Hello,
Sometimes the problem comes up that an external tool needs to verify
whether a user is the same user as on a wiki. For example one may want
an opt-in system for an editcounter [1]. Or you are organizing a
competition in which every Wikimedian can vote [2]. Currently such
authentication is done with various hacks, such as posting some code
in an edit summary, abusing the mail features of MediaWiki or having
the user post a certain token to a wiki page. This is not ideal and
moreover quite complicated for non-tech-savvy people.
I would therefore like to have some way to verify a user's identity
without asking for his password or posting some weird stuff to some page.
What I think would be a solution:
# The user visits
http://externaltool.com/authenticate and submits his
username (and wiki).
# The tool will add the user to its database, generate some random
token and redirect the user to
http://wiki.org/wiki/Special:VerifyUser?token=secret
# MediaWiki will then check whether the user is logged in and if not
ask to log in.
# MediaWiki will do some magic and generate a new_token from token and
redirect the user back to the tool, adding the new_token to its URL
# The tool will then query the wiki with its token and the new_token
and ask whether the two tokens form a valid pair
The downside of this would be that there are many redirects involved
and also quite a lot of traffic. Would such a thing have any chance of
being enabled on Wikimedia wikis if developed?
Cheers,
Bryan
* [1]
http://tools.wikimedia.de/~interiot/cgi-bin/editcount_optin.cgi?user=Common…
* [2]
http://commons.wikimedia.org/wiki/Commons:Picture_of_the_Year/2007/Voting
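
One way the five steps in the message above could fit together, as an added sketch that is not part of the original message and not MediaWiki code. It assumes the "magic" in step 4 is an HMAC over the logged-in username and the token under a wiki-only key; the `Wiki` and `Tool` classes and their method names are hypothetical.

```python
import hashlib
import hmac
import secrets


class Wiki:
    """Stand-in for the wiki; verify_user plays the role of Special:VerifyUser."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # assumed wiki-only secret

    def _mac(self, username, token):
        # Length prefix keeps (username, token) unambiguous inside the MAC input.
        msg = f"{len(username)}:{username}|{token}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def verify_user(self, session_user, token):
        # Steps 3-4: session_user is whoever is logged in on the wiki,
        # never a name taken from the URL.
        return self._mac(session_user, token)

    def check_pair(self, username, token, new_token):
        # Step 5: back-channel query from the tool, constant-time compare.
        return hmac.compare_digest(self._mac(username, token), new_token)


class Tool:
    """Stand-in for the external tool."""

    def __init__(self, wiki):
        self.wiki = wiki
        self.pending = {}  # token -> username claimed in step 1

    def start(self, claimed_username):
        # Steps 1-2: remember the claim, hand out an unguessable token.
        token = secrets.token_urlsafe(32)
        self.pending[token] = claimed_username
        return token

    def finish(self, token, new_token):
        # Step 5: each token is single-use; unknown or replayed tokens fail.
        claimed = self.pending.pop(token, None)
        if claimed is None:
            return None
        ok = self.wiki.check_pair(claimed, token, new_token)
        return claimed if ok else None
```

Because the wiki binds new_token to the session's username rather than to the name submitted in step 1, a user who claims someone else's name at the tool gets a pair that fails the step 5 check.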