Authorization & RBAC System for VR Simulators
Virtual simulators for employee training require strict access control—without proper authorization, session data can be compromised. In corporate VR simulators and educational platforms, authorization is not optional. A trainee should not see colleagues' results. An instructor needs an overview of all sessions, and an administrator requires content management. And all this without a keyboard: in VR there is no native password input without removing the headset. Proper authorization saves up to 40% of administration time and reduces data leak risks. We solve this problem turnkey—from selecting the login method to embedding RBAC and integrating with corporate systems. With 5+ years in VR development, we have implemented over 20 projects with access control. We'll assess your scenario for free—just describe the requirements.
How to Organize Authorization in VR Without a Keyboard?
The main limitation is credential input. Quest.VirtualKeyboard (OpenXR Keyboard Extension XR_META_virtual_keyboard) solves this on Meta devices, but is missing on Pico or SteamVR. Alternative approaches:
-
PIN code on a virtual panel: 4–6 digits via
XRGrabInteractablebuttons—works on any OpenXR device (implementation takes 2 days). PIN authorization is 3x faster to implement than SSO and suits any headset. - QR authentication: the user scans a QR code from a phone or monitor via passthrough camera. Implemented using ZXing .NET or ML Kit on top of AR Foundation + Passthrough.
- SSO via companion app: a mobile app authorizes the user and passes a token to VR over the local network or deeplink.
- NFC/Proximity card: for stationary stands—USB-HID reader processed by a native plugin.
Comparison of methods:
| Method | Implementation speed | Security | Device compatibility |
|---|---|---|---|
| PIN code | 1–2 days | Medium | All OpenXR |
| QR authentication | 3–5 days | High | Quest, Pico (passthrough) |
| SSO via companion | 2–3 weeks | Very high | Any with Wi-Fi |
| NFC | 1 week | High | Stationary stands |
Step-by-Step Guide for PIN Authorization Implementation
- Create a virtual panel with buttons 0–9 using UI Toolkit or World Space Canvas.
- Implement button press handling via
XRGrabInteractablewith anonSelectEnteredevent. - Verify the entered PIN on the backend (or locally for offline mode).
- On success, store a JWT token in Android KeyStore (for Quest) or
ProtectedData(for Windows).
What the RBAC Model Solves in VR
For corporate VR platforms, we build RBAC with roles: Learner, Instructor, Admin, Guest. Each role defines:
- accessible scenes/modules (via
ScenePermissionScriptableObject) - permission to view other users' sessions
- right to reset progress
- access to real-time analytics
Role data is stored on the backend. The VR client obtains a JWT token upon authorization, decodes claims (role, allowed_modules[], organization_id), and builds a local permission cache. All checks go through a unified IPermissionService, not scattered if (isAdmin) in the code.
Example IPermissionService interface
public interface IPermissionService
{
bool HasPermission(string userId, string permission);
string[] GetRoles(string userId);
string[] GetAllowedModules(string userId);
}
For session token storage on the device: we use Android KeyStore (on Quest) or ProtectedData on Windows. Tokens are short-lived (8 hours) with silent refresh in the background.
Multi-user sessions (one Quest, multiple profiles)—our own implementation: avatar selection screen + PIN. Profiles are stored in Application.persistentDataPath/profiles/{userId}/ with AES-256 encryption (key from KeyStore). RBAC in VR reduces permission setup time by 50% compared to a flat role model.
Integration with Corporate Systems
Typical requirements: Active Directory / Azure AD (OAuth 2.0 + OpenID Connect), SSO with corporate portals, results export to LMS. We use xAPI (Tin Can API)—the standard for VR simulators. Each action ("actor completed scenario", "actor scored 85%") is sent as a Statement to an LRS. We implement this using TinCan.NET or a custom REST client. Integration with Keycloak for role management is also possible. Save up to 40% on integration thanks to ready-made authorization modules.
What's Included in the Work
- Authorization scheme: choose the method (PIN/QR/SSO) for your devices
- Permission Layer:
IPermissionService, RBAC model, unit tests - Backend integration: JWT, refresh flow, or IdP connection (Auth0, Azure AD B2C, Keycloak)
- Authentication: OAuth 2.0 and OpenID Connect setup
- Documentation: role descriptions, API endpoints, deployment instructions
- Testing: verification of all roles, expired token scenarios, penetration test of permission logic
- Support: 1 month of warranty support
Stages and Timelines
| System scale | Timeline |
|---|---|
| PIN authorization + 2 roles (local) | 1–2 weeks |
| JWT + RBAC + corporate backend | 3–6 weeks |
| SSO + AD + xAPI + multi-device | 2–4 months |
The cost is calculated individually after analyzing security and integration requirements. Contact us for a preliminary assessment—it will take no more than a day.
Guarantees and Support
Incorrect implementation of permission logic leads to data leaks or user lockouts. We guarantee correct authorization operation and secure token storage. 5+ years of experience, 20+ VR projects, certified Unity and Unreal engineers. Get a consultation—describe your requirements and we'll propose the optimal solution.





