Authentication in MV3D
MV3D uses a pluggable authentication system. Credentials are specified in ServiceLocs, as login:password directly after the protocol definition. Example:
pb://admin:pass@localhost:1999/Asset
The authentication method is added after the username, separated from it by a comma:
pb://admin,local:pass@localhost:1999/Asset
If unspecified, it defaults to "service". There are currently two authentication plugins available: service and local.
"service" is short for Login Service, as this authentication method uses the Login service to authenticate. This method is fairly similar to OAuth or Kerberos. It is mainly intended for use with servers that join the MV3D platform, allowing users registered with MV3D to log in to them. The login service authentication uses a third-party server to authenticate. The general steps involved are as follows:
- The client contacts the login server and authenticates.
- The login server passes the client an authentication token, which it keeps for a short period of time.
- The client then connects to the target server and passes its username and the authentication token from the login server.
- The target server connects to the login server and retrieves the authentication token. This invalidates the token on the login server.
- If the authentication token matches what the client passed in, the user is authenticated successfully.
In order to successfully authenticate, both the client and server must agree on the login service. The benefit of this method is that the target server can be untrusted as it never receives the user's password.
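The steps above as a runnable sketch, added here as an illustration and not MV3D's own code. The class and method names, the 30-second token lifetime and the in-memory token store are assumptions, and both servers run in one process instead of talking over the network.

```python
import hmac
import secrets
import time


class LoginServer:
    """Stand-in for the login service: checks passwords, issues one-time tokens."""

    def __init__(self, users, ttl=30.0, clock=time.monotonic):
        self._users = users      # username -> password (constructed sample data)
        self._ttl = ttl          # assumed lifetime; the page only says "short"
        self._clock = clock
        self._tokens = {}        # username -> (token, expiry)

    def authenticate(self, username, password):
        """Steps 1-2: the client logs in and is handed a token."""
        expected = self._users.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[username] = (token, self._clock() + self._ttl)
        return token

    def retrieve_token(self, username):
        """Step 4: the target server fetches the token, which invalidates it."""
        token, expiry = self._tokens.pop(username, (None, 0.0))
        return token if token is not None and self._clock() < expiry else None


class TargetServer:
    """Stand-in for the server the client wants to use; it never sees a password."""

    def __init__(self, login_server):
        self._login = login_server

    def login(self, username, presented_token):
        """Steps 3 and 5: compare the presented token with the login server's copy."""
        stored = self._login.retrieve_token(username)
        if stored is None or not presented_token:
            return False
        return hmac.compare_digest(stored.encode(), presented_token.encode())


def demo():
    login = LoginServer({"admin": "pass"})   # constructed credentials
    target = TargetServer(login)
    token = login.authenticate("admin", "pass")
    # First use succeeds; presenting the same token again fails (already invalidated).
    return target.login("admin", token), target.login("admin", token)
```

Because retrieval invalidates the token, a failed attempt at the target server also consumes it in this sketch, so the client has to authenticate with the login server again.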
The "local" authentication is quite a bit simpler. In this method, a list of users and passwords is added to the config file. Since these passwords are stored in plain text in the config file and also in memory, it should only be used in low security situations.
