One of the main functions of the Agent Domain is to give a viewer access to external resources such as a region, some IM service or some asset store.
In order to do that we utilize OAuth.
The requirements for this are as follows:
- The external service must be able to block access from certain Agent Domain instances.
- The external service must be able to identify an agent on an Agent Domain.
The general procedure is described below. We use the login to an IM service as an example.
The Viewer retrieves information about the IM service. This is usually done by simple service discovery on the Agent Domain or the user's profile page (or a known URL which holds a service catalog for a specific user). An example could be
http://myagentdomain.com/users/taotakashi
on which we perform an XRDS discovery.
The viewer asks the user to select one of the services and contacts this service. It will pass the following information:
- the Agent Name
- the Agent Domain Authorization URL
- additional service specific parameters
The external service requests an OAuth Request Token from the Agent Domain.
The Agent Domain responds with an OAuth Request Token.
Now the Agent Domain would actually need to ask the user whether it’s OK to grant access to certain services. This could perhaps be handled by the Viewer somehow.
Proposal: The Agent Domain sends a request message to the Viewer, which pops up a question asking whether it’s OK for the external service to access the identification service on the Agent Domain.
The Agent Domain sends a message back to the callback URL.
The external service requests an access token from the Agent Domain.
The Agent Domain responds with an access token.
The external service now calls the AgentInformation resource to obtain more information about the agent, like name, email etc. This actually might be an OpenSocial REST API for the profile.
Is the External Service not able to retrieve the profile information and link it
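As an added example (not code from the original page), here is a check an external service could run on the Agent Name and Agent Domain Authorization URL passed by the Viewer before it requests an OAuth Request Token. It covers the two requirements listed above: blocking certain Agent Domain instances and identifying an agent on an Agent Domain. The function names, the blocklist hostname and the sample URL paths are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample blocklist; the hostname is a placeholder, not from the page.
BLOCKED_AGENT_DOMAINS = {"blocked-agentdomain.example"}


class AgentDomainRejected(Exception):
    """Raised when the external service refuses to talk to an Agent Domain."""


def normalize_host(auth_url):
    """Return the canonical host of the Agent Domain Authorization URL."""
    parts = urlsplit(auth_url)
    if parts.scheme not in ("http", "https"):
        raise AgentDomainRejected("unsupported scheme: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        # "http://good.example@other.example/" would defeat a substring check.
        raise AgentDomainRejected("userinfo not allowed in authorization URL")
    # urlsplit lower-cases the hostname; drop a trailing root dot as well.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        raise AgentDomainRejected("authorization URL has no host")
    return host


def is_blocked(host, blocked=BLOCKED_AGENT_DOMAINS):
    """A blocked entry also covers every subdomain below it."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def accept_viewer_request(agent_name, auth_url, blocked=BLOCKED_AGENT_DOMAINS):
    """Run before requesting a Request Token; returns the agent identity key."""
    host = normalize_host(auth_url)
    if is_blocked(host, blocked):
        raise AgentDomainRejected("Agent Domain is blocked: " + host)
    name = agent_name.strip()
    if not name:
        raise AgentDomainRejected("missing Agent Name")
    # Scope the name to its Agent Domain: the same name on another
    # Agent Domain is a different agent.
    return (host, name)
```

The returned pair is what the external service would store as the agent's identity once the access token has been issued.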