The problem is that both AuthPlugin and ExternalAuth are pretty hacked-together authentication systems, and both should be tossed in the garbage and replaced with a legitimately designed authnz system.
--
Tyler Romeo
Stevens Institute of Technology, Class of 2015
Major in Computer Science
www.whizkidztech.com | [email protected]

On Thu, Oct 11, 2012 at 9:48 AM, Raphaël Droz <[email protected]> wrote:
> Hi,
>
> I'm new on this list but found that the last thread about ExternalAuth [1]
> dated back from 2010 [2], but I thought it was acceptable to bring up
> the subject again :)
>
> Stated simply: many AuthPlugin modules stick to using "External
> Sessions" for SSO purposes and only implement the "UserLoadFromSession"
> hook. They don't bother implementing a "true" authentication plugin.
> In such a case [3] this is often incompatible with the use of the MW XML API.
>
> ExternalAuth provides a clean API for this which even appears to be
> used by the MW code-base itself, in SpecialUserlogin.php:
>
>     function authenticateUserData() {
>         [...]
>         $this->mExtUser = ExternalUser::newFromName($this->mUsername);
>         [...]
>         $this->mExtUser->authenticate($this->mPassword);
>
> The issue here is that a regular AuthPlugin (a class implementing
> AuthPlugin) is still needed, at the very least because soon after
> there is an unconditional call to:
>
>     $u->checkPassword()
>
> [ and User::checkPassword() only uses $wgAuth ]
>
> Questions:
>
> 1) If ExternalAuth->authenticate() succeeded, why do we need
> User::checkPassword()? It seems like this is an unneeded duplicated
> check?
>
> 2) User::checkPassword() makes no consideration for ExternalAuth: it
> always uses $wgAuth and only $wgAuth.
> => 2.1) Does it mean that an AuthPlugin *must* be associated to each
> ExternalAuth extension?
> => 2.2) Or does it mean that User::checkPassword() should be fixed to
> call authenticate() from the proper class (either AuthPlugin or
> ExternalAuth)?
>
> If the answer to 2.1 is "yes", then another question arises:
> 2.1.1) How to access and make use of the ExternalAuth object ($mExtUser
> in LoginForm) from $wgAuth->authenticate() so that it's not necessary to
> duplicate code among both classes?
>
> I attached a pseudo-patch to work around what is problematic to me.
>
> Thank you in advance for your answers.
>
> Footnotes:
>
> [1] http://www.mediawiki.org/wiki/ExternalAuth
> [2] http://article.gmane.org/gmane.science.linguistics.wikipedia.technical/48044
>     http://article.gmane.org/gmane.science.linguistics.wikipedia.technical/47710
> [3] I personally keep in mind the case of AuthDrupal:
>     http://www.mediawiki.org/wiki/AuthDrupal
>     https://drupal.org/project/mediawikiauth
>     https://gitorious.org/drzraf/drupal-mediawiki/commits/custom
>
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
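One way to answer question 2.1.1 in the quoted mail, as an added example that is not part of the thread, of MediaWiki core, or of AuthDrupal: a thin $wgAuth plugin that delegates authenticate() and userExists() to the ExternalUser object, so that the unconditional User::checkPassword() call in LoginForm exercises the same external backend instead of a second, hand-written copy of it. The class name ExternalUserBridgeAuth is hypothetical; the example assumes the AuthPlugin method names of 2012-era MediaWiki core and the ExternalUser API exactly as it appears in the quoted code (ExternalUser::newFromName(), ->authenticate($password)), with $wgExternalAuthType naming the concrete ExternalUser subclass.

```php
<?php
// Added example (not code from the thread or from MediaWiki): an AuthPlugin
// that bridges User::checkPassword() to the configured ExternalUser class.
// Assumptions: AuthPlugin/ExternalUser as in MediaWiki core of that era;
// $wgExternalAuthType is set to the ExternalUser subclass for your backend.
// Class name ExternalUserBridgeAuth is invented for this example.

class ExternalUserBridgeAuth extends AuthPlugin {

	/**
	 * Look the user up in the external system. ExternalUser::newFromName()
	 * returns false when $wgExternalAuthType is unset or the user is unknown.
	 */
	public function userExists( $username ) {
		return ExternalUser::newFromName( $username ) !== false;
	}

	/**
	 * Reached from User::checkPassword() via $wgAuth->authenticate().
	 * The password check is delegated to the ExternalUser object, so the
	 * backend-specific logic lives in exactly one place.
	 */
	public function authenticate( $username, $password ) {
		$extUser = ExternalUser::newFromName( $username );
		if ( $extUser === false ) {
			return false;
		}
		// Fail closed: only an explicit boolean true from the backend counts.
		return $extUser->authenticate( $password ) === true;
	}

	/**
	 * Security-relevant: with strict() returning true, a login that fails
	 * here is NOT retried against the local user_password column. Without it
	 * a stale (or attacker-set) local password would bypass the external
	 * system entirely.
	 */
	public function strict() {
		return true;
	}

	/** Every account is external, so never fall back to the local DB for anyone. */
	public function strictUserAuth( $username ) {
		return true;
	}

	/** Passwords live in the external system; MediaWiki must not offer to change them. */
	public function allowPasswordChange() {
		return false;
	}

	/** Let MediaWiki create the local shadow account on first successful login. */
	public function autoCreate() {
		return true;
	}
}
```

Wiring it up in LocalSettings.php amounts to `$wgExternalAuthType = 'ExternalUser_YourBackend';` (the ExternalUser subclass, name assumed) followed by `$wgAuth = new ExternalUserBridgeAuth();`. This does not remove the duplicated check the mail complains about (LoginForm still calls ExternalUser::authenticate() and then User::checkPassword()), but both calls now hit the same backend, and strict()/strictUserAuth() ensure the second call cannot be satisfied by a local password the external system never issued.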
