Hi,
I'm new to this list, but I found that the last thread about ExternalAuth [1] dates back to 2010 [2], so I thought it was acceptable to bring up the subject again :)
Stated simply: many AuthPlugin modules stick to using "External Sessions" for SSO purposes and only implement the "UserLoadFromSession" hook. They don't bother implementing a "true" authentication plugin. In such a case [3] this is often incompatible with the use of the MW XML API.
ExternalAuth provides a clean API for this which even appears to be used by the MW code-base itself: in SpecialUserlogin.php:
    function authenticateUserData() {
        [...]
        $this->mExtUser = ExternalUser::newFromName( $this->mUsername );
        [...]
        $this->mExtUser->authenticate( $this->mPassword );
The issue here is that a regular AuthPlugin (a class implementing AuthPlugin) is still needed, at the very least because soon afterwards there is an unconditional call to:
    $u->checkPassword()
[ and User::checkPassword() only uses $wgAuth ]
Questions:
1) If ExternalAuth->authenticate() succeeded, why do we need User::checkPassword()? It seems like this is an unneeded duplicate check?
2) User::checkPassword() makes no consideration for ExternalAuth: it always uses $wgAuth and only $wgAuth.
=> 2.1) Does it mean that an AuthPlugin *must* be associated with each ExternalAuth extension?
=> 2.2) Or does it mean that User::checkPassword() should be fixed to call authenticate() from the proper class (either AuthPlugin or ExternalAuth)?
If the answer to 2.1 is "yes", then another question arises:
2.1.1) How to access and make use of the ExternalAuth object ($mExtUser in LoginForm) from $wgAuth->authenticate() so that it's not necessary to duplicate code between both classes?
I attached a pseudo-patch to work around what is problematic to me.
Thank you in advance for your answers.
Footnotes:
[1] http://www.mediawiki.org/wiki/ExternalAuth
[2] http://article.gmane.org/gmane.science.linguistics.wikipedia.technical/48044
    http://article.gmane.org/gmane.science.linguistics.wikipedia.technical/47710
[3] I personally keep in mind the case of AuthDrupal:
    http://www.mediawiki.org/wiki/AuthDrupal
    https://drupal.org/project/mediawikiauth
    https://gitorious.org/drzraf/drupal-mediawiki/commits/custom
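One way to answer 2.1.1 in practice, as an added illustration that is neither the poster's attached pseudo-patch nor MediaWiki's own code: a thin AuthPlugin whose password check is delegated to ExternalUser, so that the $u->checkPassword() call after $this->mExtUser->authenticate() re-runs the same external check rather than a second, divergent one. Class and method names (AuthPlugin, ExternalUser::newFromName(), authenticate(), strict(), userExists(), allowPasswordChange()) are the MediaWiki APIs referred to in the post; that newFromName() returns false for an unknown name is an assumption of this example.

```php
<?php
// Illustrative bridge plugin (not the post's patch): one source of truth for
// password verification, the external store, reached through ExternalUser.

class ExternalUserBridgePlugin extends AuthPlugin {

    // Reached from User::checkPassword() via $wgAuth. Returns true only when
    // the external backend accepts the credentials.
    public function authenticate( $username, $password ) {
        $extUser = ExternalUser::newFromName( $username );
        if ( !$extUser ) {
            // Assumption: newFromName() yields false for an unknown user.
            // Unknown to the external store means "denied", not "no opinion".
            return false;
        }
        return (bool)$extUser->authenticate( $password );
    }

    public function userExists( $username ) {
        return ExternalUser::newFromName( $username ) !== false;
    }

    // Do not let MediaWiki fall back to the local user table's password hash
    // when the external check fails: the external store is authoritative.
    public function strict() {
        return true;
    }

    // The external system owns the password; MediaWiki must not change it.
    public function allowPasswordChange() {
        return false;
    }
}

// In LocalSettings.php, after the ExternalAuth extension is configured.
$wgAuth = new ExternalUserBridgePlugin();
```

With this in place the duplicate check in question 1 still happens, but both calls verify against the same backend, so the answer to 2.1 becomes a one-class shim rather than copied logic.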