[wp-hackers] Single sign-on with Wordpress & Mediawiki

Jacob wordpress at santosj.name
Mon Oct 29 03:00:08 GMT 2007


Travis Snoozy wrote:
> On Sun, 28 Oct 2007 18:30:03 -0500, Jacob <wordpress at santosj.name>
> wrote:
>
>   
>>> That's another issue altogether. OpenID is for a larger problem
>>> space 
>>>       
> <snip>
>   
>> OpenID isn't a solution for username/password combinations.
>>     
> <snip>
>
> What I'm getting at is that OpenID, specifically, is irrelevant to this
> conversation. It's just another way to do auth -- it doesn't matter
> *how* it gets done, just that every service (wiki, forum, bug tracker,
> etc.) uses the same method.
>
> <snip>
>   
>>> Just abstract the auth logic out into a couple function calls, and
>>> voila -- you have a unified (single-site) auth architecture.
>>>       
> <snip>
>   
>> This in theory makes sense, but no one is going to do it. Good luck
>> anyway.
>>
>> The solution is not to revert to a standard where everyone uses the
>> same library/function calls, but offers API, like WordPress does for
>> cross web app authentication. Several major applications already do
>> this by way of creating specific cookies or calling a web application
>> specific function.
>>     
>
> We're pretty much in violent agreement here ;). It's just a matter of
> "how", and there are several reasons why a standard approach is better
> vs. each product rolling their own API.
>   
I've thought about this, trust me, and unless someone like Matt 
personally makes the effort to do so, then I don't see any project doing 
so. The biggest projects out there spent a great deal of time on their 
Auth system. Any adoption would have to be built on top of their Auth 
system first and published as a plugin. The people that use those 
projects will have to install said plugin, which is unlikely since the 
only advantage is that they get compatibility, which you could move 
forward by using the plugin to provide single sign-on to other projects 
(people will bow and build idols to your name).

You need someone big; someone like me or you, Joe Programmer, doesn't 
have enough Karma. Of course the guy that developed OpenID didn't either, and 
look where he is now. Microsoft is up on OpenID.
> The "override my auth system" approach is useful, and I *vastly*
> prefer it to having a hard-coded auth system in a product. However, it
> places the burden on people who create single sign on systems to also
> create plugins for each and every one of these products. By
> standardizing on an API and conventions, it would allow people to write
> an auth system once, and have it work *without* needing this extra
> layer of product-to-product glue code (and the potential security flaws
> that could be introduced by subtle semantic differences between
> products). Likewise, for products without native support for the
> standard, but with a pluggable interface, it would still allow an
> integration plugin to be written once for each product, and work with
> *all* auth providers conforming to the standard. People can work on
> making one chunk of code really solid, instead of having a million
> different chunks of code that do almost-but-not-quite the same thing.
>
>   
>> The problem is that web applications can know or don't care which 
>> primary web application the user chooses.
>>     
> <snip>
>
> Yep. Shouldn't know or care. Authentication is authentication. I'm
> saying that there should be no "primary" web application -- all the
> auth logic should be centralized behind a common API so that logging in
> in one place is *exactly the same* as logging in somewhere else
> (within a single site).
>
>
>   
Hmm. Code-wise this would be sexy, but it would have to be extremely 
simple and not centrally supported by any one product, meaning it would 
have to be a community thing. The only problem would be to get other 
applications to adopt it, and it would be difficult since they have 
developed their own API and, as I said, they think their method is best 
and can't understand why other products don't use their superior method.

Single_Auth::Register('phpBB_authenticate'); // Single_Auth_Register($callback);
Single_Auth::Register('wp_login');

Single_Auth::Authenticate($username, $password); // Single_Auth_Authenticate($username, $password);

Simple enough?

Jacob Santos

-- 

Jacob Santos

http://www.santosj.name - blog
http://wordpress.svn.dragonu.net/unittest/ - unofficial WP unit test suite.

Also known as darkdragon and santosj on WP trac.
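[Added example, not code from the thread or from WordPress/phpBB: one way the Single_Auth registry sketched above could be fleshed out, with the point Travis raises about "subtle semantic differences between products" handled in the dispatcher. The class, its return-value convention, the two adapters and their credentials are all assumptions constructed for illustration; the real wp_authenticate() and phpBB login functions return product-specific values that an adapter would have to map onto the common shape.]

```php
<?php
// Added example (assumed design, not from the original thread):
// a central Single_Auth registry where each product contributes a callback,
// and the dispatcher decides what counts as "authenticated" instead of
// trusting each product's own notion of a truthy result.

final class Single_Auth
{
    /** @var array<string, callable> provider name => callback */
    private static array $providers = [];

    /**
     * Register an authentication callback. The callback receives
     * ($username, $password) and must return an array with at least
     * 'ok' => bool and 'user_id' => string|int on success.
     * Re-registering a name throws, so one plugin cannot silently replace
     * another product's provider.
     */
    public static function Register(string $name, callable $callback): void
    {
        if (isset(self::$providers[$name])) {
            throw new LogicException("auth provider '$name' already registered");
        }
        self::$providers[$name] = $callback;
    }

    /**
     * Try each provider in registration order and return the first success.
     * A provider is trusted only when it returns exactly
     * ['ok' => true, 'user_id' => <non-empty>]; anything else (a WP_Error-style
     * object, a phpBB-style status array, a non-empty error string) is a
     * failure, so differences between products fail closed.
     */
    public static function Authenticate(string $username, string $password): ?array
    {
        foreach (self::$providers as $name => $callback) {
            try {
                $result = $callback($username, $password);
            } catch (Throwable $e) {
                // A broken provider must not be able to let a login through.
                error_log("auth provider '$name' threw: " . $e->getMessage());
                continue;
            }
            if (is_array($result)
                && array_key_exists('ok', $result) && $result['ok'] === true
                && isset($result['user_id']) && $result['user_id'] !== '') {
                return ['provider' => $name, 'user_id' => $result['user_id']];
            }
        }
        return null; // no provider vouched for this user
    }
}

// --- Two constructed adapters standing in for product-specific logic ---

// Hypothetical WordPress-style adapter: the real wp_authenticate() returns a
// WP_User on success or a WP_Error on failure; the adapter maps both onto
// the common shape. The user table and hash here are constructed.
Single_Auth::Register('wp_login', function (string $u, string $p): array {
    $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    if (isset($users[$u]) && password_verify($p, $users[$u])) {
        return ['ok' => true, 'user_id' => 'wp:alice'];
    }
    return ['ok' => false, 'error' => 'invalid_username_or_password'];
});

// Hypothetical phpBB-style adapter: phpBB's login returns a status array on
// failure, which is truthy, so a naive "if ($result)" check in glue code
// would accept it. The dispatcher above only accepts 'ok' === true.
Single_Auth::Register('phpBB_authenticate', function (string $u, string $p): array {
    $users = ['bob' => password_hash('hunter2', PASSWORD_DEFAULT)]; // constructed
    if (isset($users[$u]) && password_verify($p, $users[$u])) {
        return ['ok' => true, 'user_id' => 'phpbb:2'];
    }
    return ['status' => 'LOGIN_ERROR_PASSWORD', 'error_msg' => 'LOGIN_ERROR_PASSWORD'];
});

var_dump(Single_Auth::Authenticate('alice', 'correct horse'));
var_dump(Single_Auth::Authenticate('bob', 'wrong password'));
```

The important design choice is that the registry, not the individual products, defines what a successful result looks like: every adapter is forced into one explicit shape, and the dispatcher treats anything it does not recognise as a failed login rather than guessing. That is the single "chunk of code" Travis wants to make solid, and it is where the glue-code mistakes he mentions (a failure status array read as success, an exception skipping a check) would otherwise live.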



More information about the wp-hackers mailing list