[x3d-public] X3D and Authorization (OAuth2 anyone?)

John Carlson yottzumm at gmail.com
Fri Feb 12 18:03:01 PST 2016


I am wondering how people use X3D and Authorization and whether we need a Working Group focused on Authorization as a subsection of the Security Working Group.  A typical X3D application has no need for authorization. I can imagine several uses for Authorization:

1.  Physics and collision detection.  One does not have the authority to walk through walls.
2.  Authorizing the downloading of game levels or rooms from the server.  I can imagine JavaScript setting an authorization token in the Inline url so the url will be downloaded.
3.  Authorizing the insertion, movement, viewing and deletion of parts of the scenegraph.  This includes locking down physics.  The "ground" cannot move.  The sun doesn’t disappear from the sky in 1 second.  Gravity applies.
4.  Authorizing uploads of user information.
5.  Authorizing the use of shaders with reasonable fallbacks.
6.  Authorizing the use of items once the user has reached a certain skill level (tutorials, menus).
7.  Authorizing the reading and modification and archiving of EMRs (electronic medical records) and portions of EMRs (3D images).
8.  Authorizing the purchase of “in game” items with the user’s credit card (mobile) or account.

I am also wondering if using OAuth2 is a reasonable way to implement Authorization of this type of thing.  If a user wants to do an operation, the X3D application presents the request to an OAuth2 server which looks under the user's account to see if that authority has been granted to the X3D application or user by a server (for other users) or the user (for the main user).  These permissions may be preloaded into the X3D application to do stuff like grey out menus or preload the physics engine.

Many of these things can be programmed into an application by hand.  One advantage of abstracting them away from the application is you can define user profiles that work across many applications.

So perhaps we should start on developing a profile of the user that can be shared across apps?  Is this part of H-Anim?

Can someone think of other authorizations that might come in handy?

I recall one time asking this question and I got back the response, HTTP session information is all we need.  Is this still the case?

Does Authentication play any role other than getting a list of permissions or authorities for the application?

Thanks,

John
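
The permission lookup and menu preloading described in the OAuth2 paragraph above, as an added example that is not part of the original post or of any X3D specification. It assumes the application receives an RFC 7662 token introspection response; the scope names (`scene:view`, `scene:move`, ...), the node names and the sample values are hypothetical and constructed for illustration.

```javascript
// Added example: scope names and node names below are hypothetical.
// Constructed sample of an RFC 7662 token introspection response.
const sampleIntrospection = {
  active: true,
  sub: "user-123",
  client_id: "x3d-viewer",
  scope: "scene:view scene:insert scene:move level:download",
  exp: 1455400000, // expiry, seconds since epoch
};

// Nodes that no grant may change (the "ground", the sun, gravity), per item 3.
const LOCKED_NODES = new Set(["Ground", "Sun", "Gravity"]);

// Turn an introspection response into the set of granted scopes.
// Inactive or expired tokens yield no permissions (deny by default).
function grantedScopes(introspection, nowSeconds) {
  if (!introspection || introspection.active !== true) return new Set();
  if (typeof introspection.exp === "number" && introspection.exp <= nowSeconds) {
    return new Set();
  }
  return new Set(String(introspection.scope || "").split(/\s+/).filter(Boolean));
}

// Decide whether one scene-graph operation is allowed on one node.
function isAllowed(scopes, operation, nodeName) {
  const mutating = operation !== "view";
  if (mutating && LOCKED_NODES.has(nodeName)) return false;
  return scopes.has(`scene:${operation}`);
}

// Preload menu state so unauthorized entries can be greyed out.
function menuState(scopes, operations) {
  const state = {};
  for (const op of operations) state[op] = scopes.has(`scene:${op}`);
  return state;
}
```

A check like this in the client only drives the user interface; the server holding the scene or the records has to repeat the same check before applying a change.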

