Custom Apps Info

People are lazy. I wouldn't register at someone's website just for a small app which keeps minimal personal data, but I still wouldn't want someone to fake-login with my account and see this data.

There seems to be a misconception with the custom apps. The user should not be able to generate valid checksums.

One option is to use external authentication as before.

Another option could be to keep things as they are now for simple/small apps and at the same time add an "Advanced authentication" option. This option could work as follows:

1. User adds app and selects the "Advanced authentication (App needs to support this)".
2. Ryzom server tries to contact the app.

a)
3. Ryzom server submits a unique password (App URL + some unknown salt).
3. App saves this password.
4. Ryzom generates checksums based on this password.
5. App can verify data with that checksum while user can't generate valid checksums.

b)
3. Connection times out.
4. User receives an error message: App at http://xyz does not respond, please try again later.
5. App not added.

c)
3. App does respond but not with the expected keyword. (ideally some header to save traffic/avoid downloading the body)
4. User receives error message: App at http://xyz does not seem to support the Advanced authentication.
5. App not added.
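
The "Advanced authentication" flow proposed above, as an added example that is not part of the original post and not Ryzom's own code. HMAC-SHA256 stands in for the "checksum"; the salt value, reply keyword, app URL and all function names are assumptions.

```python
import hashlib
import hmac

SERVER_SALT = b"constructed-server-side-salt"  # assumption: known only to the game server
KEYWORD = "advanced-auth-ok"                   # constructed reply keyword


def app_password(app_url: str, salt: bytes = SERVER_SALT) -> bytes:
    """Per-app secret derived from the app URL and the server-only salt."""
    return hmac.new(salt, app_url.encode(), hashlib.sha256).digest()


def sign(password: bytes, user_data: str) -> str:
    """Server side: keyed checksum over the data handed to the app."""
    return hmac.new(password, user_data.encode(), hashlib.sha256).hexdigest()


def verify(stored_password: bytes, user_data: str, checksum: str) -> bool:
    """App side: recompute with the saved password, compare in constant time."""
    expected = sign(stored_password, user_data)
    return hmac.compare_digest(expected.encode(), checksum.encode())


def register(app_url: str, probe) -> str:
    """Outcomes a/b/c of the handshake. `probe` is a hypothetical transport that
    delivers the password and returns the app's reply, or raises TimeoutError."""
    try:
        reply = probe(app_url, app_password(app_url))
    except TimeoutError:
        return "error: app does not respond"                     # case b
    if reply != KEYWORD:
        return "error: advanced authentication not supported"    # case c
    return "added"                                               # case a


if __name__ == "__main__":
    url = "http://app.example/ryzom"   # constructed app URL
    saved = {}                         # the app's storage for its password

    def good_app(u, pw):
        saved[u] = pw
        return KEYWORD

    print(register(url, good_app))
    data = "user=Alice&guild=Example"  # constructed request data
    tag = sign(app_password(url), data)
    print(verify(saved[url], data, tag))                        # genuine request
    print(verify(saved[url], "user=Bob&guild=Example", tag))    # data edited by user
    # An unkeyed hash, which a user could compute alone, is rejected.
    print(verify(saved[url], data, hashlib.sha256(data.encode()).hexdigest()))
```

The password has to reach the app over a channel the user cannot observe, otherwise the user can compute valid checksums after all.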
