[wp-hackers] Single sign-on with Wordpress & Mediawiki
lists.automattic.com at callum-macdonald.com
Wed Oct 31 17:37:15 GMT 2007
Travis Snoozy wrote:
> Note that this still doesn't change the fact that users have to
> separately authenticate with each service on your site (even if they're
> all OpenID-enabled, and even if all the user has to do is enter their
> OpenID URL). So, the "site-wide SSO" issue still stands, even though
> it's less obnoxious :).
There might be a simple workaround. If you set the user's openID
identity into a cookie, you could pick that cookie up in each of your
apps. The user flow would be:
1) User visits WP site (is not logged in)
2) User clicks "Login" and is directed to OpenID server to authenticate
3) User is returned to WP now authenticated by OpenID
4) User browses to MediaWiki (not yet logged in to MediaWiki)
5) MediaWiki detects the OpenID cookie, requests authentication from
OpenID server, logs user in to MediaWiki
The original requirement was for the user experience to be as
transparent as possible. I think OpenID can provide that, although it
may need a small change to check a cookie for the OpenID identity.
Note that storing your OpenID identity in a cookie isn't a security
issue. The URL in itself is not sensitive information (it's your
wordpress.com account address, hardly private!). Storing it in a cookie
simply saves the user typing it on each service within your setup.
In this scenario, you would have issues if users wanted to sign in /
register on one service (say WordPress) with their own OpenID provider.
They would not then be able to sign in to all your services in one go.
Hence, I'd suggest using a local OpenID provider and making it look
transparent to the user, so they're not aware they're using OpenID.
Of course it would be uber-cool if the user could register their current
OpenID identity with the local OpenID server, thus their primary OpenID
would authenticate the secondary OpenID identity which would in turn
unlock WP/MW/etc! :)
Cheers - Callum.
More information about the wp-hackers