On Mon, Sep 21, 2015 at 1:22 PM, Ryan Lane <rlane32(a)gmail.com> wrote:
> I know someone is working on an auth framework update, so I'm sure
> there'll be some changes necessary for that too.

We're planning on making the changes necessary for AuthManager in
WMF-deployed extensions (including LdapAuthentication and CentralAuth) as
part of the AuthManager project, but not any other bugs or requests.
We'll also look at non-WMF-deployed extensions, but we may not actually
make the changes in those cases.

More details on what exactly needs changing in extensions will be announced
to this mailing list when we're finished determining exactly what those
changes will be. But as a preview, some of the changes coming are:
- AuthPlugin is going away in favor of multiple co-existing
authentication providers.
- Real support for authentication methods other than "username and
password", instead of hacking around the login form.
- Support for pluggable pre-authentication steps (e.g. throttles,
captcha) without hooking into the login form.
- Support for pluggable post-authentication steps (e.g. forcing a
password change, second-factor auth) without a mess of hooks like
AbortLogin and AbortNewAccount.
- Support for other methods of tying the request to an authenticated
session, no more UserLoadFromSession hook.

See also the original RFC
<https://www.mediawiki.org/wiki/Requests_for_comment/AuthManager>, and
T89459 <https://phabricator.wikimedia.org/T89459> and its many subtasks,
and Gerrit change 195297 <https://gerrit.wikimedia.org/r/#/c/195297/> for
the work-in-progress.

--
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation