non-standard login mechanism

SignpostMarv Martin signpostmarv.martin at slopenid.net
Mon Nov 17 01:46:54 UTC 2008


Just polling for feedback on a bit of a non-standard login mechanism 
I've implemented on my site(s).


1) a user logs into Second Life, and clicks a kiosk to get a nonced URL.
2) the user gets a fairly standard OpenID form, submitting their OpenID 
(I'm using the Zend libraries, btw)
3) once successfully logged in via OpenID, the endpoint and avatar UUID 
are recorded in a db table
* after this point, the OpenID url will never be entered again (unless 
the user wishes to change their OpenID, or perhaps for circumstances 
where an additional security/paranoia requirement is desired)
4) the user visit a SLOpenID v3-enabled website, entering their Second 
Life avatar name
5) the code checks if the name is valid, on file, and if it has an 
OpenID associated
6) the code then automagically submits the OpenID that is on file to the 
Zend libs (as opposed to accepting a POST or GET value)


Do note that Linden Lab don't (currently) have an OpenID provider, and 
since I retired SLOpenID v2, I don't believe there are any that cater 
solely to Second Life Residents- though there isn't really much point in 
it any more, considering flickr, live journal and blogger all act as 
providers (all of which are used by Second Life Residents to varying 
degrees).


The purpose of only using the Second Life name is three-fold:

1) Residents are familiar with entering their SL name (in either 
first/last format or a single string) in several places throughout 
Linden Lab's presence (viewer, websites)
2) To strive for a possible standardisation across SL-centric websites, 
increasing people's awareness of possible phishing attacks (see footnote)
3) To strive for a possible learned behaviour of passwordless, 
transparent OpenID logins in Second Life viewers (OpenID is mentioned as 
a possibility for OGP logins)


So my question is this: Is using OpenID without the user entering the 
actual OpenID url breaking the spec ?


~ Marv.


*phishing footnote
If there are no passwords entered on a SLOpenID v3-enabled website, 
there is no risk of the maintainer of said site being accused of 
manipulating users so that they can collect the actual Second Life 
passwords. If the SLOpenID v3 method were to become commonplace amongst 
SL-centric websites, otherwise-uninformed users (e.g. those that use 
SL-centric services) would be immediately less trusting of phishing 
sites that specifically target SL users (e.g. OH HAI! U CAN HAS FREE L$ 
IF U ENTER UR PASSWORDS! KTHXBAI MUAHAHAHA)


p.s. this email has been BCC'd to the OpenID mailing list and LL peeps, 
just in case you're wondering why the text of the email is rather verbose.




More information about the specs mailing list