Hello,
Sometimes the problem comes up that an external tool needs to verify whether a user is the same user as on a wiki. For example, one may want an opt-in system for an editcounter [1]. Or you are organizing a competition in which every Wikimedian can vote [2]. Currently such authentication is done with various hacks, such as posting some code in an edit summary, abusing the mail features of MediaWiki or having the user post a certain token to a wiki page. This is not ideal and moreover quite complicated for the non-tech-savvy people.
I would therefore like to have some way to verify a user's identity without asking for his password or posting some weird stuff to some page. What I think would be a solution:
# The user visits http://externaltool.com/authenticate and submits his username (and wiki).
# The tool will add the user to its database, generate some random token and redirect the user to http://wiki.org/wiki/Special:VerifyUser?token=secret
# MediaWiki will then check whether the user is logged in and if not ask to login.
# MediaWiki will do some magic and generate a new_token from token and redirect the user back to the tool, adding the new_token to its url
# The tool will then query the wiki with its token and the new_token and ask whether the two tokens form a valid pair
The downside of this would be that there are many redirects involved and also quite a lot of traffic. Would such a thing have any chance of being enabled on Wikimedia wikis if developed?
Cheers, Bryan
* [1] http://tools.wikimedia.de/~interiot/cgi-bin/editcount_optin.cgi?user=Commons...
* [2] http://commons.wikimedia.org/wiki/Commons:Picture_of_the_Year/2007/Voting
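
The five-step exchange proposed above, simulated in-process as an added example (not part of the original message and not MediaWiki code). The `Wiki` and `Tool` classes, the HMAC-SHA256 derivation standing in for the "magic" in step 4, and sending the claimed username along with the token pair in step 5 are all assumptions.

```python
import hashlib
import hmac
import secrets


class Wiki:
    """Stand-in for the proposed Special:VerifyUser page (hypothetical)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # wiki-side secret, never sent out

    def _mac(self, token, username):
        # Length prefix keeps (token, username) unambiguous inside the MAC.
        msg = f"{len(token)}:{token}|{username}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def verify_user(self, token, session_user):
        """Steps 3-4: only a logged-in session gets a new_token."""
        if session_user is None:
            raise PermissionError("login required")
        return self._mac(token, session_user)

    def check_pair(self, token, new_token, username):
        """Step 5: constant-time check that the pair is valid for username."""
        expected = self._mac(token, username)
        return hmac.compare_digest(expected.encode(), new_token.encode())


class Tool:
    """Stand-in for the external tool (hypothetical)."""

    def __init__(self, wiki):
        self.wiki = wiki
        self.pending = {}  # token -> username claimed in step 1

    def start(self, claimed_username):
        """Steps 1-2: store the claim and issue an unguessable token."""
        token = secrets.token_urlsafe(32)
        self.pending[token] = claimed_username
        return token

    def finish(self, token, new_token):
        """Step 5: single use; returns the verified username or None."""
        claimed = self.pending.pop(token, None)
        if claimed is None:
            return None
        ok = self.wiki.check_pair(token, new_token, claimed)
        return claimed if ok else None
```

Because the wiki binds the logged-in session's username into new_token, a pair obtained under one account does not validate for a different claimed username, and popping the token on first use prevents a captured redirect URL from being replayed.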