[Opensim-dev] Authentication and oAuth

Diva Canto diva at metaverseink.com
Mon Mar 2 19:44:56 UTC 2009


Tommi Laukkanen wrote:
> Do you mean that the caps url is processed when client invokes it to 
> deduce what is encoded in the url to get capability out of it or do 
> you mean that the CAPS URLs are temporary and have short life time 
> like that of a client session?
With the current CAPs for the client, both of your statements are true. 
We first send a "seed cap" to the client regarding the region where it 
is moving to, which is dynamically generated; then the client comes back 
to that seed URL to ask for more CAPs that are also dynamically 
generated. All of these CAPs exist only while the client has a presence 
in the region.

The set of CAPs sent by the region to the client varies, even now. For 
example, if you have Voice enabled, the region will send the 
Voice-related CAPs; if it's disabled, those CAPs aren't sent.

So, we're already using CAPs in OpenSim to some degree of 
sophistication, although, by looking at the CAPs-related code, they have 
been handled as annoyances that the Linden client forces us to deal with 
:-) The way we use them is moot for security purposes; we're just trying 
to prevent the client from crashing on us.

> Their statement could be political as well. When I was reading their 
> detailed specification there was a user authentication phase as well 
> where a user token and secret were passed, which could be user name 
> and password. Of course these can also be OpenId-generated tokens, but 
> it looked a bit like the actual OpenId tokens proposal never got into 
> the specification. The oAuth specification needs closer study or we 
> need an oAuth expert to go deeper. (Or we need to spend some time 
> reading the spec ourselves (Fear))
The major technical question mark I have about OAuth is the point about 
separate authentication. When I read the spec, it seemed pretty clear to 
me that OAuth requires separate authentication -- they have that written 
very clearly in that document. If you can show me that's not the case, I 
will listen. (and if, indeed, it's not the case, I will then proceed to 
argue that OAuth is a capability model :-)

Crista
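The seed-cap flow described in the message above (a dynamically generated seed URL, child caps minted only through that seed, everything dying with the agent's presence), sketched as an added Python model; this is illustration code, not OpenSim's implementation, and the URL layout, agent ids and the rule that caps whose names start with "Voice" are withheld when voice is off are constructed assumptions.

```python
import secrets


class RegionCaps:
    """Per-region capability table; the unguessable URL path is the credential."""

    def __init__(self, base_url, voice_enabled=False):
        self.base_url = base_url
        self.voice_enabled = voice_enabled
        self._caps = {}       # path -> (agent_id, cap name)
        self._by_agent = {}   # agent_id -> set of paths owned by that presence

    def _mint(self, agent_id, name):
        # 256 random bits per cap: not derivable from the agent id or region name.
        path = "/CAPS/" + secrets.token_urlsafe(32) + "/"
        self._caps[path] = (agent_id, name)
        self._by_agent.setdefault(agent_id, set()).add(path)
        return self.base_url + path

    def _resolve(self, url):
        if not url.startswith(self.base_url):
            return None
        return self._caps.get(url[len(self.base_url):])

    def create_presence(self, agent_id):
        """Agent is about to enter the region: hand it a fresh seed cap URL."""
        return self._mint(agent_id, "SEED")

    def seed_request(self, seed_url, wanted):
        """Client calls the seed cap with the cap names it wants; mint those this region offers."""
        hit = self._resolve(seed_url)
        if hit is None or hit[1] != "SEED":
            return None                      # unknown, revoked, or not a seed cap
        agent_id = hit[0]
        granted = {}
        for name in wanted:
            # Constructed rule standing in for "voice caps are only sent when voice is on".
            if name.startswith("Voice") and not self.voice_enabled:
                continue
            granted[name] = self._mint(agent_id, name)
        return granted

    def invoke(self, url):
        """Service a cap request; returns (agent_id, cap name) or None if the URL is dead."""
        return self._resolve(url)

    def remove_presence(self, agent_id):
        """Presence ends (teleport away, logout): every cap it owned stops working."""
        for path in self._by_agent.pop(agent_id, set()):
            self._caps.pop(path, None)
```

Because every cap is bound to a presence and revoked with it, a leaked URL is only useful for as long as the agent is in that region, which is the lifetime property the message describes.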