On Fri, Feb 27, 2015 at 12:38 PM, Tyler Romeo <tylerromeo(a)gmail.com> wrote:
> The primary vision I had with this RFC was to separate the idea of a
> MediaWiki user and an external authentication provider.
> In other words, an individual is logging in as a local user, and that
> user may be associated with one or more external "users". Each external
> user is linked via a provider that can authenticate the external user's
> credentials and give the users' groups from the authorization provider.
> The reason behind this separation is to allow a bit more abstraction
> between the local authentication layer and the actual verification of
> credentials.

Hopefully we haven't lost that distinction in our revisions. We have
dropped the notion of an ExternalUser class but only as a distinct and
required component. Now each AuthenticationProvider would be
responsible for managing the association of a set of credentials (e.g.
username and password) to a local username. The means by which this
state is managed is left unspecified by the RfC, which to us seems
reasonable as it is really an implementation detail of the
AuthenticationProvider. All MediaWiki cares about is that an
AuthenticationRequest can be converted into an AuthenticationResponse
that affirms the provided credentials are valid and indicates the
local User who should be considered the authenticated owner of the
current request.
Bryan
--
Bryan Davis Wikimedia Foundation <bd808(a)wikimedia.org>
[[m:User:BDavis_(WMF)]] Sr Software Engineer Boise, ID USA
irc: bd808 v:415.839.6885 x6855
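
The contract described in the message above, sketched as an added example (not code from the RfC or from MediaWiki). The class names come from the message; their fields and methods, the `ExternalDirectoryProvider` class, the `resolveLocalUser` function and the sample accounts are assumptions made for illustration, and PHP 8.1+ is assumed.

```php
<?php
// Hypothetical shapes: the message names these classes but does not define them.
final class AuthenticationRequest {
    public function __construct(public readonly array $fields) {}
}

final class AuthenticationResponse {
    private function __construct(
        public readonly bool $ok,
        public readonly ?string $localUsername
    ) {}
    public static function pass(string $local): self { return new self(true, $local); }
    public static function fail(): self { return new self(false, null); }
}

interface AuthenticationProvider {
    public function authenticate(AuthenticationRequest $req): AuthenticationResponse;
}

// The provider owns the credential -> local username association; core never sees it.
final class ExternalDirectoryProvider implements AuthenticationProvider {
    /** @param array<string, array{hash: string, local: string}> $accounts */
    public function __construct(private array $accounts) {}

    public function authenticate(AuthenticationRequest $req): AuthenticationResponse {
        $id = $req->fields['external_id'] ?? null;
        $pw = $req->fields['password'] ?? null;
        if (!is_string($id) || !is_string($pw) || !isset($this->accounts[$id])) {
            return AuthenticationResponse::fail();
        }
        $entry = $this->accounts[$id];
        return password_verify($pw, $entry['hash'])
            ? AuthenticationResponse::pass($entry['local'])
            : AuthenticationResponse::fail();
    }
}

// Core side: it only consumes the response, and still confirms the named user exists locally.
function resolveLocalUser(array $providers, AuthenticationRequest $req, array $localUsers): ?string {
    foreach ($providers as $provider) {
        $res = $provider->authenticate($req);
        if ($res->ok && in_array($res->localUsername, $localUsers, true)) {
            return $res->localUsername;
        }
    }
    return null; // no provider vouched for a known local user
}

// Constructed sample data.
$provider = new ExternalDirectoryProvider([
    'ext-4711' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'local' => 'Alice'],
]);
$req = new AuthenticationRequest(['external_id' => 'ext-4711', 'password' => 'correct horse']);
var_dump(resolveLocalUser([$provider], $req, ['Alice', 'Bob']));
```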