I'm new on this list but found that the last thread about ExternalAuth [1] dated back from 2010 [2] but I thought it was acceptable to bring up the subject again :)
ExternalAuth should be dropped from core. It isn't maintained, it only supports a single type of authentication that's for something like phpbb, and it requires all of the authentication mechanisms to be in core.
AuthPlugin sucks too, but it's maintained, has lots of extensions, and the extensions can be outside of the core repo.
I'd love for someone to fix our authentication code. AuthPlugin itself isn't terrible, but it needs some refactoring. getCanonicalName, for instance, needs to burn in the fiery depths of hell it came from. Also, core developers tend to ignore that AuthPlugin exists, occasionally. For instance, when the preferences system was rewritten it just dropped all calls to AuthPlugin; that's never been fixed since then.
Bottom line: we need to give a crap about auth plugins in general. It falls by the way side since we don't seem to care much about third party users, though.
- Ryan