
Diagram of authentication flow in High Fidelity

Here is an overview of the authentication flow that we referenced at a high level in the post on identity. This is where our design thinking stands today; most of it (everything except DTLS) is turned on right now in the alpha servers so we can test it.

At a high level, domain server operators can require OAuth authorization from people and agents accessing their virtual worlds, with usage scopes for things like edit capabilities, importing and exporting digital objects, and payments. The domain servers also present certificates, which accessing clients use to verify the domain's identity.

Comments requested and welcome on this detailed design.

Cyberpiper Pit Vinandy on May 21, 2014

I am no IT specialist nor programmer… I understand the idea behind High Fidelity but am unable to grasp its mechanics.
I currently use Second Life for educational purposes and run 12 PCs in the tower of an old fortress which I rebuilt in SL. Participants can experience life as a soldier in 1867.
I am working on a bigger project extending this to the whole city and fortress of Luxembourg.
I am working on getting this financed by government and other institutions.
This is where HF puts me at odds. Will it be connected to SL as it exists? Will SL disappear one day, to be replaced by HF?
What will happen to my work in SL in this case? Should I go on with my plans and buy 20 sims in SL, or should I rather propose the purchase of servers?
These are questions that my financers will be asking.
I know you are creative, busy people… Can anyone answer or give any hints to my above questions?


    Patnad on May 27, 2014

    Cyberpiper, I am in no way related to the people at High Fidelity, but I am mostly a builder in SL and an enthusiast of virtual worlds in general.

    My thoughts on the subject you bring forward are as follows. If you have already worked with SL in the past to build your projects you should keep doing it. I truly believe High Fidelity has great potential, but it is still at a very early stage right now and it will probably take a couple of years before it is as mature as SL can be (stability- and popularity-wise).

    I think it is a completely separate project from SL and I doubt it will ever be connected or that there will be a way to transfer builds from one world to another. But perhaps, since Linden Lab is also behind HF, they will make a very big effort and merge both worlds, who knows.

    I wish you good luck with your projects!


Nirak on May 29, 2014

You briefly mention OAuth. Is this all going to be OAuth compliant to standards and usable with existing libraries? Are we going to be able to utilize timeouts on the sessions? Can we offload authentication onto another server or treat it as an API and address our own authentication to it?


Nirak on May 29, 2014

These are slightly naive questions in some ways, but how will sessions be managed? Will we be able to monitor or terminate sessions on demand?


    Stephen Birarda on June 12, 2014

    Hey Nirak!

    Not naive questions at all – sorry for the delayed response on these.

    As far as I’ve implemented this so far, there is no secret sauce, so it is completely compliant with the OAuth 2 spec, allowing you to use whatever existing OAuth libraries you like.

    Evidently the data returned to the domain for user identity may vary, and the domain-server currently only handles the format returned by the High Fidelity data server, but it would be trivial to handle data from another OAuth provider.

    The domain owner will likely have the option to set session length, be able to monitor sessions and clear individual sessions or all of them at once. We’ll be working on this soon.

    I’m not sure I understand the last question, but let me try to answer. The domain-server could offload authentication to any OAuth provider by passing a different URL that the interactive client should use for authentication. This would require the OAuth provider to provide an identity packet the same way the High Fidelity data server does, or would require the domain-server to handle data from a different provider when authenticating the user.
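The flow sketched in the post (scoped OAuth authorization requested by the domain server) together with the session controls Stephen describes above (owner-set session length, clearing one or all sessions), as an added example in Python that is not High Fidelity's code. It models only the domain-server side: the authorization URL asks for just the scopes an operation needs, a callback is accepted once per issued state, the session keeps only the scopes the provider actually granted, and the owner can terminate sessions. Scope names, operation names, the endpoint URLs and the token response are assumptions constructed for the example.

```python
# Added example (not High Fidelity code): domain-server side of the OAuth 2 authorization
# code flow with per-operation scopes and owner-controlled sessions. Names are assumptions.
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed scope names; the post only says scopes cover editing, import/export and payments.
SCOPE_FOR_OPERATION = {
    "edit_entity": "domain.edit",
    "export_object": "domain.export",
    "charge": "domain.payments",
}
STATE_TTL_S = 300  # an unredeemed authorization request is dropped after 5 minutes


class DomainServerAuth:
    def __init__(self, auth_endpoint, client_id, redirect_uri, session_length_s=3600):
        self.auth_endpoint = auth_endpoint
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.session_length_s = session_length_s  # chosen by the domain owner
        self._pending = {}   # state -> (expiry, scopes requested)
        self._sessions = {}  # session id -> {"user", "scopes", "expires"}

    def build_authorization_url(self, operations, now=None):
        # Step 1: request only the scopes these operations need, bound to a single-use state.
        scopes = {SCOPE_FOR_OPERATION[op] for op in operations}
        state = secrets.token_urlsafe(32)
        self._pending[state] = ((now or time.time()) + STATE_TTL_S, scopes)
        params = {"response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                  "scope": " ".join(sorted(scopes)), "state": state}
        return f"{self.auth_endpoint}?{urlencode(params)}", state

    def handle_callback(self, callback_url, now=None):
        # Step 2: accept a code only for a fresh, unconsumed state we issued (blocks CSRF and replay).
        query = parse_qs(urlparse(callback_url).query)
        entry = self._pending.pop(query.get("state", [None])[0], None)
        if entry is None:
            raise PermissionError("unknown or already-used state")
        expiry, scopes = entry
        if (now or time.time()) > expiry:
            raise PermissionError("authorization request expired")
        code = query.get("code", [None])[0]
        if not code:
            raise PermissionError("callback carries no authorization code")
        return code, scopes

    def start_session(self, user_id, token_response, now=None):
        # Step 3: after the code exchange, keep only the scopes the provider actually granted.
        granted = set(token_response.get("scope", "").split())
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = {"user": user_id, "scopes": granted,
                                      "expires": (now or time.time()) + self.session_length_s}
        return session_id

    def authorize(self, session_id, operation, now=None):
        # Per-request check: a live, unexpired session that holds this operation's scope.
        session = self._sessions.get(session_id)
        if session is None:
            return False
        if (now or time.time()) > session["expires"]:
            del self._sessions[session_id]
            return False
        return SCOPE_FOR_OPERATION[operation] in session["scopes"]

    def terminate(self, session_id):
        return self._sessions.pop(session_id, None) is not None

    def terminate_all(self):
        count = len(self._sessions)
        self._sessions.clear()
        return count


def demo():
    # Constructed walk-through: edit + payments requested, only edit granted, callback replayed,
    # one session terminated by the owner, a second one left to expire.
    auth = DomainServerAuth("https://provider.example/oauth/authorize", "domain-1",
                            "https://domain.example/cb", session_length_s=600)
    t0 = 1_000_000.0
    url, state = auth.build_authorization_url(["edit_entity", "charge"], now=t0)
    callback = f"https://domain.example/cb?code=abc123&state={state}"
    code, requested = auth.handle_callback(callback, now=t0 + 10)
    try:
        auth.handle_callback(callback, now=t0 + 12)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    sid = auth.start_session("alice", {"access_token": "tok", "scope": "domain.edit"}, now=t0 + 11)
    results = {
        "url_has_scopes": "scope=domain.edit+domain.payments" in url,
        "code": code, "requested": requested, "replay_rejected": replay_rejected,
        "edit_allowed": auth.authorize(sid, "edit_entity", now=t0 + 20),
        "charge_allowed": auth.authorize(sid, "charge", now=t0 + 20),
        "terminated": auth.terminate(sid),
        "after_terminate": auth.authorize(sid, "edit_entity", now=t0 + 30),
    }
    sid2 = auth.start_session("bob", {"scope": "domain.export"}, now=t0 + 40)
    results["export_ok"] = auth.authorize(sid2, "export_object", now=t0 + 50)
    results["expired"] = auth.authorize(sid2, "export_object", now=t0 + 700)  # 640 s lifetime
    return results
```

The exchange of the code at the provider's token endpoint is left to whichever OAuth 2 client library the domain uses; what the example pins down is the server-side state handling that keeps a replayed callback or an over-broad token from turning into edit or payment rights on the domain.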


pedrw on May 29, 2014

What is the release date of High Fidelity? They are saying that the final version of the Oculus Rift will only be launched in a year or more. But it is very likely that competitors to the Oculus Rift will arrive well before. I’d rather buy the Oculus Rift, but I do not want to wait…


Emmanuelle LaFollette on May 29, 2014

I just learned about High Fidelity last night and I am way beyond excited!!! After 10 years in Second Life, I have a huge emotional (and financial) investment in the SL world and miss the days when it was at its peak. I’m hoping my fiancé (whom I met via SL) and I can get into the alpha at some point. Until then, I’ll be reading the blog regularly! :)


Robertus on June 3, 2014

There seems to be some controversy about OAuth 2.0 compared to 1.0.

It seems the OAuth author has resigned from the project
–> some remarks regarding it being less secure etc. came up when I did a little search.

Which version is HiFi using and what are your thoughts about the security remarks?

(btw: the first 2 comments and also 1 reaction some entries later seem to be from spammers?)


    Stephen Birarda on June 12, 2014

    Robertus – thanks for the heads up.

    I’ve just read that blog post and will do some more research to see what the right move is here. For now we are using OAuth 2.0.


Aree Cee on June 24, 2014

You people are fantastic and I am so ready to start living in this new world. This will enrich so many lives and offer the chance to help those overseas form a solid foundation for learning through long-distance education.

My thoughts as a content creator, with my business in SL and SL 2.0: when I go to offer my services on the HiFi marketplace, will I then be forced to compete with others who are using 3rd-party marketplaces? Because 3 grids’ MPs are a lot, but now others are claiming they are going to take a big share of the HiFi market from HiFi.

Just wanted to point out that many believe they can take what HiFi is offering open source and then turn around and try to put HiFi out of business, so I hope that plans are in effect to make these concerns unlikely.

I found this interesting quote from…
Ilan Tochner on the HGbusiness forums..

“We’ve downloaded the High Fidelity codebase, compiled it and played with it to understand it better. Though far from being market ready, the underlying technology has potential. Keeping both client and server open source can help the project gain traction with developers and gives it a better fighting chance against the proprietary virtual-world solutions big corporations will eventually bring to market. We also like that the distributed nature of the system saves you from having big hosting expenses thus enabling you to use a freemium business model.

The main problem I see is that what makes this an interesting open-source project will also make it hard for High Fidelity (the company) to make a profit when companies such as Kitely can offer the same value-add services they’ll offer and do so sooner and with more advanced technology than they can have coming out of the gate. It would be very straightforward for us to enable delivery from Kitely Market to High Fidelity, all we need is business justification to do so.” (bolding added). Sounds like Kitely might have a secret weapon.


Shawn on June 25, 2014

I just learned about this, and it sounds like a great project to be part of. I do have a BS in IT, so I am willing to learn how the virtual world is created. I don’t use SL currently, but I have in the past; I am on a different virtual world client, and I am a content mesher and creator. I have some understanding of Java coding, HTML, and basic protocols that are used in the connection between the client and server. I do have a working understanding of 2D and 3D software. So I would like to be part of this world, as a helper in the creation of the world and as a content creator. So off to the races.




David Jansson on July 23, 2014

This is a bit over my head. But in SL I have been putting a lot of work into how to make things work in the physics engine for the team sport Simball, played on hover boards. The SL physics engine does have some things that are hard to work around, like trying to make boards with lower physics cost. Turns out that the way prims drop collisions results in you going through walls, and into ramps instead of up them, if you have too simple a collision model for the board. The ramps can be made usable by upping the number of prims you use in them and making them larger with lots of overlap. The reason prims drop collisions like that is, according to the Lindens at the user groups, that it needs to or vehicles will snag on the seams on prim roads. I am hoping that your new world will give more control over physics settings like that, so that we can make more amazing in-world high-tempo sports and games like Simball.

Looking forward to the Alpha!


jwjaii on July 25, 2014

The quality and realism of avatars is very important

My avatar


Alexander on August 4, 2014

Can you give us details on how the scope system will work?
I’m especially interested in granularity, given that many current OAuth scope/permission systems tend to be very coarse-grained, forcing apps to ask for far-reaching permissions to achieve their goals.
(Actually this isn’t even OAuth specific, this seems to be a general trend, see iOS/Android’s fairly coarse permission system)


    Stephen Birarda on August 28, 2014

    Reggie – sorry for the late reply on this.

    The streaming data protocol does not necessarily use DTLS. It is UDP based and optionally uses DTLS between nodes where secure communication is required.

    It would be difficult to make a client using WebRTC alone since we wouldn’t have the ability to perform UDP communication with other nodes (or DTLS over UDP, which is what we’re using for this auth flow). I believe DTLS-SRTP is an implementation of DTLS over SRTP (as the name suggests) and wouldn’t be a drop-in replacement for our node to node UDP communication.


Cracker Hax on October 4, 2015

We need to be able to do this from script as well, so we can provide our own global services (antivirus, chat services, mail, scripted merchandise that works everywhere, etc.).




Philip Rosedale
Lifelong entrepreneur and technology innovator. CTO at RealNetworks, founder and CEO of Linden Lab, creator of the virtual world Second Life. Cofounder of High Fidelity, Inc.