[sldev] [AWG] OGP Authentication Draft 3

Meadhbh Hamrick (Infinity) infinity at lindenlab.com
Tue Jan 13 10:06:00 PST 2009


but seriously. OAuth is a step in the right direction, but...

a. it depends on HTTP. we think linking application level objects  
(like application object access control metadata) with a specific  
transport is a bad idea.
b. as far as i can tell, it doesn't have a resource for managing  
distributed access-control tokens. there seems to be an assumption  
that all access control will be managed by the same administrative  
party. that being said... there appears to be nothing in the spec to  
PREVENT you from adding this feature, and I've pinged the OAuth peeps  
from time to time about it, so who knows.
c. OAuth is for securely transporting object access control metadata,  
OGP Authentication is for authenticating an end user to a service  
cloud. OGP Auth is actually a little closer to OpenID than to OAuth.  
But i think you're asking... why not return an OAuth compliant PDU as  
a result of successful OGP Authentication. hmm... no reason it can't  
be done from a protocol perspective, but we would have to get with the  
OAuth people and get them to fix problems a and b above before we  
would likely deploy something like that.

-cheers
-meadhbh

On Jan 13, 2009, at 5:00 AM, Escort DeFarge wrote:

> Having read...
> http://secondlifegrid.net.s3.amazonaws.com/docs/specs/OGP-Authentication_Draft_3.html
>
> I'm not really understanding the advantage this has over...
> http://oauth.net/core/1.0/
>
> ...particularly since capabilities are being introduced with OGP?
>
> /esc
>
> _______________________________________________
> Policies and (un)subscribe information available here:
> http://wiki.secondlife.com/wiki/SLDev
> Please read the policies before posting to keep unmoderated posting  
> privileges



More information about the SLDev mailing list