[wp-hackers] Single sign-on with Wordpress & Mediawiki

wordpress at santosj.name wordpress at santosj.name
Wed Oct 31 02:10:46 GMT 2007


My statement was not meant to be ambiguous, OpenID is only authenticating
that the user *owns* the identity, not meant to be a username/password
combination. There have been several talks on this very confusion. The
sites should hold on to the passwords and should only rely on the
authentication for small stuff, comment (instead of of Captcha, or some
other hackish question).

Passport was in fact a username/password combination with single sign on
meant to be used on online store sites. OpenID is not meant to be used
more than on simple tasks, like submitting comments on blogs and small
tasks. If you want something more powerful, you'll actually need to have
the user register and have a separate password for your site which both
you and the user know.

In that last case, no it would not be a single sign on, because you negate
it with the registering and separate password. You know the user is who
they say they are (their IDentity), unless they have a server that sends
back that everyone is who they say they are (which is bad).

You would not say, replace the administration account with OpenID account,
it has far too many permissions.

Jacob Santos

> On Tue, 30 Oct 2007 15:08:45 -0700, "Sneaks" <0vcqn5q02 at sneakemail.com>
> wrote:
>
>> Pardon my ignorance, but given the possible permissions/roles/groups
>> and UI management in each package, how well would a local OpenID
>> server handle these issues and pass authentication to each
>> application?
>>
>> I know the OpenID concept is ideally nice, but I'm more interested in
>> getting a traditional, seamless integration out of these disparate
>> packages. My main concern is the end-user's experience. Security
>> issues aside (not to minimize them), WP seems to make most of the
>> management and authentication process pretty painless.
>
> "Management" == authorization. Authentication != authorization.
>
> OpenID does indeed seem to have at least the capability to handle SSO[1]
> a la Passport (Windows Live ID)[2], despite an earlier claim that it did
> not[3]. If you'll forgive me for not having done my homework, I actually
> had a little trouble tracking down the specs[4] yesterday (I blame sleep
> deprivation ;).
>
> It does not -- and should not -- have any hold on authorization,
> though. That's a per-service thing. Having a standard to allow for
> central management would be nifty, but that wasn't how this discussion
> started out.
>
>
> --
> Travis
>
> In Series maintainer
> Random coder & quality guy
> <http://remstate.com/>
>
> [1]
> http://openid.net/specs/openid-authentication-1_1.html#mode_checkid_immediate
> [2] http://en.wikipedia.org/wiki/Windows_Live_ID
> [3] "OpenID isn't a solution for username/password combinations."
> http://comox.textdrive.com/pipermail/wp-hackers/2007-October/015806.html
> [4] http://openid.net/developers/specs/
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>




More information about the wp-hackers mailing list