Hi,
Would it be possible to arrange registration/login with LinkedIn? Some websites offer that possibility. Does anyone have experience with that?
Ad
On Aug 17, 2014 10:42 AM, "Ad Strack van Schijndel" <ad.strackvanschijndel@gmail.com> wrote:
> Would it be possible to arrange registration/login with LinkedIn? Some
> websites offer that possibility.
> Does anyone have experience with that?
https://developer.linkedin.com/documents/authentication says they support 2.0 and 1.0a.
https://mediawiki.org/wiki/Extension:OAuth says we support 1.0a. But I think we don't support your use case? i.e. we support registering client libs to use the API but not delegating login authentication to a 3rd party.
Not sure if there are plans for that. But you're certainly welcome to write it yourself. :)
https://mediawiki.org/wiki/Auth_systems/OAuth/Design
CC Chris who surely knows more about the status than I do.
-Jeremy, who personally would avoid using a site if that was their only auth option (but maybe you don't want to be exclusive, can't tell)
I don't know of an extension that does OAuth logins as a client, that would be compatible with Linkedin. I think there is an extension for Google login, which should be based on OAuth2/OIDC, which would probably work.
Extension:OAuth is for running an OAuth 1.0a server, which would allow other sites to use your wiki as the login provider. I've got an extension to do the client side, using mediawiki's identification extension, which I've been working on purely as a volunteer. I'll get that in an official repo sometime soon, since adapting it to Linkedin would be fairly easy (if you're ok solely relying on ssl for certain security aspects).
We don't have the expertise to develop an extension for this, but would be happy to sponsor development and/or help in testing.
Next to registration/login it would be nice if LinkedIn profile information could be transferred to the wiki.
What security aspects are you referring to?
Thanks! Ad
_______________________________________________ MediaWiki-l mailing list To unsubscribe, go to: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
On Mon, Aug 18, 2014 at 6:29 AM, Ad Strack van Schijndel <ad.strackvanschijndel@gmail.com> wrote:
> What security aspects are you referring to?
OAuth itself is only meant for authorization, so if you make a call to find out information about the current user (it looks like linkedin encourages using https://api.linkedin.com/v1/people/~), that result is probably not signed by the server-- you just rely on ssl to ensure that you're talking to the right server and that no one has modified the api response since the server sent it. If you use OpenID Connect (or in mediawiki, we added a /identify feature), you get a signed assertion of the user's identity, which is more difficult for an attacker to forge, even for attackers who can mitm ssl.
If you know you've implemented the ssl certificate and hostname validation correctly in your client code, TLS is sufficient, as long as you're not concerned with government-scale attackers.