Dirk Krause wrote:
> from what I understood one of the tricky parts is to implement openid in the
> client, since from an openid standpoint you don't want the server to receive
> username and password at all. after the negotiation between the client and
> the openid provider there is some additional token sent to the server to
> double check that this negotiation really happened.
>

yes this is how it is in Rex, the viewer sends the token to the world server, never the user password, which it only sends to the user server (here: openid provider).

~Toni

> -----Original Message-----
> From: [email protected] on behalf of Toni Alatalo
> Sent: Mon 23.02.2009 21:37
> To: [email protected]
> Subject: Re: [Opensim-dev] User Authentication
>
> Tommi Laukkanen wrote:
>
>> I got promising link from yesterday from Ryan (sempuki):
>> http://dev.aol.com/OpenidTokenExchange
>> That seems to be developed to solve exactly this problem. First point
>> of authentication fetches tokens from token
>>
>
> yep and a token is also what the original / current rexserver uses for
> the 'global avatar system' to address this issue. there the client
> can connect to any world, tell who it is, pass a one-time(?) token
> gotten from auth a second ago, which the world then uses to verify from
> the auth the user uses (and the server has decided to trust).
>
> the plan is probably to switch to openid and that in Rex as well, i.e.
> to 'standards instead of Finnish magic' (in J. Hurlman's words from the
> other day :) . we did the mistake back then 1,5 years ago when worked on
> rexauth that, when thought too much of avatars and other VW specific
> stuff also, even though did realize that one part is only about
> identity, failed to realize that openid would have helped (maybe the
> token exchange wasn't there yet even, iirc it's more recent than oauth?)
> .. also because the ppl who got the idea didn't know about openid i
> guess (i didn't know much either so failed to make the connection).
>
> the other mistake i guess was that didn't consider how it could work
> with the existing user server in opensim, i guess because we thought
> that's somehow tied to the grid-bound auth used in SL and Opensim
> otherwise (which Rex got rid of and instead has the independent auth
> that can work for any grid or server, like openid).
>
> at least the guys did get it implemented quickly and afaik it has been
> working ok since and kinda proves that model partly at least?
>
> and now it seems we have a chance to get it with standards and properly.
> yay!
>
>
>> Tommi
>>
>
> ~Toni
> _______________________________________________
> Opensim-dev mailing list
> [email protected]
> https://lists.berlios.de/mailman/listinfo/opensim-dev
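
The token flow discussed in this thread, sketched as an added example (not part of the original messages and not Rex or OpenSim code; it is an in-process model, not the OpenID wire protocol). The class and method names are hypothetical, and it assumes the token is single-use, short-lived and bound to one world:

```python
import hashlib, hmac, secrets, time

class AuthServer:
    """Stand-in for the user server / identity provider: the only party that sees passwords."""
    def __init__(self, ttl=30):
        self._pw = {}      # user -> (salt, PBKDF2 hash)
        self._tokens = {}  # sha256(token) -> (user, world, expiry); raw tokens are not stored
        self.ttl = ttl

    def _kdf(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._pw[user] = (salt, self._kdf(password, salt))

    def login(self, user, password, world, now=None):
        """Viewer -> auth: check the password, return a one-time token for one world."""
        now = time.time() if now is None else now
        salt, stored = self._pw.get(user, (b"\0" * 16, b""))
        if not hmac.compare_digest(self._kdf(password, salt), stored):
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).digest()
        self._tokens[key] = (user, world, now + self.ttl)
        return token

    def verify(self, user, token, world, now=None):
        """World -> auth: consume the token, even on mismatch, so it cannot be retried."""
        now = time.time() if now is None else now
        entry = self._tokens.pop(hashlib.sha256(token.encode()).digest(), None)
        return entry is not None and entry[:2] == (user, world) and now <= entry[2]

class WorldServer:
    """World server: trusts one chosen auth server and never handles a password."""
    def __init__(self, name, trusted_auth):
        self.name, self.auth, self.sessions = name, trusted_auth, set()

    def connect(self, user, token):
        # Only the user name and the token arrive here; validity is decided by the auth server.
        if self.auth.verify(user, token, self.name):
            self.sessions.add(user)
            return True
        return False
```

Binding the token to a world name means a world server that receives a token cannot present it to another world as the user, and popping the entry on every check makes a replayed or misdirected token fail closed.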
