VATSIM Pilot Rating Program



Gentlemen,

 

Now that we have officially started this program with VATCAN as the first official ATO, I wanted to know what your thoughts are about having VATSIM as the central login point for our members, and then giving them a list of official training facilities, instead of everyone reinventing the wheel for authentication not to mention the forum confusion trying to keep the list updated.

 

The reason I bring this up is a recent issue from a few members that were getting 404's after they submitted the registration form from VATCAN. I realize that there are several HTML errors on their page and I would guess if the browser uses a different charset other than UTF-8, it would be questionable what POST data is passed to the server, but that's for Shawn F to worry about (sorry Shawn)!

 

However one thing that really concerns me is the actual registration process. I believe most members are concerned about having to enter their VATSIM password into a different website other than VATSIM for this (as am I). Personally, I would like to see a link on the VATSIM home page where the member can login safely and then would be offered a choice of participating ATO's, (updated by VATSIM) which could launch them to the appropriate websites via hashed URL via GET.

 

Here are my thoughts about making this work seamlessly:

 

1. User connects to VATSIM.NET and sees the option for Pilot Training and selects it.

2. VATSIM prompts them for their CID and password or gives them an option to sign-up to VATSIM.

3. After the member is authenticated a list of active ATO’s is presented in a list.

4. When the user selects an ATO, the VATSIM server sends a GET request to the participating website with a hashed URL consisting of the user's CID and password (or optionally a random hash code that would need to be saved in the VATSIM members table).

5. The ATO’s website would then translate the hash and would “query” the VATSIM database to check their pilot status (I would go this extra step to ensure these guys are not running multiple instances of VATSIM or the ATO’s site) and then the ATO’s database could display their ratings, and offer them the approved tests.

6. As there are many options for training and testing that should be at the discretion of the ATO, however should the ATO use an automated upgrade process or a manual one, the score or PASS/FAIL results would be sent back to VATSIM again using a simple hash.

7. Finally the member needs to be informed of the results of the test ASAP, as we all know our members live for instant gratification.

 

 

I would recommend against NOT integrating our websites with VATSIM, because if we have multiple databases floating around, and should someone with the authority to manually change the member's status not be available, or their database smoked out, then we are reading many more posts about pissed off pilots.

 

Just my .02!

Gerry Hattendorf

ZLA Webmaster

VATSIM Supervisor


Gerry,

 

I don't know what vatcan are doing but imagine they are using the credentials afforded by VATSIM.net to do this.

 

Basically the login simply confirms against cert - it isn't against their own database. Once confirmed, they can do what they want but don't have access to a user's password.

Norman


Right now all the ability to check member credentials and increase ratings, without needing their pw, is available in the CERT front end built for us by Mike. Nothing else is needed to do this job, we just get enamored with automation which is fine but not a priority for our coding staff. Mike will send a hit man to rub me out if I sign him up to have to work with dozens of ATO's, especially non VATSIM sites, to get some automation of theirs working for a nice to have feature instead of a must have feature.

 

VATCAN validates member info because they can (well, NA members right now but they are trying to expand that) but I doubt we'll extend this functionality to VA ATOs, i.e., non VATSIM 'property', any time soon. We just don't have the resources at that level at this time.

 

There is only one db for tracking ratings and that is within CERT, and it is not shared with anyone although ATOs have access to it to make changes. We don't track test scores in the db, just when a rating is issued. We require ATOs to maintain records for the tests and their data security plan is part of the application process.

 

All this learning! Such fun!

Kyle Ramsey

 


Basically the login simply confirms against cert - it isn't against their own database. Once confirmed, they can do what they want but don't have access to a user's password.

I wouldn't make this assumption; it appears that the password is being stored since I use it again to log back in. I can change it, but I require my existing VATSIM password to do so, after which I can use the new password.

Now it's entirely possible that VATCAN has made a dual-track authentication system where they only store passwords once they have been changed and until that point handle logins against CERT, but the simplest explanation is that they are validating, then saving, the password.

 

Cheers!

 

Luke

... I spawn hundreds of children a day. They are daemons because they are easier to kill. The first four remain stubbornly alive despite my (and their) best efforts.

... Normal in my household makes you a member of a visible minority.


Basically the login simply confirms against cert - it isn't against their own database. Once confirmed, they can do what they want but don't have access to a user's password.

I wouldn't make this assumption; it appears that the password is being stored since I use it again to log back in. I can change it, but I require my existing VATSIM password to do so, after which I can use the new password.

Now it's entirely possible that VATCAN has made a dual-track authentication system where they only store passwords once they have been changed and until that point handle logins against CERT, but the simplest explanation is that they are validating, then saving, the password.

 

Cheers!

 

Luke

 

But surely provided the passwords are encrypted, this isn't a problem?

 

When CERT goes offline, the UK goes offline (website wise) since everything authenticates against CERT; and CERT has been down a fair bit in the past 6 months through nobody's fault, but it's still a pain!

 

Regards,

A...


Sorry gents, but my suggestion was aimed at the VATSIM programmers. As I don’t have access to the docs about the CERT interface, I’m talking blind here. However if I can share my “vision” as to make this a seamless and successful program, we need to standardize the host interface (VATSIM) and the client interface (the authorized ATO’s).

 

At the highest level, please consider these ideas to make new ATO’s come online with a minimum of VATSIM admin work and virtually zero coding time;

 

First from the VATSIM (server) side of things;

1. A Pilot Cert page from the VATSIM.NET domain is created that prompts the member to login and authenticates their credentials.

2. After VATSIM authentication the member is presented with a list of approved ATO’s.

3. The member is redirected to the different domain, passing a hashed CID to the ATO’s “cert” page and perhaps a VATSIM “ATO_ID”.

 

Then the ATO website would retrieve the POST or GET data from VATSIM and decode the ATO_ID, CID, and RATING. At this point the ATO’s training program can do whatever they want in terms of training, but would need to decide if this test is automated, or graded manually.

 

Whatever the ATO site decides, they still need to get back to VATSIM to perform a rating change. So simply from the ATO side, all they need to send back to VATSIM is;

 

1. When the ATO’s logic has determined they have passed to a new level, a POST is sent back to VATSIM with the CID, ATO_ID, rating change, and optionally the date/time change, and ATO that made the change. The results of this transaction could be sent back with a status code for the ATO website to display, or could be redirected back to VATSIM for status code handling.

2. The member would still stay at the current URL, should they want to take any additional tests or ratings.

 

I’m not posting to toot my own horn, but to get the ideas out of our web developers to come to the table if you have other ideas or options!

 

I think this idea is one of the best ideas I’ve seen since I’ve been here, and I would like to offer any assistance to make sure this succeeds!

Gentlemen!

Gerry Hattendorf

ZLA Webmaster

VATSIM Supervisor


VATCAN validates member info because they can (well, NA members right now but they are trying to expand that) but I doubt we'll extend this functionality to VA ATOs, i.e., non VATSIM 'property', any time soon. We just don't have the resources at that level at this time.

 

But as you say, you already have the API. It's not like it's any more work to let other people use it without support, any more than letting a new FIR or ARTCC have access to it.

 

As I've said before, this capability isn't absolutely required for us as an ATO to effectively fill our role. I'm interested in it and gently pushing because it and the ATO concept really challenges VATSIM to make the term "partner" something meaningful. I really think that if you want to expand the ecosystem, you need to stop making the ATC organizations first-class citizens relative to everyone else. At the end of the day, the only difference between VATCAN and a VA (or an ATO that isn't a VA or FIR) is just a VATSIM title. VATCAN isn't really a VATSIM property in the sense that you don't control the content, the domain or the hardware.

 

Sorry gents, but my suggestion was aimed at the VATSIM programmers. As I don’t have access to the docs about the CERT interface, I’m talking blind here. However if I can share my “vision” as to make this a seamless and successful program, we need to standardize the host interface (VATSIM) and the client interface (the authorized ATO’s).

 

I believe there's good value in creating a VATSIM-wide SSO scheme, where VATSIM can authenticate users without them providing their credentials to the external site. I've worked with a number of SSO schemes where authentication was centralized but external sites had the capabilities to validate tokens generated by the central site, using public/private-key encryption. The idea is that VATSIM can provide a signature to a user ID which an external site can validate without that site ever seeing the CID/PWD combination.

 

Cheers!

 

Luke

... I spawn hundreds of children a day. They are daemons because they are easier to kill. The first four remain stubbornly alive despite my (and their) best efforts.

... Normal in my household makes you a member of a visible minority.
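
The signed-token idea described in the post above, as an added example that is not part of the thread and not VATSIM's or any site's actual scheme: the central site signs a short-lived assertion about a CID with its private key, and the external site checks it with the public key alone, so no password reaches the external site. The claim names (`cid`, `aud`, `exp`, `nonce`), the token layout, the site id `ato-example` and the sample CID are assumptions made for the illustration.

```javascript
// Added example: field names (cid, aud, exp, nonce) and "ato-example" are assumptions.
const crypto = require('crypto');

// The central site keeps the private key; external sites receive only the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const b64u = (data) => Buffer.from(data).toString('base64url');

// Central site: runs only after the member has logged in there.
function issueToken(cid, audience, ttlSeconds, now = Date.now()) {
  const claims = {
    cid,
    aud: audience,                                  // which external site this is for
    exp: Math.floor(now / 1000) + ttlSeconds,       // short lifetime
    nonce: crypto.randomBytes(16).toString('hex'),  // single-use marker
  };
  const payload = b64u(JSON.stringify(claims));
  const sig = crypto.sign(null, Buffer.from(payload), privateKey);
  return `${payload}.${b64u(sig)}`;
}

// External site: checks the signature with the public key; no password is involved.
const seenNonces = new Set(); // demo-only replay cache; a real site would persist this
function verifyToken(token, expectedAudience, pubKey, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const [payload, sig] = parts;
  let valid = false;
  try {
    // Verify the exact bytes received before parsing anything out of them.
    valid = crypto.verify(null, Buffer.from(payload), pubKey, Buffer.from(sig, 'base64url'));
  } catch {
    valid = false;
  }
  if (!valid) return { ok: false, reason: 'bad-signature' };
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  if (claims.aud !== expectedAudience) return { ok: false, reason: 'wrong-audience' };
  if (claims.exp <= Math.floor(now / 1000)) return { ok: false, reason: 'expired' };
  if (seenNonces.has(claims.nonce)) return { ok: false, reason: 'replayed' };
  seenNonces.add(claims.nonce);
  return { ok: true, cid: claims.cid };
}

// Constructed sample CID, not a real member.
const demo = issueToken(1234567, 'ato-example', 60);
console.log(verifyToken(demo, 'ato-example', publicKey)); // accepted once
console.log(verifyToken(demo, 'ato-example', publicKey)); // rejected as a replay
```

The audience, expiry and nonce checks matter as much as the signature: without them a token captured from a URL or a log could be reused later or presented to a different site.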


 

I believe there's good value in creating a VATSIM-wide SSO scheme, where VATSIM can authenticate users without them providing their credentials to the external site. I've worked with a number of SSO schemes where authentication was centralized but external sites had the capabilities to validate tokens generated by the central site, using public/private-key encryption. The idea is that VATSIM can provide a signature to a user ID which an external site can validate without that site ever seeing the CID/PWD combination.

 

 

Such a scheme already exists, sites like Vataware & others use it.. I'll be looking to expand this in the future, Luke, contact me.. you know how

Mike Evans


  • 3 months later...
Such a scheme already exists, sites like Vataware & others use it.. I'll be looking to expand this in the future, Luke, contact me.. you know how

 

I think I've reached the point where I'm ready to proceed on this, and there's also an idea I want to run by you. I'll ping you today.

 

Cheers!

 

Luke

... I spawn hundreds of children a day. They are daemons because they are easier to kill. The first four remain stubbornly alive despite my (and their) best efforts.

... Normal in my household makes you a member of a visible minority.
