Difference between revisions of "OGP Authentication Draft 3"

From Second Life Wiki
Jump to navigation Jump to search
(New page: <span style="font-size: 200%;">Open Grid Protocol: Foundation</span> :<small>'''Draft 3'''</small> :<small>'''September 2008'''</small> ::''Notice: This draft is for public comment. '' ::...)
 
m (Protected "OGP Authentication Draft 3" [edit=sysop:move=sysop])
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
<span style="font-size: 200%;">Open Grid Protocol: Foundation</span>
<span style="font-size: 200%;">Open Grid Protocol: Authentication</span>
:<small>'''Draft 3'''</small>
:<small>'''Draft 3'''</small>
:<small>'''September 2008'''</small>
:<small>'''September 2008'''</small>
Line 5: Line 5:


::<small>Mark Lentczner (Zero Linden) Linden Lab zero.linden@secondlife.com</small>
::<small>Mark Lentczner (Zero Linden) Linden Lab zero.linden@secondlife.com</small>
::<small>Tess Chu (Tess Linden) Linden Lab tess@lindenlab.com</small>
::<small>Meadhbh Hamrick (Infinity Linden) Linden Lab infinity@lindenlab.com</small>
::<small>Copyright 2008, Linden Lab. All rights reserved. </small>
::<small>Copyright 2008, Linden Lab. All rights reserved. </small>


Line 12: Line 14:


:<small>'''Abstract'''</small>
:<small>'''Abstract'''</small>
::<small>The Second Life Open Grid Protocol documents define the protocols by which a vast, Internet wide virtual world can operate. This protocol enables different regions of the virtual world to be operated independently, yet interoperate to form a cohesive experience. </small>
::<small>Authentication in Open Grid Protocol establishes the connection between a viewer of a virtual world and an agent domain that manages an avatar account. </small>


:<small>'''Status'''</small>
:<small>'''Status'''</small>
Line 20: Line 22:


{{RightToc}}
{{RightToc}}
<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 1 Structure | discuss]]</span>
<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 1 Agent Login (Resource Class) | discuss]]</span>
== Structure ==
== Agent Login (Resource Class) ==


<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 1-1 Domains | discuss]]</span>
<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 1-1 introduction | discuss]]</span>
=== Domains ===
=== introduction ===


This protocol is about a three way interaction between viewer, agent and region in order to facilitate a shared experience between people.  
Authentication is the first step in associating a client application with the agent domain, and subsequently, one or more regions. Before a client application may interact with the agent domain, it must authenticate itself by presenting credentials proving it has the right to control the agent. Authentication is the process of presenting an "Identifier" and an "Authenticator" to the agent domain and receiving a "Capability" providing further access to system resources or an actionable error description. The protocol defines an identifier as an agent or account information, distinct from its related authenticator.  


The viewer is the element that senses and acts on the state of the virtual world. The viewer does so from the vantage point of an agent. An agent is persistent identity and persona that interacts in a virtual world. The agent persists and can be interacted with even when the user controlling it (though a viewer) is off-line. Regions are persistent locations in the virtual world. Multiple agents may be present in a region at the same time, and when they are they have a shared experience.  
Authentication begins by requesting the  >>> code
agent_login resource; that is, POSTing the "LLSD" description of an identifier and an authenticator to a well-known URL. The agent domain managing this resource then makes an access control decision based on the verity of the credential and the state of the agent domain. The result of this authentication, whether success or failure, it is returned to the client application via a LLSD message. The content and form of these messages are provided below in "LLIDL format."


Groups of regions and agents are managed by domains. A region domain is responsible for a collection of regions. An agent domain manages agent accounts.
The authentication process results in one of seven classes of response from the agent domain:


This protocol makes few assumptions about how a domain manages its collection of elements. In particular, it does not assume that a region will be entirely managed on a single host, nor that an agent will or won‚Äôt be managed by a single process.  
* success
* deferred success due to maintenance
* authentication non-success due to missing secret
* authentication failure
* agent selection failure
* "user intervention required" failure, and
* "non-specified" failure.  


It is useful to think of the “stance” that each element takes in the three-way protocol:
Responses to authentication requests are successes, non-successes and failures. A "success" indicates the client application should have enough information to progress past the authentication phase and begin using the service. A "deferred success" implies use of the system will continue after a "short" period. In either case, the agent domain does not expect the client application to re-submit the  >>> code
agent_login request. Authentication "non-success" results from a client requesting per-agent or per-account authentication parameters. After sending a "non-success", the agent domain expects the client to resubmit the  >>> code
agent_login request "shortly." Failures of all type indicate the agent domain believes a condition exists requiring explicit user intervention. In the case of an authentication failure, the user should either retry the authentication request or recover their password. A failure due to "user intervention required" indicates the agent domain believes the user's account is in a state that required "out of band" recovery. Reading and accepting the agent domain's Terms of Service or Critical Messages are examples of recovering from "user intervention required" failures. Non-Specified failures indicate a non-recoverable problem that is not defined in this specification.


The viewer is the direct proxy for a human that wants to control an agent. This control can be direct as in the case of an interactive 3D viewer, or indirect as in the case of a web site that the user directs to display their agent‚Äôs status.  
The section below on Processing Expectations provides more guidance.  


The agent domain is responsible for the agent itself. The persistent state of the agent is held within the agent domain, and requests to interact with the agent, even by the viewer, are mediated by the agent domain.
==== Account identifiers and Agent identifiers ====


The region domain runs the live simulations of regions in the virtual world. The region domain manages the persistent state of these regions.  
Client applications may authenticate using an "Account Identifier" or an "Agent Identifier". Either type of identifier may be used for authentication. An agent domain MUST support one of the two types of identifiers, and MAY support both. Client applications SHOULD support both identifier types.  


An "Account" is an administrative object holding one or more references to an "Agent." This is advantageous in situations where:


<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 1-2 Basic Flow | discuss]]</span>
# the agent domain does not wish to use an agent first name and last name to identify a user, but wishes to use another identifier (such as an email address or account number,) or
=== Basic Flow ===
# the agent domain wishes to allow users with several agents to authenticate with the same authenticator, freeing them from the requirement of memorizing each individual agent authenticator..


The basic flow of the protocol is:
Please note this spec does not imply a structure to the account identifier. Though an agent domain may use an email address as an account identifier, the protocol does not require it and treats the identifier simply as an opaque sequence of octets.


# The viewer authenticates to an agent domain for the authorized control of a particular agent.
# The viewer directs the agent domain to to place the agent in a region.
# The agent domain contacts the region domain for the region, and negotiates placement of the agent.
# The region grants access to the agent domain, which in turn passes some of that granted access on to the viewer.


