On Wed, Aug 15, 2012 at 12:00 PM, Thomas Gries mail@tgries.de wrote:
Am 15.08.2012 20:58, schrieb Mark Holmquist:
Saves much time and efforts You don't use it, otherwise you wouldn't have asked that question.
Clearly--but could you elaborate more as to why it's helpful? (Thomas is currently in #ethereditor having this conversation)
OpenID was discussed in other threads; a discussion of pros and cons would be off-topic here.
I think it would be useful to have the openid extension enabled in labs prototypes if wikimedia ran as a provider and the openid extension was forced to use the wikimedia provider for login. Just adding in the OpenID extension without thought really just makes things more confusing and less usable.
- Ryan
Am 15.08.2012 21:13, schrieb Ryan Lane:
On Wed, Aug 15, 2012 at 12:00 PM, Thomas Gries mail@tgries.de wrote:
Am 15.08.2012 20:58, schrieb Mark Holmquist:
Saves much time and efforts You don't use it, otherwise you wouldn't have asked that question.
Clearly--but could you elaborate more as to why it's helpful? (Thomas is currently in #ethereditor having this conversation)
OpenID was discussed in other threads; a discussion of pros and cons would be off-topic here.
I think it would be useful to have the openid extension enabled in labs prototypes if wikimedia ran as a provider and the openid extension was forced to use the wikimedia provider for login. Just adding in the OpenID extension without thought really just makes things more confusing and less usable.
- Ryan
Ryan: this must be tested. I think, it NOT possible on the same server (Provider - Consumer)
On Wed, Aug 15, 2012 at 3:16 PM, Thomas Gries mail@tgries.de wrote:
Ryan: this must be tested. I think, it NOT possible on the same server (Provider - Consumer)
What is not possible exactly?
-Jeremy
Am 15.08.2012 21:18, schrieb Jeremy Baron:
On Wed, Aug 15, 2012 at 3:16 PM, Thomas Gries mail@tgries.de wrote:
Ryan: this must be tested. I think, it NOT possible on the same server (Provider - Consumer)
What is not possible exactly?
-Jeremy
"You cannot log in through OpenID on the same server."
On Wed, Aug 15, 2012 at 12:16 PM, Thomas Gries mail@tgries.de wrote:
Am 15.08.2012 21:13, schrieb Ryan Lane:
I think it would be useful to have the openid extension enabled in labs prototypes if wikimedia ran as a provider and the openid extension was forced to use the wikimedia provider for login. Just adding in the OpenID extension without thought really just makes things more confusing and less usable.
I think it would be a huge help to have openid installed and available on labs mw instances by default.
- Ryan
Ryan: this must be tested. I think, it NOT possible on the same server (Provider - Consumer)
There is no problem with having the provider and consumer on the same server (I run it like that in my local dev environment). You may hit a problem if you're using one dns name / ip, and subfolders for each wiki instance.
(Provider === Consumer)
There is no problem with having the provider and consumer on the same server (I run it like that in my local dev environment). You may hit a problem if you're using one dns name / ip, and subfolders for each wiki instance.
okay, thanks. I was expecting this but wasn't sure. Good point !!
Ryan: this must be tested. I think, it NOT possible on the same server (Provider - Consumer)
I didn't say anything about the provider and consumer being on the same server. The wmflabs prototypes would be consumers that would be forced to use production Wikimedia as providers.
- Ryan
Am 15.08.2012 21:27, schrieb Ryan Lane:
Ryan: this must be tested. I think, it NOT possible on the same server (Provider - Consumer)
I didn't say anything about the provider and consumer being on the same server. The wmflabs prototypes would be consumers that would be forced to use production Wikimedia as providers.
- Ryan
great, Then simply install it, please
great, Then simply install it, please
I *didn't* say we should use the openid extension to make the provider. In fact, I don't think we should.
Also, it's not like it's a simple change. We need to consider how we'll deal with identity. Some people don't have global accounts. Do we do identity on a per-wiki basis, or a global basis? If we do it on a global basis, where does the identity url live?
