Neos-Metaverse / NeosPublic

A public issue/wiki only repository for the NeosVR project

OAuth2 Integration #318

Open sirkitree opened 4 years ago

sirkitree commented 4 years ago

Request

Grant additional access rights and application permissions to my Patrons so that my Patrons can access more of my work in Neos VR and engage in more of my applications.

Background

Currently there is a way to set permissions on a world orb to 'Patreon Only'. I believe this functionality ensures that Neos VR users who are subscribed to the Neos VR Patreon can open these orbs.

I envision a similar system that would allow me to hook up this option (and other options, perhaps through LogiX) to my own (or others') Patreon account so that if a Neos VR user was a patron of mine, they would then be able to access new areas, items, and information in my Neos VR worlds.

Scenario

Scope

This request is currently scoped to Patreon, as there is already some current integration within Neos for this and I think it wouldn't be too far of a stretch. I do think that users might eventually want to hook up such a system to their own authentication systems so it may be worth thinking about a more generalized solution.

Frooxius commented 4 years ago

Hmm, this could potentially be done, but it's quite involved. Neos' existing integration cannot be used for this; that's specifically written just for Neos Patreon.

What might be a better solution is providing a way to authenticate users to a 3rd party (OAuth2 likely), so you could link their Neos account to your service and then you link Patreon yourself on your end.

A tighter integration with Neos might be done, but I'm not sure when that would get prioritized given the work involved (plus it would require regular service on Neos cloud infrastructure).

sirkitree commented 4 years ago

OAuth2 integration would be most useful in Neos as it's a difficult piece to implement given the tools we currently have. It would allow us to authenticate to a lot of various data sources, since it's a pretty widely used standard these days. I'll update the title of the Issue.

Frooxius commented 4 years ago

Oh yeah, OAuth2 would definitely be a much better choice, as it's a more generic solution that would let you build your own.

I'll have to look into this to see how much is involved though, so not sure about the timeline yet, but definitely want to add this one.

sirkitree commented 4 years ago

Another good use case for this is going to be GitHub. I'd like to start using GitHub projects to correspond to my open source projects within Neos. By having OAuth2 integration, we can connect easier to the GitHub API, allowing users to log issues directly from within Neos. This seems immediately useful to this particular issue queue as well as setting forth a more sustainable way of supporting projects (Tools and Environments) within Neos. Then issues could also be shown in-world as well, in which we can provide an alternative UI for GitHub; submitting and reading issues.

For instance, in creating a tool, I'll give it an 'about' modal that talks about how it was made, by who, request tips, and point to a project on GitHub in which the user can report bugs and feedback allowing me to better communicate with users of the application and coordinate efforts with other developers who may want to contribute to the project.

For now, I can just link to an issue queue, pop it up in a user's browser, and let them know to look on their desktop screen, but striving for first-class integration.

JackTheFoxOtter commented 3 years ago

I think the topic of OAuth2 should also be considered for headless instances / servers. This would allow a generalization of "something that controls a Neos account", which might be a headless server, or some other future system. (Possibly the dedicated chat companion app for mobile #156?)

This will also improve security since the user in the account itself could specify what permissions different applications have, and which parts of the Service they can access. For example, one might want the headless server to have access to world hosting / session starting, but not access to read chat messages, look through the user inventory or trigger NCR transactions. It would also eliminate the need for having a second account only for the headless server since users could authenticate a headless server from their main account.

Once 2FA gets implemented (#206) this will also serve as an additional security feature for headless servers, since those wouldn't be able to make use of 2FA if they get automatically rebooted / started / stopped (i.e. logged in) by the dedicated server they are running on.
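The per-application permission model described in the comment above, sketched as an added example that is not part of the thread and not Neos code: a grant store that issues a token limited to the scopes the account owner approved and refuses everything else by default. The scope names, operation names and the `GrantStore` class are hypothetical.

```python
import hashlib
import secrets
from dataclasses import dataclass, replace

# Hypothetical operation -> required scope map (names are not from Neos).
REQUIRED_SCOPE = {
    "world.host": "sessions:host",
    "session.start": "sessions:host",
    "chat.read": "messages:read",
    "inventory.list": "inventory:read",
    "ncr.transfer": "transactions:write",
}
KNOWN_SCOPES = frozenset(REQUIRED_SCOPE.values())


@dataclass(frozen=True)
class Grant:
    client_id: str          # the application, e.g. a headless server
    user_id: str            # the account that delegated access
    scopes: frozenset       # what the account owner approved
    revoked: bool = False


class GrantStore:
    def __init__(self):
        self._grants = {}   # sha256(token) -> Grant; raw tokens are never stored

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, client_id, user_id, requested, approved):
        unknown = set(requested) - KNOWN_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        # The owner may approve fewer scopes than the application asked for.
        scopes = frozenset(requested) & frozenset(approved)
        token = secrets.token_urlsafe(32)
        self._grants[self._key(token)] = Grant(client_id, user_id, scopes)
        return token

    def revoke(self, token):
        key = self._key(token)
        if key in self._grants:
            self._grants[key] = replace(self._grants[key], revoked=True)

    def authorize(self, token, operation):
        grant = self._grants.get(self._key(token))
        needed = REQUIRED_SCOPE.get(operation)
        # Deny by default: unknown token, revoked grant, or unmapped operation.
        if grant is None or grant.revoked or needed is None:
            return False
        return needed in grant.scopes
```

Revoking the headless server's token here leaves the owner's own login untouched, which is what removes the need for a second account.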

shiftyscales commented 3 years ago

As mentioned in the patch notes for 2021.4.24.620:

One of the major additions is that our cloud backend now supports OAuth 2.0! This has a whole bunch of preliminary work and there's still a bunch to do, but the basics are there now and can be built upon. Currently the registrations are on manual approval, we'll have a more formal process once it's further developed.

  • Implemented OAuth 2.0 support to Neos cloud service, allowing granting limited access to your Neos account to external services (requested by @ Geenz | Graphics Programmer on behalf of VBLFC, also based on request by @ Avinash | WeMakeVR for the Metamovie project and other requests in the past)
      - A brand new ASP.Net Core based website has been implemented for the Neos Cloud backend, currently available at https://cloudx-account.azurewebsites.net/, but only provides basic login and password changing functionality
      - Currently Authorization Code Flow is implemented (thanks to suggestions and advice from @ ProbablePrime)
      - Registering applications is currently on manual approval only. If you'd like to start building applications, contact us with details. You can reach out at hello@neos.com for now.
      - Only basic profile information is currently available, with more scopes and features to come over time