrid.

A bit of OpenSim history here. Sometime ago, someone tried to add an 
authorization step into inventory access, checking the session id (again 
this would have been extremely weak security, but it would have been 
better than nothing; at least it would secure the inventory server from 
web clients and from regions after the client had logged out). The 
authorization step, however, involved an extra call to the User server 
to verify the session id. Some people found that the performance penalty 
was way too high to be worth the trouble, so the effort was abandoned. 
(Right now, the inventory access code is a big mess, impossible to explain.)

Any authentication & authorization mechanism that avoids separating 
these two things into separate messages is a major plus.

Crista

More information about the Opensim-dev mailing list