[wp-hackers] Single sign-on with Wordpress & Mediawiki
Sneaks
0vcqn5q02 at sneakemail.com
Tue Oct 30 22:08:45 GMT 2007
Pardon my ignorance, but given the possible permissions/roles/groups and
UI management in each package, how well would a local OpenID server
handle these issues and pass authentication to each application?
I know the OpenID concept is ideally nice, but I'm more interested in
getting a traditional, seamless integration out of these disparate
packages. My main concern is the end-user's experience. Security issues
aside (not to minimize them), WP seems to make most of the management
and authentication process pretty painless.
Callum Macdonald lists.automattic.com-at-callum-macdonald.com
|wordpress| wrote:
> I agree, it sounds very much like OpenID.
>
> Rather than re-invent the wheel I'd suggest using OpenID as a basis.
> There are OpenID plugins for an awful lot of OSS apps out there already,
> including WordPress, MediaWiki, etc.
>
> I'm not sure WordPress makes the best base to store the user tables.
> 1) Passwords are stored insecurely (the hashes should be salted)
> 2) The login cookies are ridiculously easy to fake (simply md5 what's in
> the db)
>
> Something which stores passwords salted, and keeps a separate key for
> login would be much more secure. If you suspect your database might have
> been stolen, simply update all the login tokens. Every user has to log
> in again, no major inconvenience. With WordPress, you'd have to send
> everyone new passwords, major pain in the ass.
>
> That's my tuppence worth!
>
> Cheers - Callum.
>
> DD32 wrote:
>> On Tue, 30 Oct 2007 08:18:28 +1100, Sneaks <0vcqn5q02 at sneakemail.com>
>> wrote:
>>
>>> How about an open-source, WP-suite of auth sharing plugins for commonly
>>> bundled software?
>>>
>>> 1. mediawiki
>>> 2. bbPress
>>> 3. ??
>>>
>>> I'll host SVN and a website if anyone wants to do this.
>>>
>>
>> I was just thinking of something similar. Something which acts like
>> Google's sign-in page might be good: all sign-in attempts get redirected
>> from 3rd party software to WP's login page. If the user is already
>> logged in, it redirects back to the application with a key, the plugin
>> in that software package reads the key, checks if it's correct, and
>> then logs the user into that application too. Actually, that's sounding
>> a bit like OpenID, except more streamlined for a single domain.
>>
>> That is assuming that other software have the great plugin hooking
>> abilities that WP has :)
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
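The storage design suggested in the quoted reply (salted password hashes plus a separate, rotatable login token) can be sketched as follows. This is an added example, not code from the thread, WordPress or MediaWiki; `UserStore`, its field names and `SERVER_KEY` are hypothetical, and keeping a MAC key outside the user table is an extra assumption beyond what the reply proposes.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side secret stored outside the user table.
SERVER_KEY = secrets.token_bytes(32)

class UserStore:
    """Hypothetical user table: salted password hash + separate login token."""

    def __init__(self):
        self.users = {}

    @staticmethod
    def _hash(password, salt):
        # Per-user salt, so equal passwords do not produce equal hashes.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def add_user(self, name, password):
        salt = secrets.token_bytes(16)
        self.users[name] = {
            "salt": salt,
            "pw_hash": self._hash(password, salt),
            "login_token": secrets.token_bytes(32),  # unrelated to the password
        }

    def check_password(self, name, password):
        user = self.users.get(name)
        if user is None:
            return False
        return hmac.compare_digest(user["pw_hash"], self._hash(password, user["salt"]))

    def _mac(self, name):
        msg = name.encode() + b"|" + self.users[name]["login_token"]
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def issue_cookie(self, name):
        # The cookie depends on the login token only, never on the password hash.
        return f"{name}|{self._mac(name)}"

    def check_cookie(self, cookie):
        name, _, mac = cookie.rpartition("|")
        if name not in self.users:
            return None
        ok = hmac.compare_digest(mac.encode(), self._mac(name).encode())
        return name if ok else None

    def rotate_all_tokens(self):
        # Suspected database theft: every existing cookie stops validating,
        # while password hashes (and therefore passwords) are left untouched.
        for user in self.users.values():
            user["login_token"] = secrets.token_bytes(32)
```

After `rotate_all_tokens()` every user has to log in again, but nobody needs a new password.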