At this stage, each entity will have access to many resources in the other entities. For example:
==== Flexible Authentication ====


* The viewer has access to region resources that let it move the avatar.
This revision of the Open Grid Protocol defines, but does not require the use of, two additional authentication schemes: challenge-response and PKCS#5 Key Derivation 2.  
* The region has access to viewer resources that update the state of objects in the region.
* The viewer and agent have access to resources in each other to facilitate text messaging.  




<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 1-3 Structure of the Protocol | discuss]]</span>
=== Structure of the Protocol ===


The protocol is fundamentally composed of individual resources that can be invoked by one entity in the system upon another. Each resource is a member of a resource class that describes the syntax and semantics of invoking the resource. The bulk of this document, when complete, will describe the several hundred resource classes that make up the virtual world.
<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 1-2 Service Location | discuss]]</span>
=== Service Location ===


The resource classes are composed into suites that form logical groupings, though suites do not otherwise play a part in the protocol.  
Each Agent Domain MUST have a well known and published authentication URL. The Second Life agent domain authentication URL is:


In order to facilitate migration from the currently running version of Second Life, legacy resources return information that allow entities to continue to communicate using the existing protocols and structures. These protocols and structures are not described by this document. It is the intention that when this work is complete, none of these legacy resources will be in use.  
https://login.agni.secondlife.com/cgi-bin/auth.cgi


Agent and region domains have a few resources that are available at well known URLs. All other resources in the agent and region domains are accessed via capabilities obtained from the those few initial resources.


Since viewers are typically behind firewalls that do not allow connection, resources in the viewer are accessed by event queues held in the agent and region for the viewer. The viewer uses the “long poll” technique to efficiently proxy these inward resource invocations.
<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 1-3 Inputs | discuss]]</span>
=== Inputs ===


LLIDL descriptions are provided below for both agent identifiers and account identifiers. Client applications may use either as the basis for authentication.


<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 1-4 Document Structure | discuss]]</span>
==== Agent Identifier ====
=== Document Structure ===


OGP is a large suite of interrelated protocols. Each major protocol set is described in its own document. For examples, see the OGP Authentication and OGP Teleport documents. This document describes the base facilities and concepts upon which the other protocols are based. To be compliant with OGP, an implementation must conform to this document, and may implement any of the other protocol sets that are deemed relevant.  
An agent identifier contains the first and last name of an agent.  




==== Account Identifier ====


<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 2 Base Protocols | discuss]]</span>
An account identifier must contain the  >>> code
== Base Protocols ==
account_name key. This is the opaque sequence of octets used by the agent domain to identify the user. If an account is associated with multiple agents, the client application SHOULD include the  >>> code
first_name and  >>> code
last_name of the agent the user wishes to use.


<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 2-1 Resources, HTTP & REST | discuss]]</span>
=== Resources, HTTP & REST ===


All interaction between entities is through a client invoking a resource. Resources are invoked either directly via HTTP, or through an event queue.
==== Hashed Password Authenticator ====


For each resource class, this protocol defines how the client obtains the URL, the HTTP verb (or verbs) to be used, the request and response bodies (if any), and significant status codes. Resource classes are designed with REST style semantics.  
When a hashed password is used as an authenticator, the string '$1$' is prepended to the UTF-8 encoding of the password and processed with the MD5 cryptographic hash function.  >>> bibref
This revision of the Open Grid Protocol specification requires the use of MD5 with the hashed password authenticator. It also requires the presence of the >>> code
algorithm key, and that the value of this key be the string 'md5'. Note that future versions of this specification may ALLOW or REQUIRE the use of other cryptographic hash functions.  


In general, HTTP & REST are used as follows: The URL will be either well-known in advance or returned in a response from another resource. The latter is called a capability. Except for security reasons, URLs are always treated as opaque. Clients should not modify them. Parameters are never added to them via the query section. Resource handlers must be prepared to ignore query sections.


Resources follow general REST semantics and so respond to one of these verb sets:
==== Challenge-Response Authenticator ====


{| border="1"
The Challenge-Response scheme allows the agent domain to select a session specific "Salt" to be used in conjunction with the user's password to generate an authenticator. In this scheme the authenticator is the hash of the salt prepended to the hash of '$1$' prepended to the password. This revision of the Open Grid Protocol specification requires the use of SHA256 with the challenge-response authenticator.  >>> bibref
|-
It also requires the presence of the  >>> code
|
algorithm key, and that the value of this key be the string 'sha256'. Note that future versions of this specification may ALLOW or REQUIRE the use of other cryptographic hash functions.
GET
|
for cacheable resources
|-
|
GET, PUT
|
for cacheable resources that can be modified
|-
|
GET, PUT, DELETE
|
for cacheable resources that can be modified and deleted
|-
|
POST
|
for non-cacheable resources
|}


Unless otherwise stated, if a resource accepts PUT, it accepts multiple PUT invocations.  
To retrieve a session specific salt for use with the Challenge-Response authentication scheme from the agent domain, the client application sends a login request with a Challenge-Response authenticator without the secret item. If the agent domain supports this authenticator, it MUST respond with a 'key' condition including a salt and MAY include a duration in the response. If the duration is present, it denotes the number of seconds for which the salt will be valid.  


::''Note: We are considering having all resources support OPTIONS ''
::''Note: The Challenge-Response Authentication Scheme is not currently deployed on the Second Life Grid. ''


The request and response bodies are transmitted as serialized LLSD data. If a resource has no response defined, then it can return either an undefined value, an empty map, or have a zero length response body.


HTTP status codes should only be used to indicate the status of the HTTP interaction itself. In general, if the resource is reachable, and the request understood, a 2xx code should be returned.
==== PKCS#5 PBKDF2 Authenticator ====


::''Note: Something about redirection - is it supported? Probably not… ''
The PKCS#5 PBKDF2 authenticator is an implementation of RSA Labs' Public Key Cryptographic Standards #5 v2.1 Password Based Key Derivation Function #2.  >>> bibref
In this scheme, the hash of the string '$1$' prepended to the password is used in conjunction with a salt, iteration count and hash function to generate an authenticator. This revision of the Open Grid Protocol specification requires the use of SHA256 with the PKCS#5 PBKDS2 authenticator. It also requires the presence of the  >>> code
algorithm key, and that the value of this key be the string 'sha256'. Note that future versions of this specification may ALLOW or REQUIRE the use of other cryptographic hash functions.


HTTP headers, both for the request and the response are never part of a resource class definition. Headers are handled as per the HTTP standard.  
As with the Challenge-Response authenticator, the agent domain MUST include the salt and iteration count in its response to an authentication request that is made without a secret item. Conforming agent domains may include a duration in their response indicating the number of seconds for which the salt and iteration count will be valid.  