- Ryan
These are totally *different* things. The Extension can offer both (!)
https://bugzilla.wikimedia.org/show_bug.cgi?id=13631 Wikimedia should become an OpenID provider
https://bugzilla.wikimedia.org/show_bug.cgi?id=9604 Support OpenID extension on all wikimedia projects
On Wed, Aug 15, 2012 at 12:39 PM, Thomas Gries mail@tgries.de wrote:
These are totally *different* things. The Extension can offer both (!)
https://bugzilla.wikimedia.org/show_bug.cgi?id=13631 Wikimedia should become an OpenID provider
I'd love Wikimedia to be a provider, but I'd prefer we don't use the OpenID extension for this. We have other authn/authz needs. We can't do authentication and authorization piecemeal without going insane.
https://bugzilla.wikimedia.org/show_bug.cgi?id=9604 Support OpenID extension on all wikimedia projects
OpenID as a consumer on the sites is a really difficult problem. I'm not even going to go into it in this thread.
- Ryan
OpenID as a consumer on the sites is a really difficult problem. I'm not even going to go into it in this thread.
it is not. OpenID adds only a short table to the database, where the OpenID is connected with the (local wiki) userid. Where exactly is the blocking problem for you ?
it is not. OpenID adds only a short table to the database, where the OpenID is connected with the (local wiki) userid. Where exactly is the blocking problem for you ?
It's not a technical problem, per se. It's mainly a usability issue. When you allow login as a consumer, you now have two login links. One link is for logging in with your password credentials and another is with OpenID. This is confusing for people who don't know what OpenID is.
Assuming everyone has some knowledge of OpenID (which is a stupid assumption, but let's play along), what do you display on the OpenID login page? Do we have logos that people can click to login to a provider? If so, which logos do we show? Why are we showing *those* providers and not others? How do you login with OpenID for providers not shown? A text box where they can enter the URL? Many OpenID URLs are long, ugly, and totally un-memberable, which means people will need to search for their provider URL when they want to login.
Let's assume people are logging in with OpenID. Now there's a possibility of users getting locked out of their accounts because their provider went away. Yes, we can allow users to have passwords on the site too, but then we have two methods of authentication, which increases the risk of accounts getting owned. Additionally, now we have to worry about a provider getting owned and all accounts associated with that provider being owned as a result.
OpenID as a consumer on the sites without fixing the usability issues is simply not going to happen. The security issues are a worry too, but less so than the usability issues.
- Ryan
Am 15.08.2012 23:11, schrieb Ryan Lane:
it is not. OpenID adds only a short table to the database, where the OpenID is connected with the (local wiki) userid. Where exactly is the blocking problem for you ?
It's not a technical problem, per se. It's mainly a usability issue. When you allow login as a consumer, you now have two login links. One link is for logging in with your password credentials and another is with OpenID. This is confusing for people who don't know what OpenID is.
Assuming everyone has some knowledge of OpenID (which is a stupid assumption, but let's play along), what do you display on the OpenID login page? Do we have logos that people can click to login to a provider? If so, which logos do we show? Why are we showing *those* providers and not others? How do you login with OpenID for providers not shown? A text box where they can enter the URL? Many OpenID URLs are long, ugly, and totally un-memberable, which means people will need to search for their provider URL when they want to login.
it seems, that you have /never /installed the Extension. Because then you would not have asked these questions.
Let's assume people are logging in with OpenID. Now there's a possibility of users getting locked out of their accounts because their provider went away. Yes, we can allow users to have passwords on the site too, but then we have two methods of authentication, which increases the risk of accounts getting owned. Additionally, now we have to worry about a provider getting owned and all accounts associated with that provider being owned as a result.
OpenID as a consumer on the sites without fixing the usability issues is simply not going to happen. The security issues are a worry too, but less so than the usability issues.
- Ryan
Ryan, it seems, that you have never installed the Extension. Because then you would not have asked the questions.
This thread is starting to sound a bit hostile. Can we back up and assume good faith?
On Aug 15, 2012, at 2:56 PM, Thomas Gries mail@tgries.de wrote:
Am 15.08.2012 23:11, schrieb Ryan Lane:
it is not. OpenID adds only a short table to the database, where the OpenID is connected with the (local wiki) userid. Where exactly is the blocking problem for you ?
It's not a technical problem, per se. It's mainly a usability issue. When you allow login as a consumer, you now have two login links. One link is for logging in with your password credentials and another is with OpenID. This is confusing for people who don't know what OpenID is.
