If there are multiple identification sources, what about unicity of
usernames? i.e. who is User1 if it exists different people User1@OpenID
and User1@RADIUS? the first who registers on the wiki? or is it assumed
all User1 are the same people?
And if there is a rewrite of the auth, I want just point out that aside
authentications like OpenID, OAuth, local DB, there are also some
profesionnal authentication backend like Shibboleth, RADIUS, CAS, Kerberos
that should be taken into account for enterprise wikis (it should be
generic enough for these types of authentication).
Sébastien
Le Fri, 12 Oct 2012 04:35:07 +0200, Tyler Romeo <[email protected]> a
écrit:
I don't think it's possible, or even preferable, to do a rework.
AuthPlugin
is fundamentally flawed in its design and ExternalAuth is lacking in a
number of major features. What we need is a full-fledged authnz system.
Attached is a basic outline I've been developing recently.
The idea is a very rough draft, but it would allow:
- Multiple authentication sources working in tandem
- A separation of policy and implementation
- A separation of authentication and authorization
- A separation of MediaWiki logic and framework logic
- An arbitrary list of "user properties", so that frameworks can store
more than just email and real name if necessary
- An arbitrary "authentication data" array, so frameworks are not
required to stick to username/password.
- Permission-based blocking and role-based permissions
This could be used in combination with the FormSpecialPage-based
Special:Userlogin and Special:ChangePassword that are currently in Gerrit
to allow more comprehensive authnz frameworks.
*--*
*Tyler Romeo*
Stevens Institute of Technology, Class of 2015
Major in Computer Science
www.whizkidztech.com | [email protected]
On Thu, Oct 11, 2012 at 7:48 PM, Ryan Lane <[email protected]> wrote:
On Thu, Oct 11, 2012 at 4:33 PM, Daniel Friesen
<[email protected]> wrote:
> I was thinking about this recently too. Though I started thinking from
the
> login form perspective.
>
> Things we should have:
> - Good build-in support for both single-authentication (everyone is in
the
> user database, or everyone in ldap, etc...) and multi-authentication
(some
> users are local, some are OAuth, others may be LDAP) and also the
> possibility of multiple auth types for one user.
> - A real abstract login form that lets extensions and auth systems
simply
> add fields to the login/creation form without having to re-implement
it
and
> not work with other similar extensions.
> -- Perhaps also some meta information from auth plugins that let us
say
on
> the login form that a wiki is using LDAP or something.
> - Explicit support for auth systems using something other than the
username.
> - Real support for auth systems involving a 3rd party. ie: Involving
> redirects such as OAuth, OpenID, and simple 3rd party login where the
login
> link directs you to the login page of some forum, you get sent back,
and
> somehow the extension knows what the session is.
> - Login form support for multiple authentication systems on the same
wiki,
> incl. support for OAuth and OpenID like logins.
>
> That last one was the tricky one to figure out.
>
Whatever is done, can it please be done as a refactor, rather than a
rewrite?
- Ryan
_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