::''Note: The PKCS#5 PBKDF2 Authentication Scheme is not currently deployed on the Second Life Grid. ''


<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 2-2 LLSD | discuss]]</span>
=== LLSD ===


All data in this system is defined by LLSD. LLSD is an abstract way of talking about structured data. It is defined in the document "LLSD".


::''Note: This needs to be a normative reference. ''
<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 1-4 Response | discuss]]</span>
=== Response ===


==== Serialization ====
The response to the agent login message is notice of one of seven "conditions":


When used as part of OGP, the XML and JSON serializations of LLSD  >>> rfc2119
* authentication success
must be supported.  
* maintenance deferred success
* authentication non-success
* authentication failure
* agent selection failure
* "user intervention required" failure, and  
* "non-specific" failure.  


::''Note: As deployed, only XML serialization is implemented. ''
The specification recognizes three "non-failure" responses:  


==== Success ====


Upon success, the agent domain will respond with a message containing the "Agent Seed Capability". Receipt of this capability indicates authentication was successful. This capability is then used for further interactions with the system.


<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 2-3 Capabilities | discuss]]</span>
=== Capabilities ===


This protocol makes extensive use of capabilities. A capability is an opaque HTTP (or HTTPS) URL used for accessing a particular resource. The provider of the resource has three logical parts: the ''grantor '', the ''capability host '', and the ''service ''.
==== Maintenance Deferred Success ====


The grantor uses the capability host to construct a capability that maps to the service that provides the resource, then returns that capability to the client. At some point in the future, the client invokes the capability which makes a connection to the capability host. The capability host then proxies to the service to provide the resource.  
This condition indicates per-agent (or per-account) login-time maintenance is being performed. It is not an error. The response includes a maintenance cap the client application should use to get information about currently executing maintenance. For more information about maintenance, see the Maintenance section below.  


The parts that make up the provider may be separate entities or may be the same.


The client can’t invoke the resource without the capability. Typically the capability is a URL with a cryptographically secure path component. Within the capability host, this URL is mapped to the actual internal resource URL.
==== Authentication Non-Success ====


The client is free to hand the capability to other entities who become clients of the capability as well. Other than for the security considerations below, the client must not rely on any assumed structure of the capability URL.  
Authentication Non-Success is the response given when a client queries the agent domain for agent-specific or account-specific authentication parameters. In that it is the expected response to such a query, it is not an error or exception. But it is not an indication of successful authentication.  


==== Obtaining ====


For each resource a client wants to invoke, the capability must be obtained. In a few cases, the capability will have been expressly returned in the result of some other resource. Usually, the system uses a seed capability (see below) to request the capability for a given resource by name.


<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 1-5 Errors and Exceptions | discuss]]</span>
=== Errors and Exceptions ===


==== Invocation ====
==== Authentication Failure ====


To invoke a capability, the holder performs an HTTP transaction with the capability as the URL. The resource class the capability represents will dictate which verb (or verbs) can be used, and what the request and response bodies (if any) should be.  
An authentication failure indicates the client application did not provide enough information to authenticate the account or the agent.  




==== Lifetime & Revocation ====
==== Agent Selection Failure ====


Capabilities can be either unlimited or one-shot. Unlimited capabilities can be used multiple times, whereas one-shot can be used only once and are automatically revoked on invocation.  
An agent selection failure occurs when an account authentication request is ambiguous. In other words, the account a user has attempted to use to log in is associated with more than one agent account and the client application did not specify which account to use. The response includes a list of first_name / last_name pairs. It is expected that the client application will present this list to the user and ask which agent to use.  


::''Note: If we support the OPTIONS method, then invoking a one-shot with OPTIONS does not revoke it. ''


::''Note: What about using HEAD on a one-shot? ''
==== "User Intervention Required" Failure ====


Any capability can be revoked at will by the provider of the resource. Clients must be prepared to handle revoked capabilities. A revoked capability, when invoked must return a 4xx HTTP status code. The capability host may return a 404, even if the capability had been previously active.  
This error indicates that the agent domain cannot authenticate the user for non-technical reasons. The protocol does not attempt to describe why, or imply remediation for this error. But an agent domain that returns this response MUST provide a URL containing a message describing the condition leading to the error and remediation, if known.  




==== Names ====
==== "Non Specific" Failure ====


The resource a capability performs is identified by name. When requesting a capability, or when returning a capability, the opaque URL is identified with this name. The names of such resources are intended to be globally unique.  
This error indicates some other error exists which does not fall into one of the previous six conditions.  


Names are URIs. When a name appears without a scheme component, then it is a relative URL, considered relative to the base:


http://xmlns.secondlife.com/capability/name/


While names do exhibit path-link structure, they are to be considered opaque identifiers. For example, while the following three capability names are indeed from the same sub-system, nothing should be inferred about a capability that starts with their common prefix:
<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 1-6 Preconditions | discuss]]</span>
=== Preconditions ===


<blockquote>
==== Client Preconditions ====
* inventory/root
* inventory/folder_contents
* inventory/move_folder


</blockquote>
It is generally assumed that before a user attempts to log into an agent domain, they will not be actively connected to that agent domain.  
While not required, this protocol prefers names that are all lower case roman letters, separated by underscores.  


It is also assumed that the user has registered their account and/or agent; user registration is outside the scope of this specification.


==== Seed Capability (Resource Class) ====
The client application SHOULD present the agent domain's Terms of Service and Critical Messages and allow a user to accept or decline them prior to attempting to authenticate.


In many cases, a sub-system will return a ''seed capability ''from which other capabilities can be requested.


{| border="1"
==== Agent Domain Preconditions ====
|-
| colspan="2" |
Seed Cabability
|-
|
Name
|
various, this is a generic resource and used in a variety of places
|-
|
URL
|
various
|-
|
Verb
|
POST
|-
|
Request
|
{ capabilities: [ ''name1, name2, … ''] }
|-
|
|
an array of the names of the capabilities being requested
|-
|
Response
|
{ capabilities: { ''name1: url1, name2: url2, … ''} }
|-
|
|
a map from the names requested to granted capabilities.
|}


The request contains an array of all resource names for which capabilities are desired. The response contains a map with an entry for each capability granted. Note: a grantor may grant all, some or none of the requested capabilities. The grantor may also grant additional capabilities that were requested, or none at all. If the grantor grants none, the response array must be empty and the HTTP status code should still be 200.  
If the agent domain requires users to read and agree to the Terms of Service or acknowledge receipt of Critical Messages prior to authentication, it must maintain a record of which accounts and agents have accepted and acknowledged these items.  


::''Note: The seed capability protocol deployed today uses the 'caps' key instead of 'capabilities' ''
Agent domains that support the concept of "suspension" or "disablement" should also maintain a record of which accounts and agents are suspended or disabled.




