[wp-hackers] Single sign-on with Wordpress & Mediawiki

Jacob wordpress at santosj.name
Sun Oct 28 23:30:03 GMT 2007

Travis Snoozy wrote:
> On Sun, 28 Oct 2007 15:21:01 -0700, "Robin Adrianse"
> <robin.adr at gmail.com> wrote:
>> I'm talking about real-life, apparently...
> I reject your reality and substitute my own. ;)
>> the possibility of having standards for these kinds of things is pretty
>> slim. Very slim, in fact. Anyone who says otherwise (OpenID) is a bit
>> of an optimist to say the least. OpenID, while a great idea, isn't
>> going to catch on easily with the general public. A tool with only a
>> few geeks (technologically aware people) using it isn't going to make
>> a huge impact.
> That's another issue altogether. OpenID is for a larger problem space
> (single sign-on *across sites*), and that idea has already been shown
> to be more-or-less a bust (can you say Passport?).

Stop. Passport had more drastic issues than that and should not be 
referenced based on Passport. The primary reason it failed can be 
researched, but regardless, subsequent security issues didn't help. 
OpenID isn't a solution for username/password combinations.

> From what I'm hearing, the current practice (hacking up a whole bunch
> of products as-needed so that they work off the same auth tables) is
> just one step away from this. Just abstract the auth logic out into a
> couple function calls, and voila -- you have a unified (single-site)
> auth architecture. It's a whole hell of a lot easier to write it
> once to patch into products vs. rewriting the whole thing for every new
> integration. It's not idealistic, it's pragmatic.
This in theory makes sense, but no one is going to do it. Good luck anyway.

The solution is not to revert to a standard where everyone uses the same 
library/function calls, but to offer an API, like WordPress does for cross 
web app authentication. Several major applications already do this by 
way of creating specific cookies or calling a web application specific 

The problem is that web applications can know or don't care which 
primary web application the user chooses. They can't spend the time on 
that. Their primary concern is allowing for others to use their methods 
(functions/classes) for single site sign on.


Jacob Santos

http://www.santosj.name - blog
http://wordpress.svn.dragonu.net/unittest/ - unofficial WP unit test suite.

Also known as darkdragon and santosj on WP trac.
