[RfC] AuthManager

[RfC] AuthManager

Legoktm
Hi!

Anomie, bd808, CSteipp, and myself have been working on updating Tyler's
previous AuthStack RfC:
<https://www.mediawiki.org/wiki/Requests_for_comment/AuthManager>.

Our goal is to build an authentication system that is flexible enough to
support the variety of usecases that MW currently supports and those it
should support in the future, without requiring tons of hooks or ugly hacks.

Please leave comments and feedback on the talk page :)

Thanks!
-- Legoktm

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [RfC] AuthManager

Tyler Romeo
The primary vision I had with this RFC was to separate the idea of a
MediaWiki user and an external authentication provider.

In other words, an individual is logging in as a local user, and that
user may be associated with one or more external "users". Each external
user is linked via a provider that can authenticate the external user's
credentials and give the users' groups from the authorization provider.

The reason behind this separation is to allow a bit more abstraction
between the local authentication layer and the actual verification of
credentials.

Regards,
--
Tyler Romeo

On 2/27/15 08:57, Legoktm wrote:

> Hi!
>
> Anomie, bd808, CSteipp, and myself have been working on updating Tyler's
> previous AuthStack RfC:
> <https://www.mediawiki.org/wiki/Requests_for_comment/AuthManager>.
>
> Our goal is to build an authentication system that is flexible enough to
> support the variety of usecases that MW currently supports and those it
> should support in the future, without requiring tons of hooks or ugly hacks.
>
> Please leave comments and feedback on the talk page :)
>
> Thanks!
> -- Legoktm
>
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l



Re: [RfC] AuthManager

Bryan Davis
On Fri, Feb 27, 2015 at 12:38 PM, Tyler Romeo <[hidden email]> wrote:

> The primary vision I had with this RFC was to separate the idea of a
> MediaWiki user and an external authentication provider.
>
> In other words, an individual is logging in as a local user, and that
> user may be associated with one or more external "users". Each external
> user is linked via a provider that can authenticate the external user's
> credentials and give the users' groups from the authorization provider.
>
> The reason behind this separation is to allow a bit more abstraction
> between the local authentication layer and the actual verification of
> credentials.

Hopefully we haven't lost that distinction in our revisions. We have
dropped the notion of an ExternalUser class but only as a distinct and
required component. Now each AuthenticationProvider would be
responsible for managing the association of a set of credentials (e.g.
username and password) to a local username. The means by which this
state is managed is left unspecified by the RfC which to us seems
reasonable as it is really an implementation detail of the
AuthenticationProvider. All MediaWiki cares about is that an
AuthenticationRequest can be converted into an AuthenticationResponse
that affirms the provided credentials are valid and indicates the
local User who should be considered the authenticated owner of the
current request.

Bryan
--
Bryan Davis              Wikimedia Foundation    <[hidden email]>
[[m:User:BDavis_(WMF)]]  Sr Software Engineer            Boise, ID USA
irc: bd808                                        v:415.839.6885 x6855


Re: [RfC] AuthManager

Daniel Kinzler
In reply to this post by Legoktm
Hi Legoktm et al!

Thanks for filing the RFC. We have started to track RFCs on Phabricator now - as
I can see, you have already created a ticket. Excellent! I have cross-linked it
from the wiki page now. Since you asked for comments and feedback, I have put
the ticket on the "to discuss" column of our workboard[1].

Please keep the phabricator up to date. I have assigned it to Bryan for now, but
feel free to change that. Actually, when the ticket is under discussion, it
doesn't really need an owner.

We are currently experimenting with the RFC workflow, trying to make it more
flexible. In particular, RFCs no longer *have* to be scheduled for an IRC
discussion to be decided, the ArchCom may just decide them based on the
discussion on Phabricator or the Talk page. If you feel an IRC session would be
useful, please say so in the ticket. Hm, maybe we want a separate column for
that - "IRC queue" or something.

Anyway, if you have comments and ideas about the RFC process (old or new),
please let us know.

Thanks!
Daniel


[1] https://phabricator.wikimedia.org/tag/mediawiki-rfcs/board/
[2] https://phabricator.wikimedia.org/T91105

Am 27.02.2015 um 17:57 schrieb Legoktm:

> Hi!
>
> Anomie, bd808, CSteipp, and myself have been working on updating Tyler's
> previous AuthStack RfC:
> <https://www.mediawiki.org/wiki/Requests_for_comment/AuthManager>.
>
> Our goal is to build an authentication system that is flexible enough to
> support the variety of usecases that MW currently supports and those it
> should support in the future, without requiring tons of hooks or ugly hacks.
>
> Please leave comments and feedback on the talk page :)
>
> Thanks!
> -- Legoktm
>
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>



Re: [RfC] AuthManager

Brad Jorsch (Anomie)
In reply to this post by Tyler Romeo
On Fri, Feb 27, 2015 at 2:38 PM, Tyler Romeo <[hidden email]> wrote:

> and give the users' groups from the authorization provider.
>

Note we have no mention of this in the authentication RFC, since we're
being careful to separate *authentication* (authn) from *authorization*
(authz). We have vague plans to rework authz like we're doing authn here,
but we haven't done more than consider that a possibility for a future
project.

Under the current RFC, an extension that does both authn and authz would
presumably have its AuthenticationProvider store information in the session
that would be used later when authz is done (e.g. in the UserGetRights
hook).


--
Brad Jorsch (Anomie)
Software Engineer
Wikimedia Foundation
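
The flow described in Bryan Davis's and Brad Jorsch's messages above, as an added example that is not part of the thread and is not MediaWiki's code: a provider turns an AuthenticationRequest into an AuthenticationResponse naming the local user, and stores external group data in the session for a later, separate authz step. The class shapes, the `extAuth` session key, the sample directory entry and `rightsFor()` are assumptions made for illustration.

```php
<?php
// Model of the thread's flow; class shapes are assumptions, not MediaWiki's AuthManager API.
final class AuthenticationRequest {
    public string $username;
    public string $password;
    public function __construct(string $username, string $password) {
        $this->username = $username;
        $this->password = $password;
    }
}
final class AuthenticationResponse {
    public bool $pass;
    public ?string $localUser; // set only when credentials were valid
    public function __construct(bool $pass, ?string $localUser = null) {
        $this->pass = $pass;
        $this->localUser = $localUser;
    }
}
// Hypothetical provider: it alone knows how external logins map to local users.
final class DirectoryAuthenticationProvider {
    private array $directory; // constructed sample data
    public function __construct() {
        $this->directory = ['alice@corp.example' => [
            'hash' => password_hash('correct horse', PASSWORD_DEFAULT),
            'local' => 'Alice', 'groups' => ['staff'],
        ]];
    }
    public function authenticate(AuthenticationRequest $req, array &$session): AuthenticationResponse {
        unset($session['extAuth']); // never keep data from an earlier login
        $entry = $this->directory[$req->username] ?? null;
        if ($entry === null || !password_verify($req->password, $entry['hash'])) {
            return new AuthenticationResponse(false);
        }
        // Stash external groups for the later authz step, bound to the local user.
        $session['extAuth'] = ['user' => $entry['local'], 'groups' => $entry['groups']];
        return new AuthenticationResponse(true, $entry['local']);
    }
}
// Authz, run later and separately (the thread names the UserGetRights hook).
function rightsFor(string $localUser, array $session): array {
    $ext = $session['extAuth'] ?? null;
    $staff = $ext !== null && $ext['user'] === $localUser && in_array('staff', $ext['groups'], true);
    return $staff ? ['read', 'edit'] : ['read'];
}
$session = [];
$provider = new DirectoryAuthenticationProvider();
$ok = $provider->authenticate(new AuthenticationRequest('alice@corp.example', 'correct horse'), $session);
echo $ok->localUser, ': ', implode(',', rightsFor($ok->localUser, $session)), "\n";
$bad = $provider->authenticate(new AuthenticationRequest('alice@corp.example', 'wrong'), $session);
echo 'after failed login: ', implode(',', rightsFor('Alice', $session)), "\n";
```

The authz step checks that the stored data belongs to the user it is evaluating, and a failed login clears it, so rights derived from external groups cannot outlive or cross the authentication that produced them.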