==== Security ====


If an end-point receives a capability from an untrusted source, it is permissible for security reasons to check the following aspects of the URL before use:  
<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 1-7 Postconditions | discuss]]</span>
=== Postconditions ===


* The scheme should be http: or https:.
==== Client Postconditions ====
* The authority (in particular, the resolved host name) should not resolve to ports on the local machine that aren’t publicly accessible.


Following successful authentication, the client application SHOULD note that the agent has been authenticated to the agent domain. The Open Grid Protocol is NOT stateless.




<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 2-4 Event Queues | discuss]]</span>
==== Agent Domain Postconditions ====
=== Event Queues ===


An event queue enables an entity to invoke resources in the viewer, which cannot be directly contact via HTTP. This is usually the case because the viewer is behind a firewall that doesn‚Äôt allow incoming TCP (and hence HTTP) connections from the region or agent domains.  
After an agent (or account) is authenticated, a seed capability is allocated for the agent. The agent domain SHOULD maintain the association between agent credentials (first_name and last_name) and the seed capability so it may be re-used if the client attempts to re-authenticate the user.  


In such a situation, the client establishes a queue of invocation requests for resources in the viewer. At the same time, the viewer uses an '''event_queue/get '''capability to effectively tunnel the requests from the client to itself.


::''Note: The event queue protocol described here matches what is deployed today, but is limited in functionality. It is expected to be superseded by a more general facility soon. ''


::''Note: The deployed event queue on the agent domain ''
<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 1-8 Side Effects | discuss]]</span>
=== Side Effects ===


==== Restrictions ====
The agent domain SHOULD maintain the "presence" state of an agent. This state should include the agent's seed capability. If a previously authenticated and "present" agent re-authenticates successfully, the agent domain MAY return the same seed capability.


Resources accessed this way have the following restrictions:
After successful authentication, it is expected that the client will issue another request against the seed capability. To defend against potential Denial of Service attacks against the agent domain, the agent domain MAY define a timeout period for the seed capability. If the timeout period expires without a request being made against the seed capability, that seed capability will expire. Successful authentication of an agent who is "not present" has the effect of starting this timer.


* Resources are identified by their resource class name. With capabilities, there can be several resources in an entity that all conform to the same resource class. With event queues only one resource can exist for each resource class within the viewer. This is not usually a severe restriction.
The Challenge-Response Authenticator is intended to be used with a new, randomly generated salt for each authentication request. If the agent domain supports the Challenge-Response authentication scheme, it must maintain the "most recently generated salt" for some period of time (generally until the expiration of the duration period given in the authentication non-success response.)
::''Note: The next three are temporary limitations in the current protocol and are expected to be removed. Resource classes that conform to these restrictions are equivalent to messages in the current Second Life protocol. ''


* The only verb allowed is POST.
After the salt has "timed out" following an unsuccessful Challenge-Response authentication request, the agent domain MUST NOT allow the use of a previous or fixed salt value. That is, it is not correct, after the salt has expired, to use a null, fixed or previous salt. The agent domain MUST generate a new salt and return it to the client application. An unsuccessful authentication request with the Challenge-Response scheme also has the side effect of starting the salt duration timer. When this timer expires, the agent domain MUST not allow authentication with previously generated salts.  
* No response body is allowed.  
* The only status codes are 200, or 500 if the queue shuts down before all events are ack‚Äôd.  




==== Requests ====
<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 1-9 Sequence of Events | discuss]]</span>
=== Sequence of Events ===


The event queue is an unordered list of requests. Each request is formatted as follows:  
It is possible for an authentication request to occur in conditions where multiple errors or exceptions COULD be returned. As the protocol does not support reporting multiple failure conditions, the following sequence is provided to determine the priority of failure conditions. This sequence of events is motivated by the following principles:  


<blockquote>
* The agent domain should leak no account status information to an unauthenticated user.
{ message: ''name '', body: ''arbitrary-data ''}
* Maintenance should occur after successful authentication and before account status checking in case maintenance involves the representation of these states by the agent domain.
* The agent domain should check for "administrative issues" after maintenance is complete.


</blockquote>
The sequence for authentication is as follows. At the first error, the system produces an appropriate error response.


==== Basic Flow ====
# If the authenticator provided is a Challenge-Response or PKCS#5 PBKDF2 type AND a secret is not included, the system returns an authentication non-success response.
# The secret and optional authentication parameters are used to verify the client is in possession of the shared secret. If authentication is unsuccessful, an authentication failure response is returned.
# If per-user login-time maintenance must be performed, the agent domain allocates a maintenance capability and returns it to the client application as a maintenance deferred success response.
# If an account credential was used for authentication and the account "contains" two or more agents and the client application did not provide the first_name and last_name of the agent to log in as, generate a list of all agents associated with this account and return an agent selection failure response.
# If an "administrative issue" exists such as the user is suspended, banned, must agree to the terms of service or read critical messages, the system returns a "user intervention required" response, providing a URL referencing a web resource explaining the administrative issue and describing remediation steps.
# Check to see if the authenticated agent is associated with an agent seed capability already. If so, return a success response referencing that seed capability.
# Start the seed capability timer. Allocate an agent seed capability and return it to the client application via a success response.


When the viewer invokes '''event_queue/get ''', the entity replies with the list of messages that have been queued up. The viewer takes the response, breaks it apart into a series of requests that it processes on itself, as resource invocations that the entity wanted to perform. When those invocations are processed, the viewer indicates in its next invocation of '''event_queue/get '''that the previous set was completed. While it takes two resource invocations of '''event_queue/get '''to tunnel a set of invocations in the other directions, subsequent transactions are chained, since the acknowledgement of a previous set of requests is performed in the same invocation that gets the next set.


<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 1-10 Interface (POST) | discuss]]</span>
=== Interface (POST) ===


==== Acknowledgement ====
The following text describes the LLIDL description of the agent_login messages.


