Welcome to the Second Life Forums Archive

Offer resident accounts as OpenIDs

Epitaxial Playfair
Registered User
Join date: 16 Jul 2004
Posts: 2
10-10-2005 12:56
Residents should be able to use their SL accounts as OpenID identities. Allowing residents to authenticate against their Second Life accounts on third-party web sites with the OpenID protocol would benefit residents and third-party content creators alike. Creators of web services such as Snapzilla, SLboutique, and Landmarker could allow residents to sign in directly with their Second Life accounts instead of requiring separate registration and in-world authentication. Residents would be able to use fun and interesting third-party services without registering and without revealing their Second Life passwords.

For example, if Landmarker provided OpenID support, Alice Example might enter her name in a "Sign in with your SL name" field and be directed to secondlife.com/openid/ . There she would sign into secondlife.com (if she hadn't already signed in) and confirm she would like to sign into Landmarker. Then, using the OpenID protocol, secondlife.com would confirm to Landmarker that Alice is who she says she is (eg secondlife.com/users/Alice_Example ) and Landmarker would treat Alice as a regular user of the service. This is the standard way OpenID servers work.

More about OpenID is available at openid.net.

(Vote on this feature proposal here.)
Cienna Rand
Inside Joke
Join date: 20 Sep 2003
Posts: 489
10-10-2005 13:16
I support this good idea 100%!

As it stands now every third-party service has to jump through the same hoops to do some sort of association between your avatar and your site login. This would provide a standard interface to alleviate such a repetition of effort.

In addition, though this is not in the proposal, there should be some way to provide the avatar key after successful authentication. Even though there has been a ruckus about key collection in the past, this would only expose your key if you request it, by logging in to the service. This would alleviate much of the need for a key database as any inworld interaction with the authenticated user could now be done via this method of obtaining their key.

Edit: Make things more clear
_____________________
You can't spell have traffic without FIC.
Primcrafters (Mocha 180,90) : Fine eyewear for all avatars
SLOPCO (Barcola 180, 180) : Second Life Oil & Petroleum
Company
Landmarker : Social landmarking software
Conversation : Coming soon!
Dianne Mechanique
Back from the Dead
Join date: 28 Mar 2005
Posts: 2,648
10-10-2005 13:20
From: Epitaxial Playfair
Residents should be able to use their SL accounts as OpenID identities. Allowing residents to authenticate against their Second Life accounts on third-party web sites with the OpenID protocol would benefit residents and third-party content creators alike. Creators of web services such as Snapzilla, SLboutique, and Landmarker could allow residents to sign in directly with their Second Life accounts instead of requiring separate registration and in-world authentication. Residents would be able to use fun and interesting third-party services without registering and without revealing their Second Life passwords.

For example, if Landmarker provided OpenID support, Alice Example might enter her name in a "Sign in with your SL name" field and be directed to secondlife.com/openid/ . There she would sign into secondlife.com (if she hadn't already signed in) and confirm she would like to sign into Landmarker. Then, using the OpenID protocol, secondlife.com would confirm to Landmarker that Alice is who she says she is (eg secondlife.com/users/Alice_Example ) and Landmarker would treat Alice as a regular user of the service. This is the standard way OpenID servers work.

More about OpenID is available here.
Doesn't OpenID require RL names and addresses, in that one has to own a URL and therefore be "WHOIS-able"??
_____________________
.
black
art furniture & classic clothing
===================
Black in Neufreistadt
Black @ ONE
Black @ www.SLBoutique.com


.
Epitaxial Playfair
Registered User
Join date: 16 Jul 2004
Posts: 2
10-10-2005 13:35
From: Dianne Mechanique
Doesn't OpenID require RL names and addresses, in that one has to own a URL and therefore be "WHOIS-able"??


If you're using a remote OpenID, yes; in this case, I'm suggesting that Linden Lab provide an OpenID server for Second Life accounts. That is, the URLs are LL's, at secondlife.com. Using external OpenIDs to sign into Second Life would not only have the problems you mention, but be harder to implement. I don't mean to suggest that.

That is, I want to be able to sign into other sites as Epitaxial Playfair, not sign into Second Life with my (say) LiveJournal OpenID.
Dianne Mechanique
Back from the Dead
Join date: 28 Mar 2005
Posts: 2,648
10-10-2005 13:38
From: Epitaxial Playfair
If you're using a remote OpenID, yes; in this case, I'm suggesting that Linden Lab provide an OpenID server for Second Life accounts. That is, the URLs are LL's, at secondlife.com. Using external OpenIDs to sign into Second Life would not only have the problems you mention, but be harder to implement. I don't mean to suggest that.

That is, I want to be able to sign into other sites as Epitaxial Playfair, not sign into Second Life with my (say) LiveJournal OpenID.
Yes, exactly.
Thanks for making that clear. :)
_____________________
.
black
art furniture & classic clothing
===================
Black in Neufreistadt
Black @ ONE
Black @ www.SLBoutique.com


.
Torley Linden
Enlightenment!
Join date: 15 Sep 2004
Posts: 16,530
10-10-2005 13:51
I don't yet realize the potential of this, but it does sound like something I'd want to use. I have hundreds of signups on Internet sites, it gets very tough to use, especially for places where I have to use a different login or my password was too long, etc. :\
_____________________
Satchmo Prototype
eSheep
Join date: 26 Aug 2004
Posts: 1,323
10-10-2005 20:08
This is a very cool idea... re-allocating votes as we speak.
_____________________

----------------------------------------------------------------------------------------------------------------
The Electric Sheep Company
Satchmo Blogs: The Daily Graze
Satchmo del.icio.us
Strife Onizuka
Moonchild
Join date: 3 Mar 2004
Posts: 5,887
10-10-2005 20:43
I fully support this, with the addition that the user's inworld key is also disseminated to the service (how this would happen is beyond me).
_____________________
Truth is a river that is always splitting up into arms that reunite. Islanded between the arms, the inhabitants argue for a lifetime as to which is the main river.
- Cyril Connolly

Without the political will to find common ground, the continual friction of tactic and counter tactic, only creates suspicion and hatred and vengeance, and perpetuates the cycle of violence.
- James Nachtwey
Oddity Beeks
Registered User
Join date: 18 Feb 2006
Posts: 8
As the forums are going away...
09-16-2006 09:17
Hi!

As the forums are going away, it would be nice if SL would set up an OpenID service instead. This would allow residents to use their identities in a simple and verified way on external resident-run sites, so if someone reads a post on a forum claiming to be from Oddity Beeks' SL OpenID, the reader could be reasonably certain that this is in fact the case. (The forum could fake the ID, of course.)
Oddity Beeks
Registered User
Join date: 18 Feb 2006
Posts: 8
Slope - A proof of concept SL OpenID system
09-16-2006 11:02
Hi again!

I'm not sure if this amount of detail is appropriate for this thread, but what the heck! :)

I've hacked together a proof of concept SL OpenID system. If you go to Maryport <183,156,55> (Linux User Group meeting place) you'll find two objects. They're both the same, except one is closed and contains a secret password and the other is open (copy/mod) and contains a dummy password. (If it's no longer there, just IM me and I'll give you a demo!)

Here's how it works:

When someone touches the object (the real one with the real password), it connects to the Slope HTTP server and does a GET request which contains the name of the SL user. The server keeps a directory of user and string pairs. If the requested user is not in this directory, it is added along with a randomly generated string. Then the string, called a "nonce", connected with the user is returned in the HTTP response.

The object combines the name of the user, the secret password contained in the object and the nonce into a single data structure and calculates an md5sum of that, called an authkey. The authkey is then put along with the name into a URL which is sent to the user.

The user may load this URL, which will connect the user to the Slope HTTP server. The server, which knows the same password as the object, will calculate an authkey based on the md5sum of the name in the HTTP request, the password and the given user's string in the nonce directory. If the sum matches what was given in the URL, it must be because the URL was generated by the Slope object and thus the server has verified the identity of the person behind the HTTP client. In this case the used nonce is also removed from the nonce directory.

The server then uses the usual session cookie based mechanism to keep track of the user's identity and give the user a verified and functional OpenID identity matching the SL identity.

So, what now?

Well, if you find a flaw in this scheme or the server code, IM me. But anyway, it's just a proof of concept! I'd like LL to set up an official OpenID server, as I mentioned in my previous post. One problem with using an external OpenID system is lack of trust. When I demoed this at an in-world LUG, hardly anyone dared use the system, because they didn't trust it. And sure, a system like this could probably be used for bad things like letting Yahoo know that Foo Bar in SL is petersomething@yahoo.com (whose RL address they already know), without the user actually trying to use his SL OpenID on a Yahoo site. (I'm just using Yahoo as an example here, I don't know much about their good or bad privacy track records.)
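The nonce and authkey exchange described in the post above, as an added Python sketch that is not part of the original post and is not the Slope code. The class and function names, the `|` field separator, the field order and the sample password are assumptions; `authkey_hmac` is a swapped-in HMAC-SHA-256 variant shown beside the MD5 construction the post describes.

```python
import hashlib
import hmac
import secrets

SECRET = b"dummy-password"  # constructed sample; shared by object and server


def authkey_md5(name, secret, nonce):
    # As in the post: md5sum over name, password and nonce. The exact layout
    # is not given there, so the order and "|" separator are assumptions.
    data = b"|".join([name.encode(), secret, nonce.encode()])
    return hashlib.md5(data).hexdigest()


def authkey_hmac(name, secret, nonce):
    # Not from the post: the same binding expressed as a keyed MAC.
    msg = f"{name}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class SlopeServer:
    """Server side of the described flow (hypothetical names)."""

    def __init__(self, secret, authkey_fn=authkey_md5):
        self.secret = secret
        self.authkey_fn = authkey_fn
        self.nonces = {}  # the "nonce directory": user name -> pending nonce

    def get_nonce(self, name):
        # The touched object's GET: add the user with a random string if
        # absent, then return the string stored for that user.
        return self.nonces.setdefault(name, secrets.token_hex(16))

    def verify(self, name, authkey):
        # The user's GET: recompute the authkey from the stored nonce.
        nonce = self.nonces.get(name)
        if nonce is None:
            return False  # never issued, or already consumed
        expected = self.authkey_fn(name, self.secret, nonce)
        if not hmac.compare_digest(expected.encode(), authkey.encode()):
            return False  # a wrong key leaves the pending nonce in place
        del self.nonces[name]  # used nonce is removed, so the URL works once
        return True


def object_touched(server, name, secret, authkey_fn=authkey_md5):
    # In-world object side: fetch the nonce, derive the authkey for the URL.
    return authkey_fn(name, secret, server.get_nonce(name))
```

Because the nonce is deleted only on a successful check, a login URL is valid exactly once, and a second request with the same authkey is rejected.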
Strife Onizuka
Moonchild
Join date: 3 Mar 2004
Posts: 5,887
10-03-2006 14:04
got an http 503 error (service unavailable) when i went to the url after clicking the object.
_____________________
Truth is a river that is always splitting up into arms that reunite. Islanded between the arms, the inhabitants argue for a lifetime as to which is the main river.
- Cyril Connolly

Without the political will to find common ground, the continual friction of tactic and counter tactic, only creates suspicion and hatred and vengeance, and perpetuates the cycle of violence.
- James Nachtwey
Oddity Beeks
Registered User
Join date: 18 Feb 2006
Posts: 8
10-11-2006 10:52
From: Strife Onizuka
got an http 503 error (service unavailable) when i went to the url after clicking the object.


Sorry, I haven't kept the server running. It was just meant as a test/proof of concept anyway and I don't really have any land to keep it at. :)

If anyone wants a demo I can arrange it, but I'm really just hoping that LL will implement their own OpenID system, it would be much better for everyone.