On Tue, Jun 4, 2013 at 7:46 PM, Rob Lanphier robla@wikimedia.org wrote:
> This page is more relevant to our immediate plans: https://www.mediawiki.org/wiki/Auth_systems/OAuth
> I would be really happy to see someone do some cleanup of this page, archive the bits written in 2011, and make the Auth_systems/OAuth page more prevalent, possibly merging with OAuth (though please don't mix in the obsolete stuff).
This page is, arguably, even worse. My favorite quotes from this page:
The list of granted permissions will be supplied by the AuthPlugin
AuthPlugin never used to handle this kind of stuff. The only extensions that use AuthPlugin are those that provide *supplemental* authentication services. Notice that E:LDAPAuthentication uses AuthPlugin, but E:TwoFactorAuthentication does not. AuthPlugin has never handled additional authorization logic, and I don't see any reason why it should.
Granted permissions are identified by string tokens. These are entirely independent of the existing user rights system: to successfully execute a module, both the existing user rights checks and the granted permissions check have to pass.
Why?! What exactly is so bad about just using our own permissions, which already exist, as the permissions for OAuth tokens? It allows the highest level of granularity for permissions and allows us to easily display to the user exactly what the application will be allowed to do.
--
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerromeo@gmail.com