Wikimedia (Wikipedia) single sign-on

Brion Vibber brion at
Sat Jun 18 17:44:48 PDT 2005

Rob Lanphier wrote:
> Regarding Wikimedia single sign-on:  The Wikimedia Foundation currently
> has the problem that there are a ton of different servers that they run,
> each with their own user databases (e.g. one for each language of
> Wikipedia, Wikibooks, Wikinews, etc).  They are looking to consolidate
> the authentication and user id namespace.
> There's a spec that's currently underway for this project:
> The log of our IRC conversation should show up here soon:
> I'm only marginally familiar with the OpenID specifications, but it
> looks like there's a good fit.

Well, I'm not totally sure that it is, but it's worth looking at. :)
There are several problems we're trying to solve/prevent/reduce:

1) Having to create an account on each project is annoying
2) Having to log in on each project is annoying
3) Malicious persons registering a username on another project to
impersonate a known user is annoying
4) Legitimate persons registering the same username on different
projects is annoying

Within the Wikimedia system, the simplest thing would have been to start
out with a shared user database for all our projects -- this avoids
problems 1, 3, and 4, and allows cookie transfer or whatever to deal
with 2 relatively transparently.

But sadly we didn't do that initially, and transitioning to such a
system creates conflicts that are difficult to resolve automatically
(with thousands of active users and hundreds of thousands of registered
accounts, manual resolution by admins is something we want to minimize).

The next simplest way is to create a new parallel user space which is
shared between all our projects, and encourage/force migration of
accounts to that shared space. This, too, is fraught with peril:

* If you allow a gradual migration rather than an immediate switch, how
do you visually distinguish account types? (if at all)
* How should usernames be displayed such that they don't suck?
* Where do user home pages go? Do you change the old links or do they
still work?

If we're trying to migrate all accounts, and we want the accounts to
feel natural on all our projects, then a 'foreign' URL-based reference
like [[User:Brion at]] is
going to suck supremely. :)

More generally though, support for OpenID for authenticating users
to/from outside our system would be useful. For example, the Los Angeles
Times recently set up some sort of editorial wiki site. When somebody
drops in and makes comments claiming to be Jimmy Wales, founder of
Wikipedia, it would be nice for Jimmy to be able to prove it (or an
imposter not to!) :)

So I certainly would like to see a future extension for using MediaWiki
sites as an OpenID producer (yes, so-and-so has this account at this
wiki) and consumer (yes, so-and-so editing here has that account at that
wiki). For this kind of 'foreign' authentication, a funky-looking magic
username would be acceptable more so than for our internal use.

I don't know if we could use it internally though.

-- brion vibber (brion @
Wikimedia Technical Whoozawhatsit

More information about the yadis mailing list