The response to '''event_queue/get '''includes a sequence number for the batch of requests. When the viewer has processed a batch of requests, acknowledges them in the next invocation of '''event_queue/get '''. If unacknowledged, the event queue in the entity may either resend the same requests batched with any new requests, or may treat them as lost.  
; authenticators
  ; hashed password authenticator
  &authenticator = {
    type: 'hash',          ; identifies this authenticator as a "hashed" type
    algorithm: 'md5',      ;
    secret: binary          ; hash of the salt prepended to the password;
                            ;  s = h( '$1$' | pw )
  }
 
  ; challenge response style authenticator
  &authenticator = {
    type: 'challenge',      ; identifies this as a "challenge response" type
    algorithm: 'sha256',    ;
    salt: binary,          ; optional - ( 0x24, 0x31, 0x24 ) used if not present
    secret: binary          ; hash of the salt prepended to the password;
                            ;  s = h( salt | h( '$1$' | pw ) )
  }
  ; PKCS#5 PBKDF2 style authenticator
  &authenticator = {
    type: 'pkcs5pbkdf2',    ; identifies this authenticator as a PKCS#5 PBKDF2
    algorithm: string,      ; identifier for hash ('md5' or 'sha256')
    salt: binary,          ; optional - ( 0x24, 0x31, 0x24 ) used if not present
    count: integer,        ; optional - 1 used if not present
    secret: binary          ; hash of the salt prepended to the password;
                            ;  s = pbkdf2( h('$1$' | pw), salt, count, 128 )
  }
; identifier types
  ; account identifier
  &identifier = {
    type: 'account',        ; identifies this as an "account identifier"
    account_name: string,
    first_name: string,    ; optional - first_name and last_name identify
    last_name: string,      ;  agent to log in as for accounts with more than
                            ;  one agent
  }
  ; agent identifier
  &identifier = {
    type: 'agent',          ; identifies this as an "agent identifier"
    first_name: string,
    last_name: string,
  }
; request
  &credential = {
    identifier: &identifier,      ; account or agent identifier
    authenticator: &authenticator  ; 'hash', 'challenge' or 'pkcs5pbkdf2'
  }
; response
  ; successful response
  &response = {
    condition: 'success',
    agent_seed_capability: uri    ; URL of the agent seed cap
  }
  ; authentication failure
  &response = {
    condition: 'key',
    salt: binary,            ; optional - salt for challenge and PKCS5 authenticators
    count: integer,          ; optional - iteration count for PKCS5 authenticators
    duration: integer        ; optional - the duration of the validity period of the salt
                              ;  and count values in seconds
  }
  ; maintenance "non success"
  &response = {
    condition: 'maintenance',
    maintenance_capability: uri, ; URL of the maintenance cap
    completion: integer          ; an estimate for maintenance duration (in seconds)
  }
 
  ; agent select failure
  &response = {
    condition: 'select',
    agents: [ first_name: string, last_name: string ... ]
  }
         
  ; administrative failure
  &response = {
    condition: 'intervention',
    message: uri                ; a URI with human-readable text explaining what
                                  ; the user must do to continue
  }
  ; non-specific error
  &response = {
    condition: 'nonspecific',
    message: string              ; a string describing the failure
; resource definition
%%agent_login
->&credential
<-&response
 
 
 
<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 2 Login-Time Maintenance (Resource Class) | discuss]]</span>
== Login-Time Maintenance (Resource Class) ==
 
An agent domain has the option of performing "per-user, login-time maintenance" as part of the authentication sequence. Performing maintenance after a user is authenticated and before an avatar is "rezzed" in a region has several advantages:
 
* it reduces system-wide downtime
* it distributes maintenance across time, and
* it consumes computational resources only for those agents who use the system
 
The agent domain signals it is performing maintenance by returning a "Maintenance Capability" instead of a seed capability following successful authentication. The maintenance capability represents a finite sequence of transactions performed by the agent domain on the user's behalf. It is expected that maintenance is a task that will complete in a "tractable" amount of time.
 
The maintenance capability may be queried to retrieve information about the transactions that are occuring, including:
 
* a textual description of the maintenance being performed
* an estimate for how long the maintenance will take to complete
 
<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 2-1 Service Location | discuss]]</span>
=== Service Location ===
 
The agent domain may provide a maintenance capability to the client application in response to successful authentication. This capability is communicated as an URL to a web based service that accepts LLSD queries.
 
'maintenance' capability from
 
 
<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 2-2 Verb | discuss]]</span>
=== Verb ===
 
GET
 
 
<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 2-3 Inputs | discuss]]</span>
=== Inputs ===
 
There are no parameters to a maintenance capability request.  




==== Long Poll ====
<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 2-4 Response | discuss]]</span>
=== Response ===


Both viewers and entities must be prepared to handle use the ‚Äúlong poll‚Äù technique to keep the flow of requests timely. Viewers must be prepared to handle that invoking '''event_queue/get '''may take a relatively long time to return, as the entity may choose to delay responding if there are no requests pending, or if it believes it would be better to wait for more requests to queue. Entities must be prepared to handle viewers that request as soon as they are ready for events with no delay. Both sides must be prepared to handle time outs and retries.  
There are three responses to a maintenance capability: a description of ongoing maintenance, a new maintenance capability describing another sequence of maintenance transactions, or a seed capability. These responses are identified with the condition items: 'ongoing', 'next' and 'complete'.  


The 'ongoing' response to a maintenance capability request includes a simple textual description of the maintenance performed, an estimate for how long the maintenance is expected to take, and a validity duration for the capability. The estimate for how long maintenance will take is provided so client applications may provide feedback to the user. The validity duration gives the viewer a minimim time period the agent domain will maintain the maintenance capability.


==== Closing the Queue ====
When the agent domain returns a 'next' response, it indicates that the current maintenance is complete, but a new maintenance must be performed before the agent may be placed into a region. The 'next' response includes the URL of the next maintenance capability as well as an integer describing the minimum time period the agent domain will maintain the maintenance capability.


When the viewer is ready to terminate the queue, meaning that it wishes to be done accepting requests, it may signal such by including the done flag in the next invocation of '''event_queue/get '''. This value is purely advisory, but enables entities to cleanly flush remaining events, and release resources.  
When an agent domain returns a 'complete' response, it indicates that all maintenance is complete. The response includes the agent seed capability that may be used to place the user's avatar in a region. It also includes an item describing the validity period for the current maintenance capability.  




==== Event Queue Get (Resource Class) ====
<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 2-5 Interface (GET) | discuss]]</span>
=== Interface (GET) ===


This resource is a capability both in the agent and in the region, for implementing a tunneled series of resource invocations from the entity back to the client:
The following text describes the LLIDL description of the agent_login messages.


