[wp-hackers] Single sign-on with Wordpress & Mediawiki

wordpress at santosj.name wordpress at santosj.name
Wed Oct 31 01:37:47 GMT 2007


OpenID does not handle that and is not supposed to handle that. OpenID is
more a Username Replacement than a complete User Management/Role system.
You would still need to have a password for each site, but the deal is
that they wouldn't have to remember several different usernames.

While researching this several years ago, I came to the realization that
the best method would only be to register the user and have hooks in for
password updating.

Well, if you are going to go through all of that hassle anyway, it would
be wise to use something already created for that purpose for the
username.

I would leave off creating an OpenID server, just use a delegate instead.
Same thing, except you don't have to manage the software and can switch
providers if you need to. If you want to provide your domain as an OpenID
identity, then go ahead, the software is out there and free.

Jacob Santos

> Pardon my ignorance, but given the possible permissions/roles/groups and
> UI management in each package, how well would a local OpenID server
> handle these issues and pass authentication to each application?
>
> I know the OpenID concept is ideally nice, but I'm more interested in
> getting a traditional, seamless integration out of these disparate
> packages. My main concern is the end-user's experience. Security issues
> aside (not to minimize them), WP seems to make most of the management
> and authentication process pretty painless.
>
>
>
> Callum Macdonald lists.automattic.com-at-callum-macdonald.com
> |wordpress| wrote:
>> I agree, it sounds very much like OpenID.
>>
>> Rather than re-invent the wheel I'd suggest using OpenID as a basis.
>> There are OpenID plugins for an awful lot of OSS apps out there already,
>> including WordPress, MediaWiki, etc.
>>
>> I'm not sure WordPress makes the best base to store the user tables.
>> 1) Passwords are stored insecurely (the hashes should be salted)
>> 2) The login cookies are ridiculously easy to fake (simply md5 what's in
>> the db)
>>
>> Something which stores passwords salted, and keeps a separate key for
>> login would be much more secure. If you suspect your database might have
>> been stolen, simply update all the login tokens. Every user has to log
>> in again, no major inconvenience. With WordPress, you'd have to send
>> everyone new passwords, major pain in the ass.
>>
>> That's my tuppence worth!
>>
>> Cheers - Callum.
>>
>> DD32 wrote:
>>> On Tue, 30 Oct 2007 08:18:28 +1100, Sneaks <0vcqn5q02 at sneakemail.com>
>>> wrote:
>>>
>>>> how about an open-source, WP-suite of auth sharing plugins for
>>>> commonly
>>>> bundled software?
>>>>
>>>> 1. mediawiki
>>>> 2. bbPress
>>>> 3. ??
>>>>
>>>> i'll host SVN and a website if anyone wants to do this.
>>>>
>>>
>>> I was just thinking of something similar, Something which acts like
>>> Google's signin page might be good, All sign in attempts get redirected
>>> from 3rd party software to WP's login page, If the user is already
>>> logged in, it redirects back to the application with a key, the plugin
>>> in that software package reads the key, checks if it's correct, and
>>> then logs the user into that application too, Actually, That's sounding
>>> a bit like OpenID, except more streamlined for a single domain.
>>>
>>> That is assuming that other software has the great plugin hooking
>>> abilities that WP has :)
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>
>>>
>>>
>>
>>
>
>
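
The design Callum describes in the quoted message above (salted password hashes, plus a login token kept separate from the password so it can be reset after a suspected database theft), as an added example that is not part of the thread and is not WordPress code. `UserStore`, its method names, the PBKDF2 work factor and keeping only a SHA-256 of the token server-side are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000  # assumption: work factor chosen for this example


class UserStore:
    """In-memory stand-in for a shared user table (hypothetical, for illustration)."""

    def __init__(self):
        self.users = {}     # username -> (salt, password_hash)
        self.sessions = {}  # sha256(token) -> username

    @staticmethod
    def _hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username, password):
        salt = secrets.token_bytes(16)  # per-user random salt
        self.users[username] = (salt, self._hash_password(password, salt))

    def login(self, username, password):
        """Return a fresh cookie token on success, None on failure."""
        record = self.users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, self._hash_password(password, salt)):
            return None
        token = secrets.token_urlsafe(32)  # random, not derived from the password
        self.sessions[hashlib.sha256(token.encode()).hexdigest()] = username
        return token

    def user_for_cookie(self, token):
        return self.sessions.get(hashlib.sha256(token.encode()).hexdigest())

    def revoke_all_sessions(self):
        """Response to a suspected database theft: drop every login token."""
        self.sessions.clear()


def demo():
    store = UserStore()
    store.register("alice", "correct horse")  # constructed sample credentials
    store.register("bob", "correct horse")    # same password, different salt
    cookie = store.login("alice", "correct horse")
    before = store.user_for_cookie(cookie)
    store.revoke_all_sessions()
    after = store.user_for_cookie(cookie)
    relogin = store.login("alice", "correct horse") is not None
    same_hash = store.users["alice"][1] == store.users["bob"][1]
    return before, after, relogin, same_hash
```

After `revoke_all_sessions()` the old cookie no longer maps to a user, while the unchanged password still logs in, which is the "every user has to log in again" outcome from the quoted message.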



