[wp-hackers] Single sign-on with Wordpress & Mediawiki
wordpress at santosj.name
Sun Oct 28 23:30:03 GMT 2007
Travis Snoozy wrote:
> On Sun, 28 Oct 2007 15:21:01 -0700, "Robin Adrianse"
> <robin.adr at gmail.com> wrote:
>> I'm talking about real-life, apparently...
> I reject your reality and substitute my own. ;)
>> the possibility of having standards for these kinds of things is pretty
>> slim. Very slim, in fact. Anyone who says otherwise (OpenID) is a bit
>> of an optimist to say the least. OpenID, while a great idea, isn't
>> going to catch on easily with the general public. A tool with only a
>> few geeks (technologically aware people) using it isn't going to make
>> a huge impact.
> That's another issue altogether. OpenID is for a larger problem space
> (single sign-on *across sites*), and that idea has already been shown
> to be more-or-less a bust (can you say Passport?).
Stop. Passport had more drastic issues than that and should not be
referenced based on Passport. The primary reason it failed can be
researched, but regardless, subsequent security issues didn't help.
OpenID isn't a solution for username/password combinations.
> From what I'm hearing, the current practice (hacking up a whole bunch
> of products as-needed so that they work off the same auth tables) is
> just one step away from this. Just abstract the auth logic out into a
> couple function calls, and voila -- you have a unified (single-site)
> auth architecture. It's a whole hell of a lot easier to write it
> once to patch into products vs. rewriting the whole thing for every new
> integration. It's not idealistic, it's pragmatic.
This in theory makes sense, but no one is going to do it. Good luck anyway.
The solution is not to revert to a standard where everyone uses the same
library/function calls, but to offer an API, like WordPress does for cross
web app authentication. Several major applications already do this by
way of creating specific cookies or calling a web application specific
The problem is that web applications can know or don't care which
primary web application the user chooses. They can't spend the time on
that. Their primary concern is allowing for others to use their methods
(functions/classes) for single site sign on.
http://www.santosj.name - blog
http://wordpress.svn.dragonu.net/unittest/ - unofficial WP unit test suite.
Also known as darkdragon and santosj on WP trac.