[Opensim-dev] User Authentication

Toni Alatalo antont at kyperjokki.fi
Mon Feb 23 20:54:26 UTC 2009


Dirk Krause wrote:
> from what I understood one of the tricky parts is to implement openid in the client, since from an openid standpoint you don't want the server to receive username and password at all. after the negotiation between the client and the openid provider there is some additional token sent to the server to double check that this negotiation really happened.
>   

yes this is how it is in Rex, the viewer sends the token to the world 
server, never the user password, which it only sends to the user server 
(here: openid provider).

 ~Toni
> -----Original Message-----
> From: opensim-dev-bounces at lists.berlios.de on behalf of Toni Alatalo
> Sent: Mon 23.02.2009 21:37
> To: opensim-dev at lists.berlios.de
> Subject: Re: [Opensim-dev] User Authentication
>  
> Tommi Laukkanen wrote:
>   
>> I got a promising link yesterday from Ryan (sempuki):
>> http://dev.aol.com/OpenidTokenExchange 
>> That seems to be developed to solve exactly this problem. First point 
>> of authentication fetches tokens from token
>>     
>
> yep and a token is also what the original / current rexserver uses for 
> the 'global avatar system' to address this issue. there the client 
> can connect to any world, tell who it is, pass a one-time(?) token 
> gotten from auth a second ago, which the world then uses to verify from 
> the auth the user uses (and the server has decided to trust).
>
> the plan is probably to switch to openid and that in Rex as well, i.e. 
> to 'standards instead of Finnish magic' (in J. Hurlman's words from the 
> other day :) . we did the mistake back then 1,5 years ago when worked on 
> rexauth that, when thought too much of avatars and other VW specific 
> stuff also, even though did realize that one part is only about 
> identity, failed to realize that openid would have helped (maybe the 
> token exchange wasn't there yet even, iirc it's more recent than oauth?) 
> .. also because the ppl who got the idea didn't know about openid i 
> guess (i didn't know much either so failed to make the connection).
>
> the other mistake i guess was that didn't consider how it could work 
> with the existing user server in opensim, i guess because we thought 
> that's somehow tied to the grid-bound auth used in SL and Opensim 
> otherwise (which Rex got rid of and instead has the independent auth 
> that can work for any grid or server, like openid).
>
> at least the guys did get it implemented quickly and afaik it has been 
> working ok since and kinda proves that model partly at least?
>
> and now it seems we have a chance to get it with standards and properly. 
> yay!
>
>   
>> Tommi
>>     
>
>  ~Toni
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-dev
>   
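The token flow described in this thread (password only to the auth server, one-time token to the world server, world verifies with an auth server it trusts), as an added example that is not part of the original messages and is not Rex or OpenSim code. The class names, `auth.example` and the credentials are constructed, and in-process method calls stand in for the network requests.

```python
import hashlib, hmac, secrets, time

class AuthServer:
    """Identity provider (the 'user server'): the only party that sees passwords."""
    def __init__(self, name, ttl=30.0):
        self.name, self._ttl = name, ttl
        self._users = {}    # user -> (salt, password hash)
        self._tokens = {}   # token -> (user, expiry time)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt))

    def login(self, user, password):
        """Viewer -> auth server: password in, short-lived random token out."""
        salt, stored = self._users.get(user, (b"\0" * 16, b""))
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, time.monotonic() + self._ttl)
        return token

    def verify(self, user, token):
        """World -> auth server: pop() consumes the token, so a replay fails."""
        owner, expiry = self._tokens.pop(token, (None, 0.0))
        return owner is not None and owner == user and time.monotonic() < expiry

class WorldServer:
    """World server: sees only (user, auth name, token), never a password."""
    def __init__(self, trusted_auths):
        self._trusted = {a.name: a for a in trusted_auths}

    def connect(self, user, auth_name, token):
        auth = self._trusted.get(auth_name)   # unknown providers are refused
        return auth is not None and auth.verify(user, token)

def demo():
    auth = AuthServer("auth.example")         # constructed name and credentials
    auth.register("alice", "correct horse")
    world = WorldServer([auth])
    token = auth.login("alice", "correct horse")
    first = world.connect("alice", "auth.example", token)
    replay = world.connect("alice", "auth.example", token)   # same token again
    return first, replay
```

Because `verify` consumes the token even when the claimed user does not match, a token captured by one world cannot be presented to another.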
