Do we really need OAuth? It seems to me there’s already 1000 OAuth options out there (Twitter, Facebook, Google) that we could use to “verify” users. Also, I just don’t see anybody wanting to have to register with hifi every time they make a script that needs to know who a user is, especially if it is an open source script.
It seems to me if all we really need to know is a user is registered with hifi, a simpler approach would be just exposing digital signatures to script (the code is already there). Users don’t have access to their private key, but users do have an easily accessible public key. This would require revealing their avatar name, but since it is authentication this is information we sort of need anyway.
If data signing was exposed to script something like this:
var signature = myAvatar.signData(data)
the signature could be compared with their public key here:
And there you go, you know all you need to know. OAuth would be good for things you need email addresses or phone numbers for, but right offhand I can’t really think of anything that would need that amount of security (in which case the app creator probably should have to register their app 6 ways from Sunday). Even cryptocurrency has built-in security (they have to possess their private key).
Anyway, for a metaverse that wants everything to be as anonymous as possible, I don’t think OAuth is a very good solution. Might as well use Facebook, Google or Twitter for that. Anything beyond verifying an avatar’s name isn’t really needed and even if it is, another OAuth is redundant.
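The signature check proposed in the post, written out as an added example that is not part of the original post and is not High Fidelity's API. The `makeAvatar` stand-in, the Ed25519 key type, the challenge format and the service name are all assumptions; the point it shows is that the verifier should have the avatar sign a fresh, single-use challenge so a captured signature cannot be replayed.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for an avatar: as in the post, the private key stays
// inside the client; scripts only get signData() and the public key.
function makeAvatar(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const signData = (data) => crypto.sign(null, Buffer.from(data), privateKey);
  return { name, publicKey, signData };
}

// Verifier side: issue a random challenge bound to this service and avatar name.
const pending = new Map(); // nonce -> { name, expires }
function issueChallenge(name, service, ttlMs = 30000) {
  const nonce = crypto.randomBytes(16).toString('hex');
  pending.set(nonce, { name, expires: Date.now() + ttlMs });
  return JSON.stringify({ service, name, nonce });
}

// Accept a signature only over a challenge we issued, once, before it expires.
function verifyResponse(challenge, signature, publicKey, service) {
  let parsed;
  try { parsed = JSON.parse(challenge); } catch (e) { return false; }
  if (!parsed || typeof parsed.nonce !== 'string') return false;
  const entry = pending.get(parsed.nonce);
  pending.delete(parsed.nonce); // single use, even when the check fails
  if (!entry || entry.name !== parsed.name) return false;
  if (parsed.service !== service || Date.now() > entry.expires) return false;
  return crypto.verify(null, Buffer.from(challenge), publicKey, signature);
}

// Constructed walk-through: valid login, replayed signature, wrong key,
// and a challenge issued for a different service.
function demo() {
  const alice = makeAvatar('alice');
  const mallory = makeAvatar('mallory');
  const c1 = issueChallenge('alice', 'shop-script');
  const sig = alice.signData(c1);
  const first = verifyResponse(c1, sig, alice.publicKey, 'shop-script');
  const replay = verifyResponse(c1, sig, alice.publicKey, 'shop-script');
  const c2 = issueChallenge('alice', 'shop-script');
  const forged = mallory.signData(c2);
  const wrongKey = verifyResponse(c2, forged, alice.publicKey, 'shop-script');
  const c3 = issueChallenge('alice', 'other-script');
  const sig3 = alice.signData(c3);
  const wrongSvc = verifyResponse(c3, sig3, alice.publicKey, 'shop-script');
  return { first, replay, wrongKey, wrongSvc };
}
```

The verifier still needs a trusted source for the avatar's public key; this sketch takes it as an input.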