On Fri, May 16, 2014 at 4:38 PM, MZMcBride <z...@mzmcbride.com> wrote:
> Chris Steipp wrote: > >Accounts are kinda namespaced, so github user foo and sul user foo can > >both have phabricator accounts. > > > >Since we're using OAuth though, that requires a global wiki account so > >local only accounts would not be able to join. So we probably need > >password or LDAP auth at minimum. > > I suppose you could rely only on global (in the CentralAuth extension > sense) accounts, but it really would make sense for Wikimedia to get its > own house in order first: we should finish fully unifying login across > Wikimedia wikis before delving into concurrent authentication systems. > > Yes, let's please. But that's another thread. I'm less concerned about non-unified accounts than I am about the other (much more obvious) problem of "how do we use Phabricator if the cluster is down." Ryan suggested Labs LDAP and I agree, it's a very sane fallback. It's very unlikely for the cluster *and* LDAP to be down at the same time, and if they are it's probably network-related and we'll be screwed on using Phabricator anyway. > I think this mailing list thread suffers from an analysis of what the > potential negative consequences of allowing third-party login are. The > positive to users (one less username and password to remember) is clearer > to see. What are the drawbacks of doing this? I'd like to see the pros and > cons outlined on mediawiki.org or meta.wikimedia.org. > > The positive side of "I can use one less login" is nice, don't get me wrong. I'm mostly worried about security issues in 3rd party implementations of oAuth that we can't control. I asked Chris S. about this earlier today and I hope he'll expand on this some more--especially concerning to me was the concrete example he gave with Facebook's own oAuth. Also he mentioned that Twitter's oAuth is known to be insecure in its implementation. Depending on how Github's oAuth is implemented that's the one I could see the strongest case being made for. Enabling all of them seems like it'll just make the login page cluttered with options used by about 1-2 people each but I could be wrong. -Chad _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
