Authentication (Probe?) Proof of Concept

[MarcusLongmuir]

No description provided.

[0xm1kr]

Hey @MarcusLongmuir! Has any work been done on this? We're interested in helping out on it but could use a bit of direction to be sure we're thinking about it the right way.

[MarcusLongmuir]

Hey @0xm1kr. I’ve just started doing some prototyping on this. I’ve got a few different approaches to explore, but having some use cases (and also any concerns or whole concepts) would help.

I’m currently leaning towards having an identity be created and managed by the world and then be able to consistently provide that to documents and then the MML document can augment that authentication session with additional scopes and access by having the user open popups to communicate semi-directly with the document.

One of the key constraints with building a system like this is that the websocket connection to the MML document is observed and usable by the world client so it’s up to the user to trust that client is going to do the right thing with that connection if they authorize it and likely limit what that connection can do based upon risk tolerance.

[0xm1kr]

Hey @MarcusLongmuir, thanks for the context. Sure thing, I'll outline our use case below and some thoughts we had on auth in general for MML / M^2 worlds.

---

Use Case
At other.page we've created a platform for users to manage their avatars, then using a custom connect solution built on top of connectkit apps and games can connect their users and pull in information about their web3 identity (delegated/linked wallets, held tokens, on-chain badges, etc.).

We're currently working with Directive Creator to add one of our earnable badges into Construct so that you could join Construct as your avatar and collect the badge. It would then show up directly on your other.page avatar profile.

Within the badge MML, we want to make an API request to award the badge to the avatar that "collided" with it or "clicked" it.

Initially, our plan was to have an authenticated MML URL that can only be copied by our logged in users from within our app. This MML URL would contain the <m-character> with an attribute (maybe an arbitrary "data" attribute) that contained a session ID (e.g. <m-character data="{sessionId}">). Then, when a click or collision occurred between the authenticated <m-character> and the mml badge object, we could pull the data="{session id}" from the mElement and pass it to our other.page API to validate and assign the badge.

The issue is, we would need to add this attribute and the ability for the MML badge object to retrieve it from a RemoteEvent, which does not currently exist. We've been messing with the Character class in MML web to add a data attribute and are close but haven't quite figured it out.

---

Auth

When it comes to auth for m^2 worlds, it would be great if the system could be fairly open / extensible. This way apps like ours can provide deep Web3 context to MML and worlds, without the user having to login multiple times with multiple different credentials for every experience.

That said, as you mentioned it's tricky to know if we can trust the client, but if the MML url that the user is inputing for their avatar is already authenticated, our thought was that could be a start. Our connect solution could also be a potential general solution for Web3 focused MML experiences, so definitely something we'd like to discuss further if there is interest.