On Fri, Oct 12, 2012 at 2:14 AM, Seb35 seb35wikipedia@gmail.com wrote:
> If there are multiple identification sources, what about the uniqueness of usernames? I.e., who is User1 if there are different people User1@OpenID and User1@RADIUS? The first who registers on the wiki? Or is it assumed all User1 are the same person?
Some kind of pipelining system, or PAM-like system, would allow users to specify which service is used for identity, authentication, and authorization. That said, systems like this are pretty complicated to configure for end-users. Most auth extensions are already difficult to configure. Very few people need this level of flexibility.
I think this could be accomplished by hooks easily enough. I have 3 authentication plugins working in unison on labsconsole.wikimedia.org (LdapAuthentication, OATHAuth, and OpenStackManager) plus ConfirmEdit (which requires a captcha for account creation). I'm using hooks to handle all of this. I could add on Kerberos, OpenID or some other form of auto-authentication if I liked without much issue.
The current AuthPlugin system works for the most part. It just needs to be cleaned up and refactored. Its major issue is that core's authn/z system is really, really shitty and isn't properly maintained.
If there's a rewrite it will very likely die like ExternalAuth. I have no plans on rewriting any of my authentication extensions from scratch, and I've written (or fixed) the majority of the auth extensions actually used.
> And if there is a rewrite of the auth, I just want to point out that aside from authentication methods like OpenID, OAuth, local DB, there are also some professional authentication backends like Shibboleth, RADIUS, CAS, Kerberos that should be taken into account for enterprise wikis (it should be generic enough for these types of authentication).
The current system can handle all of these already.
- Ryan
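
The User1@OpenID versus User1@RADIUS collision raised in the quoted question, as an added example that is not from either participant and is not MediaWiki code: local accounts are keyed on the (source, external id) pair, and a second source presenting an existing name is refused until the account owner links it explicitly. The class, its method names and the refuse-then-link policy are assumptions made for illustration.

```python
# Added illustration: names and policy are hypothetical, not MediaWiki code.
from dataclasses import dataclass, field


class UsernameConflict(Exception):
    """Local name is already owned by an identity from another source."""


@dataclass
class AccountRegistry:
    links: dict = field(default_factory=dict)   # (source, external_id) -> local name
    owners: dict = field(default_factory=dict)  # local name -> creating identity

    def resolve(self, source, external_id):
        """Map an already authenticated external identity to a local account.

        First login creates a local account named after the external id.
        The same name arriving from another source is never merged silently.
        """
        key = (source, external_id)
        if key in self.links:
            return self.links[key]
        if external_id in self.owners:
            owner_source = self.owners[external_id][0]
            raise UsernameConflict(
                f"{external_id!r} belongs to {owner_source}, not {source}")
        self.links[key] = external_id
        self.owners[external_id] = key
        return external_id

    def link(self, local_name, proven_key, new_source, new_external_id):
        """Attach another identity after the owner proved control of the
        account through an identity that is already linked (proven_key)."""
        if self.links.get(proven_key) != local_name:
            raise PermissionError("caller has not proven ownership")
        if (new_source, new_external_id) in self.links:
            raise UsernameConflict("identity is already linked to an account")
        self.links[(new_source, new_external_id)] = local_name


def demo():
    """Constructed scenario: User1 arrives via OpenID, then via RADIUS."""
    reg = AccountRegistry()
    first = reg.resolve("OpenID", "User1")       # creates local User1
    try:
        reg.resolve("RADIUS", "User1")           # may be another person: refuse
        collided = False
    except UsernameConflict:
        collided = True
    reg.link("User1", ("OpenID", "User1"), "RADIUS", "User1")  # explicit merge
    return first, collided, reg.resolve("RADIUS", "User1")
```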