On Fri, Feb 27, 2015 at 12:38 PM, Tyler Romeo <tylerromeo@gmail.com> wrote:
> The primary vision I had with this RFC was to separate the idea of a MediaWiki user and an external authentication provider.
> In other words, an individual is logging in as a local user, and that user may be associated with one or more external "users". Each external user is linked via a provider that can authenticate the external user's credentials and give the users' groups from the authorization provider.
> The reason behind this separation is to allow a bit more abstraction between the local authentication layer and the actual verification of credentials.
Hopefully we haven't lost that distinction in our revisions. We have dropped the notion of an ExternalUser class, but only as a distinct and required component. Now each AuthenticationProvider would be responsible for managing the association of a set of credentials (e.g. username and password) to a local username. The means by which this state is managed is left unspecified by the RfC, which to us seems reasonable as it is really an implementation detail of the AuthenticationProvider. All MediaWiki cares about is that an AuthenticationRequest can be converted into an AuthenticationResponse that affirms the provided credentials are valid and indicates the local User who should be considered the authenticated owner of the current request.
Bryan
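
The contract described in this message, as an added PHP sketch that is not code from the RfC or from MediaWiki: a provider keeps its own credential-to-local-user link and the core consumes only the response. The class names come from the message; the `authenticate` method, the response fields, `DirectoryProvider`, `loginAs` and the sample account are assumptions (PHP 8.0+).

```php
<?php
declare(strict_types=1);

// Assumed shapes: the message names these classes but gives no signatures.
final class AuthenticationRequest {
    public function __construct(public string $username, public string $password) {}
}

final class AuthenticationResponse {
    private function __construct(public bool $valid, public ?string $localUsername) {}
    public static function pass(string $localUsername): self { return new self(true, $localUsername); }
    public static function fail(): self { return new self(false, null); }
}

interface AuthenticationProvider {
    public function authenticate(AuthenticationRequest $req): AuthenticationResponse;
}

// Hypothetical provider. How it stores the link between external credentials
// and a local username is its own business; an array stands in for that here.
final class DirectoryProvider implements AuthenticationProvider {
    /** @param array<string, array{hash: string, local: string}> $accounts */
    public function __construct(private array $accounts) {}

    public function authenticate(AuthenticationRequest $req): AuthenticationResponse {
        $account = $this->accounts[$req->username] ?? null;
        // No stored link means no local user: never fall back to matching by name.
        if ($account === null || !password_verify($req->password, $account['hash'])) {
            return AuthenticationResponse::fail();
        }
        return AuthenticationResponse::pass($account['local']);
    }
}

// Core side: it sees only the response, never the provider's storage.
function loginAs(AuthenticationProvider $provider, AuthenticationRequest $req): ?string {
    $res = $provider->authenticate($req);
    return ($res->valid && $res->localUsername !== null) ? $res->localUsername : null;
}

// Constructed sample data: the external identifier differs from the local username.
$provider = new DirectoryProvider([
    'jdoe@corp.example' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'local' => 'JaneDoe'],
]);
var_dump(loginAs($provider, new AuthenticationRequest('jdoe@corp.example', 'correct horse')));
var_dump(loginAs($provider, new AuthenticationRequest('jdoe@corp.example', 'wrong password')));
var_dump(loginAs($provider, new AuthenticationRequest('JaneDoe', 'correct horse')));
```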