Redoing OAuth for metaservers?

[John Carlson]

So my thought is to distribute a “web” key or bearer token via Zoom or email that allows access to a private list of links to servers on a metaserver.  Each person’s list of servers is different.  Once a server link is clicked,  they are directed to an actual meeting server.

Another thought is to combine the metaserver with a contacts/meeting organizer.

Does this seem doable with OAuth, which I haven’t researched, or is something different needed?

John 

[John Carlson]

BTW, I also want to know if this is feasible with an Electron app, in my case, Sunrize, for testing.

John 

[Alan Karp]

OAuth was designed for the web with much of the protocol working through the front end.  For example, the basic flow is for a client, such as a photo app, to make a request to a service, such as your photo store.  Since it doesn't have permission to access your photos, the request gets redirected to you in the form of a popup.  If you approve, the client gets an access token that it presents to the service.  This flow doesn't sound like what you want.

There are a few extensions to OAuth that may be closer to what you want.  GNAP (Grant Negotiation and Access Protocol) is one of them.  It includes a lot more than you need, but the flow is through the backend, which I think is what you want.

If the overhead of digital signatures isn't a problem, you should look at zcap-ld and UCAN.

--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/cap-talk/CAGC3UE%3DDwjzCNo%2Bzfnd9tQCAj18_s%2BC7bkYsoAgO2DRfjbF__w%40mail.gmail.com.

[Alan Karp]

On Fri, Jul 18, 2025 at 6:48 PM John Carlson <yott...@gmail.com> wrote:

BTW, I also want to know if this is feasible with an Electron app, in my case, Sunrize, for testing.

OAuth was designed for HTTP headers, which isn't the way native apps usually interact.

--------------
Alan Karp

--

You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.

To view this discussion visit https://groups.google.com/d/msgid/cap-talk/CAGC3UEnpXbaHom3f2-gHtv05tPqJFjNtuF1a6ZjVKb%3Do%2BurMPg%40mail.gmail.com.

[John Carlson]

Electron is not really a “native app,” it’s based on Chromium.  VS Code is another example.   Sunrize is an Electron version of X_ITE, a 3D JavaScript based browser available on many web browsers.

You are correct, Electron is a native app, but so is a web browser.

I got feedback from the Sunrize author that putting JavaScript inside a X3D scene is very possible, now the question is how to direct a user to the correct socket.io server.  That’s what the metaserver is for, I just hope I can do it securely, like creating a registry of socket.io servers (at least dev and prod), that I can display in 3D (without HTML, just X3D) on the meta server site.

Imagine that a bunch of 3D graphics museums got together and wanted to schedule meetings at different online museums.  The metaserver would be the central access point for joining tours, scheduling presentations, etc.

John 

To view this discussion visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z2CdWjkzhSt%2BsnQ%3DSQ4sK%3D3CMPg6J7qwe%2B-247cwf-ayg%40mail.gmail.com.

[John Carlson]

Why I appreciate that specifications are important, I have severe comprehension issues (a comprehension deficit), involving TL;DR.  I did visit the RFC site, but even the TOC/table of figures was too long.  I will look for JavaScript implementations.

To view this discussion visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z28JknSnKrrG26g12BRLTsPrGNhNqHAt6XpaLXVkcAcUQ%40mail.gmail.com.

[John Carlson]

Okay, my next thought was to send socket.io connection strings (like host and port, plus and room/channel) through socket.io.  Hmm!  Not exactly capabilities.  But maybe a capability could be used to resolve the connection string?

John