Wikimedia (Wikipedia) single sign-on

Martin Atkins mart at degeneration.co.uk
Tue Jun 21 16:39:25 PDT 2005


Brion Vibber wrote:
> 
> Well, it's not related to OpenID to begin with. ;)
> 
> It would be interesting to support OpenID to allow off-site account
> verification for visitors from another wiki (as an OpenID consumer) and
> to allow such for our accounts on other sites supporting OpenID (as an
> OpenID producer), but that has no real bearing on our *internal*
> username space, which will almost certainly *not* be based on, using, or
> related to OpenID.
> 

While I certainly am not fanatically in favour of it, there isn't really
a technical reason why OpenID couldn't be used as the framework onto
which your single sign-on is based. It would provide the inter-server
protocol and save you implementing two separate but quite similar
protocols and implementations for exchanging logins between domains.

This fact can easily be hidden from the user by having a normal-looking
login form which just internally turns the entered username into
something like http://users.wikimedia.org/username/ and lets OpenID run
its course. Have the identity server always trust wikimedia's own
domains and the user won't be any the wiser. Give similar treatment to
the display of wikimedia-shaped identity URLs to make them appear as
first-class citizens.


I shan't try to claim that in your situation I'd implement it as above,
though. I'm far from the idealism necessary for that. More likely I'd
just have all of my MediaWiki installations share the same user and
session databases and use tiny inline frames on the login form to
transfer the session cookie automatically to the six (or so) other
domains with no further action from the user. Much easier.

I really just wrote the above for the benefit of anyone passing by
trying to solve a similar problem, to make it clear that there's not
really any technical reason why you can't pretend you're not using
OpenID if you want to.
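
The sketch below is an added example, not part of the original message or of any MediaWiki or OpenID code. It shows the three pieces the message describes: turning a typed username into an identity URL, letting the identity server skip its trust prompt only for the operator's own domains, and displaying local identity URLs as plain names. The function names and the domain list are assumptions; only users.wikimedia.org comes from the message.

```python
from urllib.parse import quote, unquote, urlsplit

IDENTITY_BASE = "http://users.wikimedia.org/"     # URL shape from the message
OWN_DOMAINS = ("wikimedia.org", "wikipedia.org")  # constructed sample list


def identity_url(username: str) -> str:
    """Turn the name typed into the login form into an identity URL."""
    name = username.strip()
    if not name or name in (".", ".."):
        raise ValueError("invalid username")
    # safe="" escapes "/", "?" and "#" so a name cannot change the URL's shape
    return IDENTITY_BASE + quote(name, safe="") + "/"


def is_own_site(consumer_url: str) -> bool:
    """True if the requesting site is on one of our own domains, so the
    identity server may approve without asking the user."""
    try:
        parts = urlsplit(consumer_url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # Match the exact domain or a dot-separated subdomain. A bare suffix
    # test would also accept look-alikes such as evilwikipedia.org.
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)


def display_name(url: str) -> str:
    """Show local identity URLs as plain usernames, anything else as a URL."""
    if url.startswith(IDENTITY_BASE) and url.endswith("/"):
        inner = url[len(IDENTITY_BASE):-1]
        if inner and "/" not in inner:
            return unquote(inner)
    return url


if __name__ == "__main__":
    url = identity_url("Jimbo Wales")
    print(url, "->", display_name(url))
    print(is_own_site("http://en.wikipedia.org/wiki/Special:Userlogin"))
    print(is_own_site("http://en.wikipedia.org@evil.example/"))
```

The host comparison is the part that carries the security weight: every consumer that passes it is approved silently, so it has to be an exact or dot-bounded match on the parsed hostname rather than a substring test on the raw URL.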


