The problem is that both AuthPlugin and ExternalAuth are pretty hacked-together authentication systems, and both should be tossed in the garbage and replaced with a legitimately designed authnz system.
*--* *Tyler Romeo* Stevens Institute of Technology, Class of 2015 Major in Computer Science www.whizkidztech.com | tylerromeo@gmail.com
On Thu, Oct 11, 2012 at 9:48 AM, Raphaël Droz raphael.droz@gmail.com wrote:
Hi,
I'm new on this list, but I found that the last thread about ExternalAuth [1] dated back to 2010 [2], and I thought it was acceptable to bring up the subject again :)
Stated simply: many AuthPlugin modules stick to using "External Sessions" for SSO purposes and only implement the "UserLoadFromSession" hook. They don't bother implementing a "true" authentication plugin. In such a case [3] this is often incompatible with the use of the MW XML API.
ExternalAuth provides a clean API for this which even appears to be used by the MW code-base itself: in SpecialUserlogin.php:
    function authenticateUserData() {
        [...]
        $this->mExtUser = ExternalUser::newFromName($this->mUsername);
        [...]
        $this->mExtUser->authenticate($this->mPassword);
The issue here is that a regular AuthPlugin (a class implementing AuthPlugin) is still needed, at the very least because soon after there is an unconditional call to:
    $u->checkPassword()
[ and User::checkPassword() only uses $wgAuth ]
questions:
- if ExternalAuth->authenticate() succeeded, why do we need User::checkPassword()? It seems like this is an unneeded duplicated check?
- User::checkPassword() makes no consideration for ExternalAuth: it always uses $wgAuth and only $wgAuth.
  => 2.1) does it mean that an AuthPlugin *must* be associated with each ExternalAuth extension?
  => 2.2) or does it mean that User::checkPassword() should be fixed to call authenticate() from the proper class (either AuthPlugin or ExternalAuth)?
If the answer to 2.1 is "yes", then another question arises:
  2.1.1) how to access and make use of the ExternalAuth object ($mExtUser in LoginForm) from $wgAuth->authenticate() so that it's not necessary to duplicate code between both classes?
I attached a pseudo-patch to work around what is problematic for me.
Thank you in advance for your answers.
footnotes:
[1] http://www.mediawiki.org/wiki/ExternalAuth
[2] http://article.gmane.org/gmane.science.linguistics.wikipedia.technical/48044
    http://article.gmane.org/gmane.science.linguistics.wikipedia.technical/47710
[3] I personally keep in mind the case of AuthDrupal:
    http://www.mediawiki.org/wiki/AuthDrupal
    https://drupal.org/project/mediawikiauth
    https://gitorious.org/drzraf/drupal-mediawiki/commits/custom
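One way the single dispatch point proposed in question 2.2 could look, as an added illustration that is neither MediaWiki's code nor the poster's pseudo-patch. The two stub classes, their seed() helpers, the sample credentials and the checkPasswordFor() function are assumptions made for this example; only ExternalUser::newFromName(), authenticate() and $wgAuth come from the thread. The point it shows is that the password is verified by exactly one backend (the ExternalAuth object when one exists for the name, otherwise $wgAuth), so there is no second, unrelated check that can disagree with the first, and any path that finds no backend fails closed.

```php
<?php
declare(strict_types=1);

// Added example, not MediaWiki code. The classes below are constructed stand-ins
// for the two backends discussed in the thread; they keep only password hashes.

/** Stand-in for an ExternalAuth user; authenticate() takes only the password, as in LoginForm. */
final class ExternalUserStub
{
    /** Constructed sample store: username => password hash. */
    private static array $store = [];

    private function __construct(private string $username) {}

    /** Register a constructed sample account (assumed helper, not part of ExternalAuth). */
    public static function seed(string $username, string $password): void
    {
        self::$store[$username] = password_hash($password, PASSWORD_DEFAULT);
    }

    /** Mirrors ExternalUser::newFromName(): null when the external system knows no such user. */
    public static function newFromName(string $username): ?self
    {
        return isset(self::$store[$username]) ? new self($username) : null;
    }

    public function authenticate(string $password): bool
    {
        return password_verify($password, self::$store[$this->username]);
    }
}

/** Stand-in for an AuthPlugin ($wgAuth); authenticate() takes username and password. */
final class LocalAuthPluginStub
{
    private array $store = [];

    /** Register a constructed sample account (assumed helper, not part of AuthPlugin). */
    public function seed(string $username, string $password): void
    {
        $this->store[$username] = password_hash($password, PASSWORD_DEFAULT);
    }

    public function authenticate(string $username, string $password): bool
    {
        $hash = $this->store[$username] ?? null;
        // Unknown user: fail closed rather than fall through to another backend.
        return $hash !== null && password_verify($password, $hash);
    }
}

/**
 * Hypothetical replacement for the LoginForm -> User::checkPassword() sequence:
 * pick the backend once, verify once, and return false on every path that does
 * not positively succeed.
 */
function checkPasswordFor(string $username, string $password, LocalAuthPluginStub $wgAuth): bool
{
    $extUser = ExternalUserStub::newFromName($username);
    if ($extUser !== null) {
        // ExternalAuth owns this account: its verdict is final, $wgAuth is not consulted.
        return $extUser->authenticate($password);
    }
    // No external account: the local AuthPlugin is the only remaining authority.
    return $wgAuth->authenticate($username, $password);
}

// Constructed demonstration accounts.
ExternalUserStub::seed('alice', 'correct horse');
$wgAuth = new LocalAuthPluginStub();
$wgAuth->seed('bob', 'battery staple');

foreach ([['alice', 'correct horse'], ['alice', 'battery staple'],
          ['bob', 'battery staple'], ['carol', 'anything']] as [$user, $pass]) {
    printf("%-6s %s\n", $user, checkPasswordFor($user, $pass, $wgAuth) ? 'accepted' : 'rejected');
}
```

Run it with `php` from the command line; the loop exercises the external path, an external rejection that is not retried against $wgAuth, the local path, and a name known to neither backend.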
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l