[OTDev] AA: who handles the authentication

Luchesar V. ILIEV luchesar.iliev at gmail.com
Thu Jun 17 18:07:43 CEST 2010


Let's decide who will handle the authentication process:

1. The service.
OR
2. The client/user.

(1) means that an OT service will expect only a valid OpenSSO token
with each request. It will be up to the user to acquire such a token:
whether by direct communication with the OpenSSO server or via some
client application.

(2) means that an OT service will expect username and password
provided with each request. It will then try to get a valid token from
OpenSSO, and if that fails, will have to report back to the user.
Obviously, this relieves the client applications from the burden of
authentication, but at the expense of increased service complexity.
Furthermore, the services still have to be able to parse requests
accompanied by a token (as opposed to username/password), because
that's how cascading requests (from one service to another on behalf
of a user) work.

Please keep in mind as well that whoever does the authentication must
also handle log-out.

Cheers,
Luchesar
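An added example (not from this thread or the OpenTox code base) that sketches both options from the message and the log-out rule: a handler that accepts a token on every request (so cascading calls work in either mode), optionally exchanges username/password for a token when the service is the authenticator, and only logs out tokens it acquired itself. `FakeOpenSSO` is a constructed stand-in for the OpenSSO server, and the parameter names `subjectid`, `username` and `password` are assumptions.

```python
import hmac
import secrets

class FakeOpenSSO:
    """Constructed, offline stand-in for OpenSSO's authenticate /
    isTokenValid / logout operations (hypothetical interface)."""
    def __init__(self, users):
        self._users = users           # constructed username -> password table
        self._tokens = set()

    def authenticate(self, username, password):
        expected = self._users.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        token = secrets.token_urlsafe(16)
        self._tokens.add(token)
        return token

    def is_token_valid(self, token):
        return token in self._tokens

    def logout(self, token):
        self._tokens.discard(token)

def resolve_subject(req, sso, mode):
    """Return (token, owned_by_service, error).
    mode='client'  -> option (1): only a token is accepted.
    mode='service' -> option (2): username/password is exchanged for a token.
    A token is accepted in both modes, since cascading requests carry one."""
    token = req.get("subjectid")
    if token is not None:             # token issued elsewhere: validate only
        if sso.is_token_valid(token):
            return token, False, None
        return None, False, "invalid token"
    if mode == "service" and "username" in req and "password" in req:
        token = sso.authenticate(req["username"], req["password"])
        if token is None:
            return None, False, "authentication failed"
        return token, True, None      # this service acquired it, so it logs out
    return None, False, "no credentials"

def handle(req, sso, mode):
    """Authenticate, do the (placeholder) work, then log out only if this
    service obtained the token; a caller-owned token must stay valid."""
    token, owned, err = resolve_subject(req, sso, mode)
    if err:
        return {"status": 401, "error": err}
    try:
        return {"status": 200, "subject": token}   # placeholder for real work
    finally:
        if owned:
            sso.logout(token)
```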


