Identity linking

Hey everyone, recently hacked together an MVP for associating someone’s Gather identity with outside identities, so you can do stuff like

  • confine people to a certain area unless they have a certain discord role
  • set peoples’ avatars based on what NFTs they have or something
  • etc

tl;dr: lets Gather users tell external apps what their gather id is, so those apps can know you’re you when you’re in a Gather space. This works with a simple redirect to your site with their uid in the url params

full docs here

5 Likes

Uuuuhhhh I love this :love_you_gesture: I identified the user with the help of the WebsocketAPI … “who was the last user interacting with this ObjectId” … it was a bit of a hack, but it worked stable.

Now I have a direct way to identify the user! Thanks a lot :pray: Time 4 refactoring :sunglasses:

1 Like

Works like a charm! Thank you :pray:

Current security check is very simple → if the playerId is currently active on the server

2 Likes

Ok it’s sadly not working anymore with an iframe. First I had to CSP frame-src gather and some other sites, but then it didn’t work with frame-ancestors any more :frowning:

I fixed my project with an button which opens the link in a new tab with autoclose.

I would really like to show this in an iframe if this would be possible again

Woahs - What’s this? What are you specifically trying to accomplish?

Let me ping internally - RE this iframe question

The project is simple: A bot sends alarms (5min prior to our scrum rituals) to players and they can switch the alarms on and off.

What I did is load as an embedded website the configuration on/off, but I don’t know which player is doing this. To identify the player (by cookie) I use the Identity Linking.

If the player was unknown by the system a popup with an iframe was created and I loaded https://gather.town/getPublicId?... It worked for a while, but now:

Refused to frame 'https://app.gather.town/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self' native.fm www.native.fm rtr-web.herokuapp.com venue.virtualchair.net meetingland.de www.meetingland.de uncork-it-gather.com escape.uncork-it.com".

Yeah seems like we had to disable this from working because of though considerable security concerns it raised :confused:

1 Like

Thank you for your answer :+1: It does work with the “not so fancy way”, so I am happy that it I can identify user in the end!