Hi,
I'm new on this list and found that the last thread about ExternalAuth [1]
dates back to 2010 [2], but I thought it was acceptable to bring up
the subject again :)
Stated simply: many AuthPlugin modules stick to using "External
Sessions" for SSO purposes and only implement the "UserLoadFromSession"
hook. They don't bother implementing a "true" authentication plugin.
In such a case [3] this is often incompatible with the use of the MW XML API.
ExternalAuth provides a clean API for this which even appears to be
used by the MW code-base itself:
in SpecialUserlogin.php:
> function authenticateUserData() {
> [...]
> $this->mExtUser = ExternalUser::newFromName($this->mUsername);
> [...]
> $this->mExtUser->authenticate($this->mPassword);
The issue here is that a regular AuthPlugin (a class implementing
AuthPlugin) is still needed, at the very least because soon after
there is an unconditional call to:
> $u->checkPassword().
[ and User::checkPassword() only uses $wgAuth ]
questions:
1) if ExternalAuth->authenticate() succeeded, why do we need
User::checkPassword()? It seems like this is an unneeded duplicate
check?
2) User::checkPassword() makes no consideration for ExternalAuth: it
always uses $wgAuth and only $wgAuth.
=> 2.1) does it mean that an AuthPlugin *must* be associated with each
ExternalAuth extension?
=> 2.2) or does it mean that User::checkPassword() should be fixed to
call authenticate() from the proper class (either AuthPlugin or
ExternalAuth) ?
If the answer to 2.1 is "yes", then another question arises:
2.1.1) how to access and make use of the ExternalAuth object ($mExtUser
in LoginForm) from $wgAuth->authenticate() so that it's not necessary to
duplicate code among both classes ?
I attached to pseudo-patch to work around what is problematic to me.
Thank you in advance for your answers.
footnotes:
[1] http://www.mediawiki.org/wiki/ExternalAuth
[2] http://article.gmane.org/gmane.science.linguistics.wikipedia.technical/48044
http://article.gmane.org/gmane.science.linguistics.wikipedia.technical/47710
[3] I personally keep in mind the case of AuthDrupal:
http://www.mediawiki.org/wiki/AuthDrupal
https://drupal.org/project/mediawikiauth
https://gitorious.org/drzraf/drupal-mediawiki/commits/custom