{| border="1"
&response = {
|-
  condition: 'ongoing',
| colspan="2" |
  description: string,
Event Queue Get
  duration: integer,          ; how many seconds before maintenance is complete
|-
  validity: integer          ; how many seconds before this capability expires
|
}
Name
|
event_queue/get
|-
|
URL
|
capability
|-
|
Verb
|
POST
|-
|
Request
|
{ ack: ''sequence-number '', done: ''done-flag ''}
|-
|
   
   
|
&response = {
On the first invocation for a given resource, sequence-number must be undef. If done-flag is true, then the client is signaling its intention to stop polling if there are no more events.
  condition: 'next',
|-
  description: string,
|
  maintenance_capability: uri ; the URL for the next maintenance capability
Response
  validity: integer          ; how many seconds before this capability expires
|
}
{ id: ''sequence-number '', events: [ ''requests '', … ] }
|-
|
   
   
|
&response = {
See above for format of requests. Events may be empty.See above for format of requests. Events may be empty.  
  condition: 'complete',
|}
  agent_seed_capability: uri  ; the agent's seed cap
  validity: integer          ; how many seconds before this capability expires
}
%%maintenance
->undef
<-&response
 
 
 
<span style="float:right; font-size:80%; color:red;">[[SLGOGP_Draft_1/Discuss 3 References | discuss]]</span>
== References ==
 
>>> blist
>>> bibl
[http://tools.ietf.org/html/rfc1321 Rivest, R. "The MD5 Message-Digest Algorithm" <http://tools.ietf.org/html/rfc1321>] >>> bibl
[http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf "Federal Information Processing Standards Publication 180-2 (+ Change Notice to include SHA-224) <http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf>] >>> bibl
[http://tools.ietf.org/html/rfc2898 Kaliski, B. "PKCS #5: Password-Based Cryptography Specification Version 2.0" <http://tools.ietf.org/html/rfc2898>]

Latest revision as of 12:36, 10 September 2008

Open Grid Protocol: Authentication

Draft 3
September 2008
Notice: This draft is for public comment.
Mark Lentczner (Zero Linden) Linden Lab zero.linden@secondlife.com
Tess Chu (Tess Linden) Linden Lab tess@lindenlab.com
Meadhbh Hamrick (Infinity Linden) Linden Lab infinity@lindenlab.com
Copyright 2008, Linden Lab. All rights reserved.
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 license. See http://creativecommons.org/licenses/by-sa/3.0/for details.
All contributions to this document must be contributed under the Second Life Project Contribution Agreement. See http://wiki.secondlife.com/wiki/Project:Contribution_Agreementfor details
Abstract
Authentication in Open Grid Protocol establishes the connection between a viewer of a virtual world and an agent domain that manages an avatar account.
Status
As of Summer 2008, this protocol is a work in progress. While the major structural elements have been designed, the specific elements for many needed resources have not. This work is being undertaken by Linden Lab and its community based Architecture Working Group.
This protocol is being defined in light of feature set of Second Life. For now, where this document is currently lacking details, familiarity with Second Life will be assumed. It is an express aim of this work to enable the live, gradual migration of Second Life to using this new protocol as the development proceeds.

discuss

Agent Login (Resource Class)

discuss

introduction

Authentication is the first step in associating a client application with the agent domain, and subsequently, one or more regions. Before a client application may interact with the agent domain, it must authenticate itself by presenting credentials proving it has the right to control the agent. Authentication is the process of presenting an "Identifier" and an "Authenticator" to the agent domain and receiving a "Capability" providing further access to system resources or an actionable error description. The protocol defines an identifier as an agent or account information, distinct from its related authenticator.

Authentication begins by requesting the >>> code agent_login resource; that is, POSTing the "LLSD" description of an identifier and an authenticator to a well-known URL. The agent domain managing this resource then makes an access control decision based on the verity of the credential and the state of the agent domain. The result of this authentication, whether success or failure, it is returned to the client application via a LLSD message. The content and form of these messages are provided below in "LLIDL format."

The authentication process results in one of seven classes of response from the agent domain:

  • success
  • deferred success due to maintenance
  • authentication non-success due to missing secret
  • authentication failure
  • agent selection failure
  • "user intervention required" failure, and
  • "non-specified" failure.

Responses to authentication requests are successes, non-successes and failures. A "success" indicates the client application should have enough information to progress past the authentication phase and begin using the service. A "deferred success" implies use of the system will continue after a "short" period. In either case, the agent domain does not expect the client application to re-submit the >>> code agent_login request. Authentication "non-success" results from a client requesting per-agent or per-account authentication parameters. After sending a "non-success", the agent domain expects the client to resubmit the >>> code agent_login request "shortly." Failures of all type indicate the agent domain believes a condition exists requiring explicit user intervention. In the case of an authentication failure, the user should either retry the authentication request or recover their password. A failure due to "user intervention required" indicates the agent domain believes the user's account is in a state that required "out of band" recovery. Reading and accepting the agent domain's Terms of Service or Critical Messages are examples of recovering from "user intervention required" failures. Non-Specified failures indicate a non-recoverable problem that is not defined in this specification.

The section below on Processing Expectations provides more guidance.

Account identifiers and Agent identifiers

Client applications may authenticate using an "Account Identifier" or an "Agent Identifier". Either type of identifier may be used for authentication. An agent domain MUST support one of the two types of identifiers, and MAY support both. Client applications SHOULD support both identifier types.

An "Account" is an administrative object holding one or more references to an "Agent." This is advantageous in situations where:

  1. the agent domain does not wish to use an agent first name and last name to identify a user, but wishes to use another identifier (such as an email address or account number,) or
  2. the agent domain wishes to allow users with several agents to authenticate with the same authenticator, freeing them from the requirement of memorizing each individual agent authenticator..

Please note this spec does not imply a structure to the account identifier. Though an agent domain may use an email address as an account identifier, the protocol does not require it and treats the identifier simply as an opaque sequence of octets.


Flexible Authentication

This revision of the Open Grid Protocol defines, but does not require the use of, two additional authentication schemes: challenge-response and PKCS#5 Key Derivation 2.


discuss

Service Location

Each Agent Domain MUST have a well known and published authentication URL. The Second Life agent domain authentication URL is:

https://login.agni.secondlife.com/cgi-bin/auth.cgi


discuss

Inputs

LLIDL descriptions are provided below for both agent identifiers and account identifiers. Client applications may use either as the basis for authentication.

Agent Identifier

An agent identifier contains the first and last name of an agent.


Account Identifier

An account identifier must contain the >>> code account_name key. This is the opaque sequence of octets used by the agent domain to identify the user. If an account is associated with multiple agents, the client application SHOULD include the >>> code first_name and >>> code last_name of the agent the user wishes to use.


Hashed Password Authenticator

When a hashed password is used as an authenticator, the string '$1$' is prepended to the UTF-8 encoding of the password and processed with the MD5 cryptographic hash function. >>> bibref This revision of the Open Grid Protocol specification requires the use of MD5 with the hashed password authenticator. It also requires the presence of the >>> code algorithm key, and that the value of this key be the string 'md5'. Note that future versions of this specification may ALLOW or REQUIRE the use of other cryptographic hash functions.


Challenge-Response Authenticator

The Challenge-Response scheme allows the agent domain to select a session specific "Salt" to be used in conjunction with the user's password to generate an authenticator. In this scheme the authenticator is the hash of the salt prepended to the hash of '$1$' prepended to the password. This revision of the Open Grid Protocol specification requires the use of SHA256 with the challenge-response authenticator. >>> bibref It also requires the presence of the >>> code algorithm key, and that the value of this key be the string 'sha256'. Note that future versions of this specification may ALLOW or REQUIRE the use of other cryptographic hash functions.

