Hi!
Anomie, bd808, CSteipp, and myself have been working on updating Tyler's previous AuthStack RfC: https://www.mediawiki.org/wiki/Requests_for_comment/AuthManager.
Our goal is to build an authentication system that is flexible enough to support the variety of use cases that MW currently supports and those it should support in the future, without requiring tons of hooks or ugly hacks.
Please leave comments and feedback on the talk page :)
Thanks! -- Legoktm
The primary vision I had with this RFC was to separate the idea of a MediaWiki user and an external authentication provider.
In other words, an individual is logging in as a local user, and that user may be associated with one or more external "users". Each external user is linked via a provider that can authenticate the external user's credentials and give the users' groups from the authorization provider.
The reason behind this separation is to allow a bit more abstraction between the local authentication layer and the actual verification of credentials.
Regards,
On Fri, Feb 27, 2015 at 12:38 PM, Tyler Romeo <tylerromeo@gmail.com> wrote:
> The primary vision I had with this RFC was to separate the idea of a MediaWiki user and an external authentication provider.
> In other words, an individual is logging in as a local user, and that user may be associated with one or more external "users". Each external user is linked via a provider that can authenticate the external user's credentials and give the users' groups from the authorization provider.
> The reason behind this separation is to allow a bit more abstraction between the local authentication layer and the actual verification of credentials.

Hopefully we haven't lost that distinction in our revisions. We have dropped the notion of an ExternalUser class but only as a distinct and required component. Now each AuthenticationProvider would be responsible for managing the association of a set of credentials (e.g. username and password) to a local username. The means by which this state is managed is left unspecified by the RfC, which to us seems reasonable as it is really an implementation detail of the AuthenticationProvider. All MediaWiki cares about is that an AuthenticationRequest can be converted into an AuthenticationResponse that affirms the provided credentials are valid and indicates the local User who should be considered the authenticated owner of the current request.
Bryan
On Fri, Feb 27, 2015 at 2:38 PM, Tyler Romeo <tylerromeo@gmail.com> wrote:
> and give the users' groups from the authorization provider.

Note we have no mention of this in the authentication RFC, since we're being careful to separate *authentication* (authn) from *authorization* (authz). We have vague plans to rework authz like we're doing authn here, but we haven't done more than consider that a possibility for a future project.
Under the current RFC, an extension that does both authn and authz would presumably have its AuthenticationProvider store information in the session that would be used later when authz is done (e.g. in the UserGetRights hook).
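
The flow described in the two replies above, as an added sketch that is not part of the thread and is not MediaWiki's or the RFC's code: a provider owns the credential-to-local-user link, core only sees a request become a response, and data stashed during authn is read later by an authz step. The class shapes, `DirectoryProvider`, `login`, `rightsFor`, the session keys and the account data are all hypothetical.

```php
<?php
declare(strict_types=1);
// Hypothetical shapes reusing the class names from the thread; not MediaWiki's API. PHP 8+.
final class AuthenticationRequest { public function __construct(public string $username, public string $password) {} }
final class AuthenticationResponse { public function __construct(public bool $pass, public ?string $localUser = null) {} }
interface AuthenticationProvider {
    public function authenticate(AuthenticationRequest $req, array &$session): AuthenticationResponse;
}
// Constructed provider: it alone knows how external accounts link to local users.
final class DirectoryProvider implements AuthenticationProvider {
    private string $dummyHash;
    public function __construct(private array $accounts) {
        $this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    public function authenticate(AuthenticationRequest $req, array &$session): AuthenticationResponse {
        $acct = $this->accounts[$req->username] ?? null;
        // Always verify against some hash so unknown accounts take similar time.
        $ok = password_verify($req->password, $acct['hash'] ?? $this->dummyHash);
        if ($acct === null || !$ok) { return new AuthenticationResponse(false); }
        // Provider-private state kept for a later authorization step.
        $session['directory.groups'] = $acct['groups'];
        return new AuthenticationResponse(true, $acct['local']);
    }
}
// Stand-in for the core login path: identity comes from the response, never the request.
function login(AuthenticationProvider $p, AuthenticationRequest $req, array &$session): bool {
    $scratch = [];
    $res = $p->authenticate($req, $scratch);
    if (!$res->pass || $res->localUser === null) {
        return false; // nothing the provider wrote reaches the real session
    }
    $session = ['user' => $res->localUser] + $scratch; // left operand wins: 'user' cannot be overwritten
    return true;
}
// Stand-in for an authz hook such as UserGetRights reading what authn stored.
function rightsFor(array $session): array {
    $byGroup = ['wiki-admins' => ['block', 'delete'], 'staff' => ['edit']]; // constructed mapping
    $sets = array_map(fn($g) => $byGroup[$g] ?? [], $session['directory.groups'] ?? []);
    return array_values(array_unique(array_merge([], ...$sets)));
}
// Constructed account: external name differs from the local username.
$provider = new DirectoryProvider(['jdoe@corp.example' => [
    'hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'local' => 'Jdoe', 'groups' => ['staff'],
]]);
$session = [];
foreach (['wrong', 'correct horse'] as $pw) {
    $ok = login($provider, new AuthenticationRequest('jdoe@corp.example', $pw), $session);
    var_dump($ok, $session['user'] ?? null, rightsFor($session));
}
```
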
Hi Legoktm et al!
Thanks for filing the RFC. We have started to track RFCs on Phabricator now - as I can see, you have already created a ticket. Excellent! I have cross-linked it from the wiki page now. Since you asked for comments and feedback, I have put the ticket on the "to discuss" column of our workboard[1].
Please keep the Phabricator up to date. I have assigned it to Bryan for now, but feel free to change that. Actually, when the ticket is under discussion, it doesn't really need an owner.
We are currently experimenting with the RFC workflow, trying to make it more flexible. In particular, RFCs no longer *have* to be scheduled for an IRC discussion to be decided, the ArchCom may just decide them based on the discussion on Phabricator or the Talk page. If you feel an IRC session would be useful, please say so in the ticket. Hm, maybe we want a separate column for that - "IRC queue" or something.
Anyway, if you have comments and ideas about the RFC process (old or new), please let us know.
Thanks! Daniel
[1] https://phabricator.wikimedia.org/tag/mediawiki-rfcs/board/
[2] https://phabricator.wikimedia.org/T91105
On 27.02.2015 at 17:57, Legoktm wrote:
> Hi!
> Anomie, bd808, CSteipp, and myself have been working on updating Tyler's previous AuthStack RfC: https://www.mediawiki.org/wiki/Requests_for_comment/AuthManager.
> Our goal is to build an authentication system that is flexible enough to support the variety of use cases that MW currently supports and those it should support in the future, without requiring tons of hooks or ugly hacks.
> Please leave comments and feedback on the talk page :)
> Thanks! -- Legoktm