On Fri, Jul 27, 2012 at 3:05 PM, Daniel Friesen lists@nadir-seen-fire.com wrote:
On Fri, 27 Jul 2012 10:59:30 -0700, Chris Steipp csteipp@wikimedia.org wrote:
I think I understand what you're saying about that, and that's one way it could be done. I had also given some thought to extending the user, so that an OAuth user would have limited permissions, and a SAML user may not even exist in the data store.... etc. But it would be good to hear from other developers if they have thoughts on it?
Separate user rows for OAuth?
OAuth 2.0 has a "scope" field to let the client request an auth token with the scope of the permissions it is requesting, which is a space delimited list of scope strings, to which the server can respond with an auth token that includes that scope list, a different scope list, or an error.[1]
I think creation of an OAuth token should result in the creation of a MediaWiki session, and that scope should be added to the session data. In our initial implementation, I think each of the scope strings should correspond to MediaWiki permissions (i.e. mCoreRights in User.php). However, we should think ahead to the day when we might want to have something more fine grained than that.
Rob
[1] http://tools.ietf.org/html/draft-ietf-oauth-v2-30#section-3.3
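As an added illustration of the scope handling Rob describes (this is example code written for this page, not code from the thread or from MediaWiki), the sketch below parses a space-delimited scope string under the grammar in section 3.3 of the draft, lets the server narrow the granted scope to what the user actually holds, and stores the result in a session record that permission checks consult. The scope strings and their mapping to rights, and the function names, are assumptions made for the example; "read", "edit", "upload" and "delete" are real mCoreRights names.

```python
import re

# Assumed mapping from OAuth scope string to MediaWiki right. The scope
# strings are this example's invention; the right names exist in mCoreRights.
SCOPE_TO_RIGHT = {
    "read": "read",
    "edit": "edit",
    "upload": "upload",
    "delete": "delete",
}

# scope-token per draft-ietf-oauth-v2-30 section 3.3:
#   1*( %x21 / %x23-5B / %x5D-7E )
# i.e. printable ASCII except space, double-quote and backslash.
_SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5b\x5d-\x7e]+")


class InvalidScope(ValueError):
    """Malformed scope parameter; surfaces to the client as error=invalid_scope."""


def parse_scope(scope):
    """Split a scope string into unique tokens, preserving request order.

    The grammar allows exactly one space between tokens, so an empty token
    (leading, trailing or doubled space) is rejected rather than skipped.
    """
    tokens = []
    for tok in scope.split(" "):
        if tok == "":
            raise InvalidScope("empty scope token")
        if not _SCOPE_TOKEN.fullmatch(tok):
            raise InvalidScope("illegal character in scope token %r" % tok)
        if tok not in tokens:
            tokens.append(tok)
    return tokens


def negotiate_scope(requested, user_rights):
    """Server-side scope decision for a token request.

    Section 3.3 lets the server ignore part of the requested scope; here a
    scope the server does not know, or whose right the user lacks, is dropped
    rather than refused (a user cannot delegate a right they do not hold).
    Returns {"scope": [...], "rights": [...], "scope_changed": bool} or
    {"error": "invalid_scope"} when nothing usable remains or the input is
    malformed. When scope_changed is true the token response must carry the
    granted "scope" parameter back to the client.
    """
    try:
        tokens = parse_scope(requested)
    except InvalidScope:
        return {"error": "invalid_scope"}
    granted = []
    for tok in tokens:
        right = SCOPE_TO_RIGHT.get(tok)
        if right is None or right not in user_rights:
            continue
        granted.append(tok)
    if not granted:
        return {"error": "invalid_scope"}
    return {
        "scope": granted,
        "rights": [SCOPE_TO_RIGHT[t] for t in granted],
        "scope_changed": granted != tokens,
    }


def create_session(user_name, negotiated):
    """Build the session record an OAuth token would create.

    The granted scope and the rights it maps to live in the session, so a
    later permission check looks at the session, not the user's full rights.
    """
    if "error" in negotiated:
        raise InvalidScope(negotiated["error"])
    return {
        "user": user_name,
        "scope": list(negotiated["scope"]),
        "rights": set(negotiated["rights"]),
    }


def is_allowed(session, right):
    """Permission check against the session's delegated rights only."""
    return right in session["rights"]


if __name__ == "__main__":
    # Constructed sample: the user holds read/edit/upload but asks for delete too.
    result = negotiate_scope("read edit delete", {"read", "edit", "upload"})
    session = create_session("ExampleUser", result)
    print(result, is_allowed(session, "edit"), is_allowed(session, "upload"))
```

Whether an unknown or unheld scope is dropped or rejected is a policy choice the draft leaves to the server; the example drops it, which is why `scope_changed` exists to force the narrowed scope to be reported back.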