To retrieve a session specific salt for use with the Challenge-Response authentication scheme from the agent domain, the client application sends a login request with a Challenge-Response authenticator without the secret item. If the agent domain supports this authenticator, it MUST respond with a 'key' condition including a salt and MAY include a duration in the response. If the duration is present, it denotes the number of seconds for which the salt will be valid.

Note: The Challenge-Response Authentication Scheme is not currently deployed on the Second Life Grid.


PKCS#5 PBKDF2 Authenticator

The PKCS#5 PBKDF2 authenticator is an implementation of RSA Labs' Public Key Cryptographic Standards #5 v2.1 Password Based Key Derivation Function #2. >>> bibref In this scheme, the hash of the string '$1$' prepended to the password is used in conjunction with a salt, iteration count and hash function to generate an authenticator. This revision of the Open Grid Protocol specification requires the use of SHA256 with the PKCS#5 PBKDS2 authenticator. It also requires the presence of the >>> code algorithm key, and that the value of this key be the string 'sha256'. Note that future versions of this specification may ALLOW or REQUIRE the use of other cryptographic hash functions.

As with the Challenge-Response authenticator, the agent domain MUST include the salt and iteration count in its response to an authentication request that is made without a secret item. Conforming agent domains may include a duration in their response indicating the number of seconds for which the salt and iteration count will be valid.

Note: The PKCS#5 PBKDF2 Authentication Scheme is not currently deployed on the Second Life Grid.


discuss

Response

The response to the agent login message is notice of one of seven "conditions":

  • authentication success
  • maintenance deferred success
  • authentication non-success
  • authentication failure
  • agent selection failure
  • "user intervention required" failure, and
  • "non-specific" failure.

The specification recognizes three "non-failure" responses:

Success

Upon success, the agent domain will respond with a message containing the "Agent Seed Capability". Receipt of this capability indicates authentication was successful. This capability is then used for further interactions with the system.


Maintenance Deferred Success

This condition indicates per-agent (or per-account) login-time maintenance is being performed. It is not an error. The response includes a maintenance cap the client application should use to get information about currently executing maintenance. For more information about maintenance, see the Maintenance section below.


Authentication Non-Success

Authentication Non-Success is the response given when a client queries the agent domain for agent-specific or account-specific authentication parameters. In that it is the expected response to such a query, it is not an error or exception. But it is not an indication of successful authentication.


discuss

Errors and Exceptions

Authentication Failure

An authentication failure indicates the client application did not provide enough information to authenticate the account or the agent.


Agent Selection Failure

An agent selection failure occurs when an account authentication request is ambiguous. In other words, the account a user has attempted to use to log in is associated with more than one agent account and the client application did not specify which account to use. The response includes a list of first_name / last_name pairs. It is expected that the client application will present this list to the user and ask which agent to use.


"User Intervention Required" Failure

This error indicates that the agent domain cannot authenticate the user for non-technical reasons. The protocol does not attempt to describe why, or imply remediation for this error. But an agent domain that returns this response MUST provide a URL containing a message describing the condition leading to the error and remediation, if known.


"Non Specific" Failure

This error indicates some other error exists which does not fall into one of the previous six conditions.


discuss

Preconditions

Client Preconditions

It is generally assumed that before a user attempts to log into an agent domain, they will not be actively connected to that agent domain.

It is also assumed that the user has registered their account and/or agent; user registration is outside the scope of this specification.

The client application SHOULD present the agent domain's Terms of Service and Critical Messages and allow a user to accept or decline them prior to attempting to authenticate.


Agent Domain Preconditions

If the agent domain requires users to read and agree to the Terms of Service or acknowledge receipt of Critical Messages prior to authentication, it must maintain a record of which accounts and agents have accepted and acknowledged these items.

Agent domains that support the concept of "suspension" or "disablement" should also maintain a record of which accounts and agents are suspended or disabled.


discuss

Postconditions

Client Postconditions

Following successful authentication, the client application SHOULD note that the agent has been authenticated to the agent domain. The Open Grid Protocol is NOT stateless.


Agent Domain Postconditions

After an agent (or account) is authenticated, a seed capability is allocated for the agent. The agent domain SHOULD maintain the association between agent credentials (first_name and last_name) and the seed capability so it may be re-used if the client attempts to re-authenticate the user.


discuss

Side Effects

The agent domain SHOULD maintain the "presence" state of an agent. This state should include the agent's seed capability. If a previously authenticated and "present" agent re-authenticates successfully, the agent domain MAY return the same seed capability.

After successful authentication, it is expected that the client will issue another request against the seed capability. To defend against potential Denial of Service attacks against the agent domain, the agent domain MAY define a timeout period for the seed capability. If the timeout period expires without a request being made against the seed capability, that seed capability will expire. Successful authentication of an agent who is "not present" has the effect of starting this timer.

The Challenge-Response Authenticator is intended to be used with a new, randomly generated salt for each authentication request. If the agent domain supports the Challenge-Response authentication scheme, it must maintain the "most recently generated salt" for some period of time (generally until the expiration of the duration period given in the authentication non-success response.)

After the salt has "timed out" following an unsuccessful Challenge-Response authentication request, the agent domain MUST NOT allow the use of a previous or fixed salt value. That is, it is not correct, after the salt has expired, to use a null, fixed or previous salt. The agent domain MUST generate a new salt and return it to the client application. An unsuccessful authentication request with the Challenge-Response scheme also has the side effect of starting the salt duration timer. When this timer expires, the agent domain MUST not allow authentication with previously generated salts.


discuss

Sequence of Events

It is possible for an authentication request to occur in conditions where multiple errors or exceptions COULD be returned. As the protocol does not support reporting multiple failure conditions, the following sequence is provided to determine the priority of failure conditions. This sequence of events is motivated by the following principles:

  • The agent domain should leak no account status information to an unauthenticated user.
  • Maintenance should occur after successful authentication and before account status checking in case maintenance involves the representation of these states by the agent domain.
  • The agent domain should check for "administrative issues" after maintenance is complete.

The sequence for authentication is as follows. At the first error, the system produces an appropriate error response.

