[wp-hackers] Single sign-on with Wordpress & Mediawiki
Callum Macdonald
lists.automattic.com at callum-macdonald.com
Wed Oct 31 17:37:15 GMT 2007
Travis Snoozy wrote:
> Note that this still doesn't change the fact that users have to
> separately authenticate with each service on your site (even if they're
> all OpenID-enabled, and even if all the user has to do is enter their
> OpenID URL). So, the "site-wide SSO" issue still stands, even though
> it's less obnoxious :).
>
There might be a simple workaround. If you set the user's OpenID
identity into a cookie, you could pick that cookie up in each of your
apps. The user flow would be:

1) User visits WP site (is not logged in)
2) User clicks "Login" and is directed to OpenID server to authenticate
3) User is returned to WP now authenticated by OpenID
4) User browses to MediaWiki (not yet logged in to MediaWiki)
5) MediaWiki detects the OpenID cookie, requests authentication from
OpenID server, logs user in to MediaWiki

The original requirement was for the user experience to be as
transparent as possible. I think OpenID can provide that, although it
may need a small change to check a cookie for the OpenID identity.

Note that storing your OpenID identity in a cookie isn't a security
issue. The URL in itself is not sensitive information (it's your
wordpress.com account address, hardly private!). Storing it in a cookie
simply saves the user typing it on each service within your setup.

In this scenario, you would have issues if users wanted to sign in /
register on one service (say WordPress) with their own OpenID provider.
They would not then be able to sign in to all your services in one go.
Hence, I'd suggest using a local OpenID provider and making it look
transparent to the user, so they're not aware they're using OpenID.

Of course it would be uber-cool if the user could register their current
OpenID identity with the local OpenID server, thus their primary OpenID
would authenticate the secondary OpenID identity which would in turn
unlock WP/MW/etc! :)

Cheers - Callum.
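
Step 5 of the flow above in PHP, as an added example that is not part of the original message and is not WordPress or MediaWiki code. The cookie name, host names and endpoint are hypothetical, the request uses OpenID 2.0 parameter names, and the second app still verifies the provider's signed response at `return_to` (with its OpenID library) before creating a session; the cookie only pre-fills the identity and is never treated as proof of login.

```php
<?php
// Added example. Cookie name, hosts and endpoint below are hypothetical.
const HINT_COOKIE   = 'openid_identity_hint';
const PROVIDER_HOST = 'id.example.org';                // the local OpenID provider
const OP_ENDPOINT   = 'https://id.example.org/server'; // its endpoint, from config

// Return the cookie's identity URL if it is usable as a hint, else null.
// The cookie is client-controlled, so only identities on the local provider
// pass; anything else falls back to the normal login link.
function identity_hint(array $cookies): ?string
{
    $url = $cookies[HINT_COOKIE] ?? null;
    if (!is_string($url) || strlen($url) > 255) {
        return null;
    }
    $p = parse_url($url);
    if ($p === false
        || ($p['scheme'] ?? '') !== 'https'
        || strtolower($p['host'] ?? '') !== PROVIDER_HOST
        || isset($p['user']) || isset($p['pass']) || isset($p['port'])) {
        return null;
    }
    return $url;
}

// Build the redirect that asks the provider to confirm the identity without
// user interaction (checkid_immediate). This is a request only, not a login.
function immediate_auth_url(string $identity, string $returnTo, string $realm): string
{
    return OP_ENDPOINT . '?' . http_build_query([
        'openid.ns'         => 'http://specs.openid.net/auth/2.0',
        'openid.mode'       => 'checkid_immediate',
        'openid.claimed_id' => $identity,
        'openid.identity'   => $identity,
        'openid.return_to'  => $returnTo,
        'openid.realm'      => $realm,
    ]);
}

// Constructed sample cookies, as the second app (the wiki) would receive them.
$samples = [
    [HINT_COOKIE => 'https://id.example.org/callum'],    // local identity
    [HINT_COOKIE => 'https://other.example.net/callum'], // user's own provider
    [],                                                  // no cookie set
];
foreach ($samples as $cookies) {
    $id = identity_hint($cookies);
    echo $id === null
        ? "no usable hint: show the normal login link\n"
        : 'redirect: ' . immediate_auth_url($id,
            'https://wiki.example.org/openid/return', 'https://wiki.example.org/') . "\n";
}
```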