On Mon, Sep 21, 2015 at 1:22 PM, Ryan Lane rlane32@gmail.com wrote:
I know someone is working on an auth framework update, so I'm sure there'll be some changes necessary for that too.
We're planning on making the changes necessary for AuthManager in WMF-deployed extensions (including LdapAuthentication and CentralAuth) as part of the AuthManager project, but not any other bugs or requests.
We'll also look at non-WMF-deployed extensions, but we may not actually make the changes in those cases.
More details on what exactly needs changing in extensions will be announced to this mailing list when we're finished determining exactly what those changes will be. But as a preview, some of the changes coming are:
- AuthPlugin is going away in favor of multiple co-existing authentication providers.
- Real support for authentication methods other than "username and password", instead of hacking around the login form.
- Support for pluggable pre-authentication steps (e.g. throttles, captcha) without hooking into the login form.
- Support for pluggable post-authentication steps (e.g. forcing a password change, second-factor auth) without a mess of hooks like AbortLogin and AbortNewAccount.
- Support for other methods of tying the request to an authenticated session, no more UserLoadFromSession hook.
See also the original RFC <https://www.mediawiki.org/wiki/Requests_for_comment/AuthManager>, and T89459 <https://phabricator.wikimedia.org/T89459> and its many subtasks, and Gerrit change 195297 <https://gerrit.wikimedia.org/r/#/c/195297/> for the work-in-progress.