[Opensim-dev] Authentication and oAuth

2009-03-01 Thread Tommi Laukkanen
Hello Everyone who is interested in authentication should check this out: http://oauth.net/core/1.0/ Looks well established standard which does OpenId+Tokens and is getting adopted in web industry. What do you think? regards, Tommi

Re: [Opensim-dev] Authentication and oAuth

2009-03-01 Thread Tommi Laukkanen
It looks like OpenId Authentication 2.0 has similar functionality: http://openid.net/specs/openid-authentication-2_0.html

regards, Tommi

On Sun, Mar 1, 2009 at 4:42 PM, Tommi Laukkanen <tommi.s.e.laukka...@gmail.com> wrote:
> Hello
>
> Everyone who is interested in authentication should check

Re: [Opensim-dev] Authentication and oAuth

2009-03-01 Thread Dirk Krause
: opensim-dev@lists.berlios.de
Subject: [Opensim-dev] Authentication and oAuth

Hello Everyone who is interested in authentication should check this out: http://oauth.net/core/1.0/ Looks well established standard which does OpenId+Tokens and is getting adopted in web industry. What do you think

Re: [Opensim-dev] Authentication and oAuth

2009-03-01 Thread Diva Canto
Tommi, Thanks for the pointers about OAuth. I think this is really important. We need to figure out what security scheme works best for open Virtual Worlds. I don't necessarily think that we need to tie OpenSim to one specific scheme, but we really need to figure out what the user experience

Re: [Opensim-dev] Authentication and oAuth

2009-03-01 Thread Tommi Laukkanen
Hi Diva Thanks for the analysis. I have to admit I have only quickly scanned the oAuth spec. They advertise that it works for desktop applications so I assume it should not necessarily be too complex for the end user and not too hard to implement either. Someone would need to study / poc it or get

Re: [Opensim-dev] Authentication and oAuth

2009-03-01 Thread Diva Canto
Just to keep the record straight, the Capabilities concept is about 50 years old. It was devised at about the same time as ACLs. For a number of reasons, ACLs have dominated the field. See here for a nice historical perspective: http://www.nabble.com/On-the-Spread-of-the-Capability-Approach-to5

Re: [Opensim-dev] Authentication and oAuth

2009-03-01 Thread Tommi Laukkanen
Thanks :) I stand corrected

On Sun, Mar 1, 2009 at 8:27 PM, Diva Canto wrote:
> Just to keep the record straight, the Capabilities concept is about 50
> years old. It was devised at about the same time as ACLs. For a number of
> reasons, ACLs have dominated the field. See here for a nice histori

Re: [Opensim-dev] Authentication and oAuth

2009-03-01 Thread Diva Canto
There's also a very nice paper about it here. http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf

Tommi Laukkanen wrote:
> Thanks :) I stand corrected
>
> On Sun, Mar 1, 2009 at 8:27 PM, Diva Canto wrote:
>> Just to keep the record straight, the Capabilities concept is ab

Re: [Opensim-dev] Authentication and oAuth

2009-03-01 Thread Tommi Laukkanen
Hello After reading a bit of that article and Wikipedia about capabilities based security it looks to me that the capability model requires quite severe assumptions about environment they are used in. If I understand the system correctly the capability framework has to be in control of the client

Re: [Opensim-dev] Authentication and oAuth

2009-03-01 Thread Diva Canto
I strongly recommend reading that paper I sent the reference to. The cool thing about CAPs on the web (and the reason why I'm excited about it, after knowing _of_ CAPs for 20 years and never really getting them) is that CAPs are URLs that can come and go dynamically. Most of the CAPs literatur

Re: [Opensim-dev] Authentication and oAuth

2009-03-01 Thread Diva Canto
As for documentation about CAPs in the Linden world... :-) there is none, zip, nada. Even that simple question that Dirk asked on the sldev list about inventory CAPs has been unanswered for 3 days. This has been a guessing game, first by whoever did that part and then by me as I started lookin

Re: [Opensim-dev] Authentication and oAuth

2009-03-01 Thread Ralf Haifisch
Canto
Subject: Re: [Opensim-dev] Authentication and oAuth
To: opensim-dev@lists.berlios.de
Message-ID: <49aad382.9090...@metaverseink.com>
Content-Type: text/plain; charset="iso-8859-1"

Just to keep the record straight, the Capabilities concept is about 50 years old. It was devi

Re: [Opensim-dev] Authentication and oAuth

2009-03-01 Thread Diva Canto
I just realized that this discussion about authentication/authorization/security/ etc is actually happening at two levels. It's important to unpack that. On one level we have integration with the Web. For example, we want users of OpenSim worlds to be able to use their identities in Web 2.0 si

Re: [Opensim-dev] Authentication and oAuth

2009-03-01 Thread Tommi Laukkanen
Good morning Here are some engineering concerns I see with CAPS URLs: 1) If client is given CAPS URL to access something we need to have access list / ownership and user role information in the database to deduce if the user has the right for capabilities he/she is requesting for. CAPS URLs do no

Re: [Opensim-dev] Authentication and oAuth

2009-03-02 Thread Diva Canto
Tommi, Thanks for your analysis. I don't intend to start a war between Capabilities and ACLs here -- that war has been going on for about 50 years among people who know a lot more about these things than we do :-) I do, however, know quite a bit about capabilities in the context of OpenSim, s

Re: [Opensim-dev] Authentication and oAuth

2009-03-02 Thread Tommi Laukkanen
Hello again This kind of argumentation really helps us to weed problems before we implement them. I think that if people have been on war over this issue for years then either both or other party has not been entirely logical. After all in engineering issues it should be possible to deduce how th

Re: [Opensim-dev] Authentication and oAuth

2009-03-02 Thread Diva Canto
Forgot to clarify this point.

Tommi Laukkanen wrote:
> As conclusion CAPS URLs we talk here seem to be a kind of caching
> mechanism where we do authentication and authorisation on client login
> and store the authorisation information to CAPS URLs which client can
> access directly and we do n

Re: [Opensim-dev] Authentication and oAuth

2009-03-02 Thread Diva Canto
Tommi Laukkanen wrote:
> Do you mean that the caps url is processed when client invokes it to
> deduce what is encoded in the url to get capability out of it or do
> you mean that the CAPS URLs are temporary and have short life time
> like that of a client session?

With the current CAPs for the