Oauth App Registration? When?


#1

It has been said that we will be able to register our apps for HiFi Oauth. When is this going to happen? It is already implemented as we can see with the Digital Ocean accounts.

Is this going to happen soon or does HiFi plan to keep this to themselves and their “business partners” for monopolization reasons? The only reason I suspect they might not open it up is because of their attitude with HFC and keeping it centralized.

The idea of centralizing anything is contrary to the ideological goals of HighFidelity (the word “decentralized” has been thrown around a lot when hyping hifi) and is the only reason many of us are here in the first place. Is centralization of everything going to become a thing now?


#2

By ‘apps’ do you mean marketplace apps like fingerpaint, etc? If the answer is yes, our strategy there will be to allow apps to be registered in the marketplace just like we are now doing with static models - https://highfidelity.com/marketplace/items/new

We will issue a certificate for approved apps, but our longer term intent is that we would be like a certificate authority in that regard - your client will have settings as to what certificate authorities you respect, and would use that to decide what apps to run.

Is that helpful? Is there a different mechanism you are talking about?


#3

My main concern is being able to authenticate users for third-party apps and domains (like twitter Oauth or facebook apps). If that doesn’t happen then users will have to login to apps and domains every 3 seconds (for instance instant messenger apps, or entering an adult domain that requires age verification).

Not only would this be a PITA for everyone but it is also a security issue as many internet users tend to use the same password everywhere. Also a PITA for developers and domain owners since we would all have to come up with our own authentication mechanisms and security for said mechanisms.


#4

Unless I am mistaken or misunderstanding, OAuth is how you log into a domain today. You never give a HF password to a domain you are visiting. You login to HF centrally, and we give a token to the domain that is asking about you.

In the longer term, we will switch to a blockchain based ID system where you on login you would sign a message to the domain owner proving you own a public key where a given accountname was stored.


#5

Any chance we could do this with scripts too? Sort of like where you can sign into other sites using your facebook login?


#6

You will be able to prove blockchain ID to a script just as easily. You send it a message with the address and a signed message proving you own it. Script looks at the value stored at the public address, sees that it is an account name wrapped in a cert from HF saying this is the official person.


#7

Awesome! Thanks Philip