  1. If the authenticator provided is a Challenge-Response or PKCS#5 PBKDF2 type AND a secret is not included, the system returns an authentication non-success response.
  2. The secret and optional authentication parameters are used to verify the client is in possession of the shared secret. If authentication is unsuccessful, an authentication failure response is returned.
  3. If per-user login-time maintenance must be performed, the agent domain allocates a maintenance capability and returns it to the client application as a maintenance deferred success response.
  4. If an account credential was used for authentication and the account "contains" two or more agents and the client application did not provide the first_name and last_name of the agent to log in as, generate a list of all agents associated with this account and return an agent selection failure response.
  5. If an "administrative issue" exists such as the user is suspended, banned, must agree to the terms of service or read critical messages, the system returns a "user intervention required" response, providing a URL referencing a web resource explaining the administrative issue and describing remediation steps.
  6. Check to see if the authenticated agent is associated with an agent seed capability already. If so, return a success response referencing that seed capability.
  7. Start the seed capability timer. Allocate an agent seed capability and return it to the client application via a success response.


discuss

Interface (POST)

The following text describes the LLIDL description of the agent_login messages.

; authenticators

  ; hashed password authenticator

  &authenticator = {
    type: 'hash',           ; identifies this authenticator as a "hashed" type
    algorithm: 'md5',       ;
    secret: binary          ; hash of the salt prepended to the password;
                            ;   s = h( '$1$' | pw )
  }
 
  ; challenge response style authenticator

  &authenticator = {
    type: 'challenge',      ; identifies this as a "challenge response" type
    algorithm: 'sha256',    ; 
    salt: binary,           ; optional - ( 0x24, 0x31, 0x24 ) used if not present
    secret: binary          ; hash of the salt prepended to the password;
                            ;   s = h( salt | h( '$1$' | pw ) )
  }

  ; PKCS#5 PBKDF2 style authenticator

  &authenticator = {
    type: 'pkcs5pbkdf2',    ; identifies this authenticator as a PKCS#5 PBKDF2
    algorithm: string,      ; identifier for hash ('md5' or 'sha256') 
    salt: binary,           ; optional - ( 0x24, 0x31, 0x24 ) used if not present
    count: integer,         ; optional - 1 used if not present
    secret: binary          ; hash of the salt prepended to the password;
                            ;   s = pbkdf2( h('$1$' | pw), salt, count, 128 )
  }

; identifier types

  ; account identifier

  &identifier = {
    type: 'account',        ; identifies this as an "account identifier"
    account_name: string,
    first_name: string,     ; optional - first_name and last_name identify
    last_name: string,      ;   agent to log in as for accounts with more than
                            ;   one agent
  }

  ; agent identifier

  &identifier = {
    type: 'agent',           ; identifies this as an "agent identifier"
    first_name: string,
    last_name: string,
  }

; request

  &credential = {
    identifier: &identifier,       ; account or agent identifier
    authenticator: &authenticator  ; 'hash', 'challenge' or 'pkcs5pbkdf2'
  }

; response

  ; successful response

  &response = {
    condition: 'success',
    agent_seed_capability: uri    ; URL of the agent seed cap
  }

  ; authentication failure

  &response = {
    condition: 'key',
    salt: binary,            ; optional - salt for challenge and PKCS5 authenticators
    count: integer,          ; optional - iteration count for PKCS5 authenticators
    duration: integer        ; optional - the duration of the validity period of the salt
                             ;   and count values in seconds
  }

  ; maintenance "non success"

  &response = {
    condition: 'maintenance',
    maintenance_capability: uri,  ; URL of the maintenance cap
    completion: integer           ; an estimate for maintenance duration (in seconds)
  }
 
  ; agent select failure

  &response = {
    condition: 'select',
    agents: [ first_name: string, last_name: string ... ]
  }
          
  ; administrative failure

  &response = {
    condition: 'intervention',
    message: uri                 ; a URI with human-readable text explaining what
                                 ; the user must do to continue
  }

  ; non-specific error

  &response = {
    condition: 'nonspecific',
    message: string              ; a string describing the failure

; resource definition

%%agent_login
->&credential
<-&response


discuss

Login-Time Maintenance (Resource Class)

An agent domain has the option of performing "per-user, login-time maintenance" as part of the authentication sequence. Performing maintenance after a user is authenticated and before an avatar is "rezzed" in a region has several advantages:

  • it reduces system-wide downtime
  • it distributes maintenance across time, and
  • it consumes computational resources only for those agents who use the system

The agent domain signals it is performing maintenance by returning a "Maintenance Capability" instead of a seed capability following successful authentication. The maintenance capability represents a finite sequence of transactions performed by the agent domain on the user's behalf. It is expected that maintenance is a task that will complete in a "tractable" amount of time.

The maintenance capability may be queried to retrieve information about the transactions that are occuring, including:

  • a textual description of the maintenance being performed
  • an estimate for how long the maintenance will take to complete

discuss

Service Location

The agent domain may provide a maintenance capability to the client application in response to successful authentication. This capability is communicated as an URL to a web based service that accepts LLSD queries.

'maintenance' capability from


discuss

Verb

GET


discuss

Inputs

There are no parameters to a maintenance capability request.


discuss

Response

There are three responses to a maintenance capability: a description of ongoing maintenance, a new maintenance capability describing another sequence of maintenance transactions, or a seed capability. These responses are identified with the condition items: 'ongoing', 'next' and 'complete'.

The 'ongoing' response to a maintenance capability request includes a simple textual description of the maintenance performed, an estimate for how long the maintenance is expected to take, and a validity duration for the capability. The estimate for how long maintenance will take is provided so client applications may provide feedback to the user. The validity duration gives the viewer a minimim time period the agent domain will maintain the maintenance capability.

When the agent domain returns a 'next' response, it indicates that the current maintenance is complete, but a new maintenance must be performed before the agent may be placed into a region. The 'next' response includes the URL of the next maintenance capability as well as an integer describing the minimum time period the agent domain will maintain the maintenance capability.

When an agent domain returns a 'complete' response, it indicates that all maintenance is complete. The response includes the agent seed capability that may be used to place the user's avatar in a region. It also includes an item describing the validity period for the current maintenance capability.


discuss

Interface (GET)

The following text describes the LLIDL description of the agent_login messages.

&response = {
  condition: 'ongoing',
  description: string,
  duration: integer,          ; how many seconds before maintenance is complete
  validity: integer           ; how many seconds before this capability expires
}

&response = {
  condition: 'next',
  description: string,
  maintenance_capability: uri ; the URL for the next maintenance capability
  validity: integer           ; how many seconds before this capability expires
}

&response = {
  condition: 'complete',
  agent_seed_capability: uri  ; the agent's seed cap
  validity: integer           ; how many seconds before this capability expires
}

%%maintenance
->undef
<-&response


discuss

References

>>> blist
>>> bibl

Rivest, R. "The MD5 Message-Digest Algorithm" <http://tools.ietf.org/html/rfc1321> >>> bibl "Federal Information Processing Standards Publication 180-2 (+ Change Notice to include SHA-224) <http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf> >>> bibl Kaliski, B. "PKCS #5: Password-Based Cryptography Specification Version 2.0" <http://tools.ietf.org/html/rfc2898>