Ticket #294 (new enhancement)

Opened 2 years ago

Last modified 19 months ago

Untrusted authorization for web services.

Reported by: mike
Owned by: mike
Priority: normal
Milestone: backlog
Component: networking
Version:
Severity: normal
Keywords: stealable
Cc:
Estimated Effort: 1 day
Platform: All
State: Conceptualizing
Relative Size:

Description

Currently, the web services require a connection to an auth service in order to authorize users. This also means that the user's username and password go through those servers. It would be nice to let random people run web services that somehow cross-authenticate to MV3D's login server.

Change History

Changed 2 years ago by mike

One possible idea is to do the following:

  1. Untrusted user hits untrusted server's web interface.
  2. Untrusted server redirects to the login url on the login server with the following post args:
       - foreignSession = the session on the untrusted server
       - redirectURL = the URL on the untrusted server to redirect to after logging in
  3. The login server authenticates the user, runs createPasswords using the foreignSession and then redirects to the redirectURL/login with these args:
       - username = the logged in user name
       - password = the user password created via createPasswords
  4. The untrusted server calls getLoginInfo on the login server to retrieve the passwords and verifies them before logging the user in.

The only thing missing is allowing the client to verify the identity of the untrusted server. One way to do this would be to use the client verification password to come up with an image to show the user before redirecting back to the untrusted server. The untrusted server would then use the same algorithm to show the same image. Could also do the same thing with just the password itself, but that would be hard for users to remember.
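The four-step flow and the verification-image idea from the comment above, as an added example in Python (this is not code from the ticket or from MV3D). The names createPasswords, getLoginInfo, foreignSession and redirectURL come from the ticket; the hostnames, the one-shot retrieval in getLoginInfo, the constant-time comparisons, the sample user "alice" and the ASCII identicon used as the verification image are assumptions made here to make the flow runnable offline.

```python
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def verification_image(client_password: str) -> str:
    """Render a 5x5 ASCII 'identicon' from the client verification password.
    Both servers run this same function, so the user can compare the picture
    shown by the login server with the one shown by the untrusted server.
    (Assumption: the ticket leaves the algorithm open; this is one choice.)"""
    bits = "".join(f"{b:08b}" for b in hashlib.sha256(client_password.encode()).digest()[:4])
    return "\n".join("".join("#" if bits[r * 5 + c] == "1" else "." for c in range(5))
                     for r in range(5))


class LoginServer:
    """Simulated MV3D login server: the only party that ever sees the real password."""

    def __init__(self, users):
        self._users = users          # username -> password (constructed sample data)
        self._issued = {}            # (username, foreignSession) -> (server_pw, client_pw)

    def create_passwords(self, username, foreign_session):
        # Two fresh random values bound to this foreignSession: one for the
        # untrusted server to verify, one for the user to verify the server.
        server_pw, client_pw = secrets.token_hex(16), secrets.token_hex(8)
        self._issued[(username, foreign_session)] = (server_pw, client_pw)
        return server_pw, client_pw

    def login(self, username, password, foreign_session, redirect_url):
        """Step 3: authenticate, run createPasswords, redirect to redirectURL/login."""
        if not secrets.compare_digest(self._users.get(username, ""), password):
            raise PermissionError("bad credentials")
        server_pw, client_pw = self.create_passwords(username, foreign_session)
        redirect = redirect_url.rstrip("/") + "/login?" + urlencode(
            {"username": username, "password": server_pw})
        # The image is shown to the user before following the redirect.
        return verification_image(client_pw), redirect

    def get_login_info(self, username, foreign_session):
        """Step 4 callback. One-shot (assumption): a second lookup returns None,
        so a captured redirect cannot be replayed against the same session."""
        return self._issued.pop((username, foreign_session), None)


class UntrustedServer:
    """A third-party web service that never handles the user's real password."""

    def __init__(self, base_url, login_server):
        self.base_url = base_url
        self._login = login_server
        self._sessions = {}          # foreignSession -> logged-in username or None

    def start_login(self):
        """Steps 1-2: mint a session and redirect to the login server."""
        session = secrets.token_hex(16)
        self._sessions[session] = None
        args = {"foreignSession": session, "redirectURL": self.base_url}
        return session, "https://login.example/login?" + urlencode(args)

    def finish_login(self, session, redirect_url):
        """Step 4: compare the presented password with what getLoginInfo returns."""
        if session not in self._sessions:
            raise PermissionError("unknown session")
        q = parse_qs(urlparse(redirect_url).query)
        username, presented = q["username"][0], q["password"][0]
        info = self._login.get_login_info(username, session)
        if info is None or not secrets.compare_digest(info[0], presented):
            raise PermissionError("login info does not match")
        self._sessions[session] = username
        return username, verification_image(info[1])


def run_flow(users=None):
    """Drive the whole exchange, playing the browser in between the two servers."""
    users = users or {"alice": "correct horse"}
    login = LoginServer(users)
    untrusted = UntrustedServer("https://untrusted.example", login)
    session, login_url = untrusted.start_login()                 # steps 1-2
    args = parse_qs(urlparse(login_url).query)                   # browser follows redirect
    image_at_login, back_url = login.login(                      # step 3, real password here only
        "alice", users["alice"], args["foreignSession"][0], args["redirectURL"][0])
    user, image_at_untrusted = untrusted.finish_login(session, back_url)  # step 4
    try:                                                         # replaying the same redirect fails
        untrusted.finish_login(session, back_url)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return {"user": user, "back_url": back_url, "replay_rejected": replay_rejected,
            "images_match": image_at_login == image_at_untrusted}


if __name__ == "__main__":
    print(run_flow())
```

What the run shows: the real password is submitted only to the login server, the untrusted server sees a session-bound random value and checks it through getLoginInfo, and the user can compare the identicon on both sites to confirm the untrusted server really holds the login info. As in the ticket, this leaves open how getLoginInfo itself is authenticated; that would have to be decided before deployment.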

Changed 2 years ago by mike

  • version 0.3 deleted
  • milestone changed from MV3D-0.34 to backlog

Changed 19 months ago by mike

  • keywords stealable added