[wp-hackers] Single sign-on with Wordpress & Mediawiki
Callum Macdonald
lists.automattic.com at callum-macdonald.com
Tue Oct 30 22:46:01 GMT 2007

OpenID does exactly what's been described. You log in to the OpenID
server, you visit a client application (MW/WP/etc) and it makes a call
to the OpenID server for authentication.

I don't know how you'd integrate the permissions / group structures /
etc within each application. It might be possible to manage that through
the OpenID server. Ultimately, I think each application will store its
own group, permissions, and role data alongside the user table. In WP
it's in usermeta, I'm guessing it's a similar setup in the other apps.
To combine those, you're facing the same challenge whether you use
OpenID as the base or WordPress.

Cheers - Callum.

Sneaks wrote:
> Pardon my ignorance, but given the possible permissions/roles/groups
> and UI management in each package, how well would a local OpenID
> server handle these issues and pass authentication to each application?
>
> I know the OpenID concept is ideally nice, but I'm more interested in
> getting a traditional, seamless integration out of these disparate
> packages. My main concern is the end-user's experience. Security
> issues aside (not to minimize them), WP seems to make most of the
> management and authentication process pretty painless.
>
>
>
> Callum Macdonald lists.automattic.com-at-callum-macdonald.com
> |wordpress| wrote:
>> I agree, it sounds very much like OpenID.
>>
>> Rather than re-invent the wheel I'd suggest using OpenID as a basis.
>> There are OpenID plugins for an awful lot of OSS apps out there
>> already, including WordPress, MediaWiki, etc.
>>
>> I'm not sure WordPress makes the best base to store the user tables.
>> 1) Passwords are stored insecurely (the hashes should be salted)
>> 2) The login cookies are ridiculously easy to fake (simply md5 what's
>> in the db)
>>
>> Something which stores passwords salted, and keeps a separate key for
>> login would be much more secure. If you suspect your database might
>> have been stolen, simply update all the login tokens. Every user has
>> to log in again, no major inconvenience. With WordPress, you'd have
>> to send everyone new passwords, major pain in the ass.
>>
>> That's my tuppence worth!
>>
>> Cheers - Callum.
>>
>> DD32 wrote:
>>> On Tue, 30 Oct 2007 08:18:28 +1100, Sneaks
>>> <0vcqn5q02 at sneakemail.com> wrote:
>>>
>>>> how about an open-source, WP-suite of auth sharing plugins for
>>>> commonly
>>>> bundled software?
>>>>
>>>> 1. mediawiki
>>>> 2. bbPress
>>>> 3. ??
>>>>
>>>> i'll host SVN and a website if anyone wants to do this.
>>>>
>>>
>>> I was just thinking of something similar, Something which acts like
>>> Google's signin page might be good, All sign in attempts get
>>> redirected from 3rd party software to WP's login page, If the user
>>> is already logged in, it redirects back to the application with a
>>> key, the plugin in that software package reads the key, checks if
>>> it's correct, and then logs the user into that application too,
>>> Actually, That's sounding a bit like OpenID, except more streamlined
>>> for a single domain.
>>>
>>> That is assuming that other software have the great plugin hooking
>>> abilities that WP has :)
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
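
The design suggested in the quoted message (salted password hashes plus a separate login key that can be reset without touching passwords), as an added example that is not part of the original thread and not WordPress code. The `UserStore` class and its field names are hypothetical; PBKDF2 and hashing the token at rest are choices made for this sketch, not something the thread specifies.

```python
import hashlib
import hmac
import secrets


class UserStore:
    """Constructed in-memory stand-in for a user table (hypothetical schema)."""

    def __init__(self):
        self.users = {}

    @staticmethod
    def _pw_hash(password, salt):
        # Per-user salt: identical passwords produce different stored hashes.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def add_user(self, name, password):
        salt = secrets.token_bytes(16)
        self.users[name] = {
            "salt": salt,
            "pw_hash": self._pw_hash(password, salt),
            "token_hash": None,  # login key, independent of the password
        }

    def login(self, name, password):
        """Return a fresh cookie value on success, None on failure."""
        user = self.users.get(name)
        if user is None:
            return None
        candidate = self._pw_hash(password, user["salt"])
        if not hmac.compare_digest(user["pw_hash"], candidate):
            return None
        token = secrets.token_urlsafe(32)
        # Only a hash of the token is stored, so a copy of the table
        # does not contain anything that works as a cookie.
        user["token_hash"] = hashlib.sha256(token.encode()).digest()
        return token

    def check_cookie(self, name, token):
        user = self.users.get(name)
        if user is None or user["token_hash"] is None:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        return hmac.compare_digest(user["token_hash"], presented)

    def revoke_all_tokens(self):
        """Suspected database theft: end every session, keep every password."""
        for user in self.users.values():
            user["token_hash"] = None
```

After `revoke_all_tokens()` every existing cookie is rejected and users simply log in again with their unchanged passwords.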