On Fri, Feb 27, 2015 at 2:38 PM, Tyler Romeo <tylerromeo(a)gmail.com> wrote:
> and give the users' groups from the authorization
> provider.

Note we have no mention of this in the authentication RFC, since we're
being careful to separate *authentication* (authn) from *authorization*
(authz). We have vague plans to rework authz like we're doing authn here,
but we haven't done more than consider that a possibility for a future
project.

Under the current RFC, an extension that does both authn and authz would
presumably have its AuthenticationProvider store information in the session
that would be used later when authz is done (e.g. in the UserGetRights
hook).

--
Brad Jorsch (Anomie)
Software Engineer
Wikimedia Foundation