Assuming everyone has some knowledge of OpenID (which is a stupid assumption, but let's play along), what do you display on the OpenID login page? Do we have logos that people can click to login to a provider? If so, which logos do we show? Why are we showing *those* providers and not others? How do you login with OpenID for providers not shown? A text box where they can enter the URL? Many OpenID URLs are long, ugly, and totally un-memberable, which means people will need to search for their provider URL when they want to login.
it seems, that you have /never /installed the Extension. Because then you would not have asked these questions.
Let's assume people are logging in with OpenID. Now there's a possibility of users getting locked out of their accounts because their provider went away. Yes, we can allow users to have passwords on the site too, but then we have two methods of authentication, which increases the risk of accounts getting owned. Additionally, now we have to worry about a provider getting owned and all accounts associated with that provider being owned as a result.
OpenID as a consumer on the sites without fixing the usability issues is simply not going to happen. The security issues are a worry too, but less so than the usability issues.
- Ryan
Ryan, it seems, that you have never installed the Extension. Because then you would not have asked the questions.
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
--- Brandon Harris, Senior Designer, Wikimedia Foundation
Support Free Knowledge: http://wikimediafoundation.org/wiki/Donate
Am 16.08.2012 00:02, schrieb Brandon Harris:
This thread is starting to sound a bit hostile. Can we back up and assume good faith?
The (at least some) users simply want a working Single-Sign On. Let (one) Wikimedia act as OpenID Provider, and the WMF wikis as consumers as mentioned in the two bugzillas
https://bugzilla.wikimedia.org/show_bug.cgi?id=13631 Wikimedia should become an OpenID provider
https://bugzilla.wikimedia.org/show_bug.cgi?id=9604 Support OpenID extension on all wikimedia projects
Nothing hostile.
it seems, that you have never installed the Extension. Because then you would not have asked the questions.
I'm working on migrating OpenStack's MoinMoin wiki to MediaWiki. They use OpenID locked to launchpad's provider. I did the same with the OpenID MediaWiki extension there. I've also installed the extension in a number of other places. I'm quite familiar with it.
There's a pretty major difference between installing the extension on simple sites and Wikimedia. I explained all the usability issues that would stop us from using it.
Basically no one has solutions to some of the usability issues I've mentioned, which is why you'll notice very few large site have OpenID enabled as a consumer, and the ones that do don't prominently expose it.
- Ryan
These are totally *different* things. The Extension can offer both (!)
https://bugzilla.wikimedia.org/show_bug.cgi?id=13631 Wikimedia should become an OpenID provider
I'd love Wikimedia to be a provider, but I'd prefer we don't use the OpenID
extension for this. We have other authn/authz needs. We can't do authentication and authorization piecemeal without going insane.
https://bugzilla.wikimedia.org/show_bug.cgi?id=9604 Support OpenID extension on all wikimedia projects
OpenID as a consumer on the sites is a really difficult problem. I'm not
even going to go into it in this thread.
Ideally both of these issues should have their own thread.
Thank you, Derric Atzrott
I was wrong, sorry:
delete this, as it is not correct:
These are totally *different* things. The Extension can offer both (!)
https://bugzilla.wikimedia.org/show_bug.cgi?id=13631 Wikimedia should become an OpenID provider
https://bugzilla.wikimedia.org/show_bug.cgi?id=9604 Support OpenID extension on all wikimedia projects
Am 15.08.2012 21:13, schrieb Ryan Lane:
On Wed, Aug 15, 2012 at 12:00 PM, Thomas Gries mail@tgries.de wrote:
Am 15.08.2012 20:58, schrieb Mark Holmquist:
Saves much time and efforts You don't use it, otherwise you wouldn't have asked that question.
Clearly--but could you elaborate more as to why it's helpful? (Thomas is currently in #ethereditor having this conversation)
OpenID was discussed in other threads; a discussion of pros and cons would be off-topic here.
I think it would be useful to have the openid extension enabled in labs prototypes if wikimedia ran as a provider and the openid extension was forced to use the wikimedia provider for login.
this has been filed back in 2008 as https://bugzilla.wikimedia.org/show_bug.cgi?id=13631 mailto:Bryan.TongMinh@Gmail.com"Too facilitate verification of a Wikimedia user for external tools without the need to give the password to that tool, Wikimedia should become an OpenID provider."
wikitech-l@lists.wikimedia.org