[sldev] [Auth] [OpenID] OpenID as SL Authentication Solution

Kamilion kamilion at gmail.com
Sat Oct 6 22:13:26 PDT 2007


I've been doing some surfing on OpenID, and found out a lot about it.

The first two links I have to share:
http://video.google.com/videoplay?docid=-7463164786703060643
How to Use OpenID

http://video.google.com/videoplay?docid=-3812012811402026027
The Future of OpenID


These are both videos by Simon Willison.
The first is ~5 minutes, the second is ~35 minutes.
They give a good overview of OpenID as a system.

What I've learned from all this stuff:

OpenID is an open authentication solution:
You go to a site that supports OpenID.
You type in your OpenID Authentication URL.
(Mine is http://Kamilion.myopenid.com )
It redirects you to your provider's page, in this case, myopenid.com.
You log in there, somehow.
MyOpenID asks you which "persona" you want to share with a site.
I have two, one with my SL name as my realname, and another with my
real realname and birthdate and email and timezone and postal code.
I select my Default persona. (Kamilion Schnook)
OpenID then redirects you back to the site you were originally at.

Now, the real neat thing about OpenID is that authentication is
completely handed off to the provider, which allows the user to choose
their authentication scheme.

For instance, Simon Willison runs idproxy.net, which allows you to use
a Yahoo! account as an OpenID. Yahoo does not support OpenID directly,
but they do have their own Authentication API, which idproxy uses to
translate into OpenID.

It's likely Google won't be far behind. But even if Google doesn't
bother with OpenID, Their Authentication API is accessible as well, so
it wouldn't surprise me to see a googleidproxy spring up.

AOL already supports OpenID, using http://openid.aol.com/screename
Livejournal also supports OpenID, using http://username.livejournal.com

MyOpenID is the provider I'm currently using, which I found by
watching the videos linked above.

They allow authentication in multiple ways:
Username/Password
SSL Client Certificates

And any OpenID provider can code any authentication system they wish,
even going so far as to use the RSA tokens Paypal and Entropia Online
use.

That's all on the provider side. The site requesting the data has no
access to any of that, it just gets a true or false that the person is
authenticated or not, and then requests any data it wants to know from
the OpenID profile that you've selected to share with the site.

The first OpenID supporting site I took a look at was Jyte.com.

Jyte allows people to state Claims.
For instance, I might Claim that Kamilion Schnook is the owner of Sllabs.com.

People can then look up sllabs.com and see that Kamilion Schnook is
the owner of it. Then they would either Agree, or Disagree.
It also allows groups.
Groups can also make claims.

But it's also another powerful OpenID feature: Whitelist transfers.

Say you're Bob.livejournal.com.
On livejournal, you have three friends, Carol, Ann, and Todd.
By adding them to your whitelist, when you go to digg.com, OpenID
knows that carol.livejournal.com and todd.livejournal.com have been
there, and can automatically add them to your Digg friends list, and
spread that trust network. Almost like a more secure version of Seven
degrees of Kevin Bacon.

I've created a public group on Jyte, called Second Life. It's free to
join for anyone with an OpenID, from anywhere.

Now, using the OpenID API, I can ask jyte things on my site's behalf.

For instance, let's say I wanted a list of every member in that group:
http://jyte.com/api/group/second_life/roster
will return a newline separated list of members.

Okay, now I have a list of members.
That's cool, but what can you do with stuff like this?

I'm writing a ruby on rails application now. It will support OpenID,
because rails makes it easy! But it will also support things like Jyte
groups.

So I can do neat things now.

http://jyte.com/api/group/second_life/is_member?openid=URLENCODE(kamilion.myopenid.com)
returns text 'true' or 'false'.

I can have rails ask jyte if "kamilion.myopenid.com" is part of the
group second_life.
I am a member, so it returns "true".

So if I wanted an easy hack on 'Group Roles' on my rails application,
it's as easy as creating some user groups invite only on jyte and
asking jyte if someone is a member of a role when they do something
like access the Administrator page(s) instead of coding all of that
myself, likely insecurely.

This combines with Personas, which are basically an OpenID AltAccount
from the same OpenID AuthURL. For instance, I could login at my OpenID
Provider and be given a list of Personas to choose. Say I'm using SL's
OpenID system, and I have two accounts, Kamilion Schnook and SLLabs
Backer. Both of them would be set up as Personas.

To login to SL, instead of a username and password, I would input my OpenID URL,
http://www.sllabs.com/kamilion/
and llmozlib would be redirected to the OpenID login, which is set up
to automatically log me in with a client certificate. I would then be
presented with the Persona list, and choose SLLabs Backer, and then
click Allow Once. If I wanted, I could also select Allow Always.
I would then be logged into SL as SLLabs Backer, without ever leaving
the SL client.

Same goes for logging into the website or the forums, I just provide
my OpenID URL, then choose a persona.

Since OpenID can exchange information about a person, and you select
what information you want to provide through your provider, you can do
very powerful things.

If Linden Labs were to use OpenID as an authentication mechanism, they
would likely need to meet the following:

1> Be an OpenID consumer. (Allow OpenIDs from other providers.)
2> Be an OpenID Provider. (Accept OpenID Requests from others.)
3> Be an OpenID Proxy. (Login to an LLOpenID from an outside OpenID and
return extended data.)

Now, the extended data that should be available from an LLOpenID:
1> SLFirstname
2> SLLastname
3> SLAgentKey
4> SLIsOnline
5> SLBornDate
6> SLPaymentInfoOnFile
7> SLPartner(?)

Same public info as an avatar profile in SL.

With this, it would be possible to be a complete SL newbie: Sign up
for SL. Get an OpenID with an SL account. Take that OpenID URL to
slexchange.com, and attempt to login there.
You're redirected to openid.secondlife.com, which asks you to log in,
then asks you which persona, then asks to confirm what data on file
you want to share with slexchange.com. In this case, SLExchange wants
to know your email address, SL first, last, key, and isonline.
SLExchange now knows the person's key (like using a SLex terminal to
associate an SLExchange account with a Second Life account) and the
person adds L$100. They then go and purchase an item for L$100, and
since SLExchange already has their key and knows they are currently
online, the item is immediately delivered.

The only thing the user did to SLExchange was give their OpenID URL.
No signup form with the same questions over and over again, no email
link activation.

From what I've seen from OpenID already, it seems it meets most of
what the people are clamoring about. SSL Certificates are already
supported. Alt accounts are Personas.

To sum up:
OpenID for Second Life
Yes, you can pick your alt (Personas are an integral feature of
OpenID, handled by the provider)
Yes, it's all done within the SL Client (No need to open an external browser)
Yes, it does support AJAX (for great justice)
Yes, crypto is mandatory (No more plaintext passwords buzzing over the wire)
Yes, you can use SSL Certificates (Firefox/Mozilla support this, so
llmozlib likely does too)
Yes, it's already widely used and mostly trusted. (AOL, Digg, Six
Apart, livejournal)

Right now, there's only one really major nagging issue:
Is llmozlib up to the task?

At the current point in time, I think it could use some work.
Proxy support NEEDS to work. That is the most pressing issue.
Other than that, it will work fine. SSL has already been working for a
while now (Tested by any https:// link with a valid server certificate
in the Web Profile section.)

The only change users will notice is instead of a login/password box,
there is an OpenID URL box. I would suggest a dropdown text box that
remembers OpenID URLs.

Anyway, that's a pretty lengthy overview of OpenID from a n00b.
I hope this has interested more people in this solution once the
questions about it are answered. Comments?
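Added example, not code from the post above nor from Linden Lab, MyOpenID or Jyte: a Ruby sketch of the exchange the post walks through. The provider side builds the signed positive assertion (OpenID 2.0 "id_res": HMAC-SHA1 over the Key-Value Form of the fields listed in openid.signed, keyed with the association's MAC key), the relying party side verifies it, and a small GroupRoles class does the "ask Jyte if this OpenID is in the group" check in the shape of the is_member call, with the identifier restricted to what the verifier returned. The return_to host sllabs.example, the association handle, the MAC key, the nonce format and the injected fetcher lambda are all assumed or constructed so the code runs offline.

```ruby
require 'openssl'
require 'securerandom'
require 'uri'

OPENID_NS = 'http://specs.openid.net/auth/2.0'

# Key-Value Form of the signed fields (OpenID 2.0, "Generating Signatures"):
# one "key:value\n" line per key listed in openid.signed, key without the "openid." prefix.
def kv_form(params)
  params['openid.signed'].to_s.split(',').map { |k| "#{k}:#{params["openid.#{k}"]}\n" }.join
end

# HMAC-SHA1 over the Key-Value Form with the association's MAC key, base64-encoded.
def openid_sign(params, mac_key)
  [OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), mac_key, kv_form(params))].pack('m0')
end

# Constant-time comparison so the signature check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Provider (OP) side: once the user has authenticated and picked a persona, build the
# positive assertion ("id_res") that the browser carries back to the relying party.
def build_assertion(mac_key, handle:, claimed_id:, return_to:, op_endpoint:)
  params = {
    'openid.ns'             => OPENID_NS,
    'openid.mode'           => 'id_res',
    'openid.op_endpoint'    => op_endpoint,
    'openid.claimed_id'     => claimed_id,
    'openid.identity'       => claimed_id,
    'openid.return_to'      => return_to,
    'openid.response_nonce' => Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ') + SecureRandom.hex(8),
    'openid.assoc_handle'   => handle,
    'openid.signed'         => 'op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle'
  }
  params.merge('openid.sig' => openid_sign(params, mac_key))
end

# Relying party (consumer) side. Accepts only assertions whose signature, return_to and
# nonce all check out; anything else yields nil so the caller fails closed.
class RelyingParty
  REQUIRED_SIGNED = %w[op_endpoint claimed_id identity return_to response_nonce assoc_handle].freeze

  def initialize(associations:, return_to:)
    @associations = associations   # assoc_handle => mac_key, from an earlier association request
    @return_to = return_to
    @seen_nonces = {}              # replay protection: each response_nonce is accepted once
  end

  # Returns the verified claimed identifier, or nil.
  def verify(params)
    return nil unless params['openid.ns'] == OPENID_NS && params['openid.mode'] == 'id_res'
    mac_key = @associations[params['openid.assoc_handle']]
    return nil unless mac_key
    return nil unless (REQUIRED_SIGNED - params['openid.signed'].to_s.split(',')).empty?
    return nil unless params['openid.return_to'] == @return_to
    nonce = params['openid.response_nonce'].to_s
    return nil if nonce.empty? || @seen_nonces[nonce]
    return nil unless secure_equal?(openid_sign(params, mac_key), params['openid.sig'].to_s)
    @seen_nonces[nonce] = true
    params['openid.claimed_id']
  end
end

# Group-role check in the shape of the Jyte is_member call from the post. The HTTP fetcher
# is injected (assumed) so this runs offline; the real app would do an HTTPS GET.
class GroupRoles
  def initialize(fetcher)
    @fetcher = fetcher
  end

  # Only ever pass an identifier that RelyingParty#verify returned; an attacker-chosen
  # string here would let them borrow someone else's group membership.
  def member?(group, verified_claimed_id)
    url = "http://jyte.com/api/group/#{group}/is_member?openid=" +
          URI.encode_www_form_component(verified_claimed_id)
    @fetcher.call(url).to_s.strip == 'true'   # anything but the literal "true" is a no
  rescue StandardError
    false                                     # network or API failure: deny, do not grant
  end
end

if __FILE__ == $PROGRAM_NAME
  mac_key = SecureRandom.random_bytes(20)     # stand-in for a key from an association request
  return_to = 'https://sllabs.example/openid/return'
  rp = RelyingParty.new(associations: { 'assoc-1' => mac_key }, return_to: return_to)
  assertion = build_assertion(mac_key, handle: 'assoc-1', claimed_id: 'http://kamilion.myopenid.com/',
                              return_to: return_to, op_endpoint: 'https://www.myopenid.com/server')
  who = rp.verify(assertion)
  puts "verified as #{who.inspect}; replay accepted? #{!rp.verify(assertion).nil?}"
  roster = { 'http://kamilion.myopenid.com/' => true }   # constructed stand-in for the Jyte roster
  roles = GroupRoles.new(->(url) { roster[URI.decode_www_form_component(url.split('openid=').last)] ? 'true' : 'false' })
  puts "admin? #{roles.member?('second_life', who)}"
end
```

Two points the code makes that the prose leaves implicit: the signature covers the assertion's fields, not the transport, so return_to and the is_member lookup still want TLS; and the role check is only as good as the identifier you feed it, which is why GroupRoles takes the value verify returned rather than whatever the user typed into the OpenID box.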

