Have a user account that can be used in several (all) wikis.
see also: WikiPassport
Scenario
JohnDoe has an account in WikiA and visits WikiB. WikiB should treat JohnDoe as a known user and get some user prefs. Then he moves from WikiB to WikiC, in which he also doesn't have a user account.
Open questions
Most technical issues are solved. But there still are a lot of open questions about how this feature should work:
- Should the imported accounts be the same as manually generated accounts?
- What about name collisions?
- What about a shared home page?
- external home page feature needed?
- What about the email address? Simply ship it too?
- How to deal with the passwd hash? Other Moin engines could use it; other engines most likely could not.
- generate the account without a passwd?
- Is synchronization between the accounts a good idea?
Possible implementation
WikiPassport action
- without parameters:
- if logged in: Export account
- list of trusted wikis
- maybe an additional list of all wikis in the interwiki map
- maybe an additional text input for URLs
- Import account data
- list of wikis / URL text input
- with user, passwd
- if logged in: show UserPreferences with new values
- if not logged in: create new account
Data formats
see WikiPassport for some discussion
How to move the account from wikiA to WikiB?
- Use an URL parameter in links generated by WikiA
- add to all interwiki links
- or offer link list to all supported wikis (macro or action)
?user=MoinMoin:JohnDoe&key=761237162537 ?
key is a one-time pad or any other kind of secret
- How do you want to generate it? I think this is the most important issue of this topic - if it is not safe, you could read personal data or even passwords.
- simple solution would be SHA(UID + TIMESTAMP)
- for more security a random number could be used but this needs more bookkeeping
- Why does it need more bookkeeping? You have to store the timestamp as well.
- No you don't. You simply assume that the time doesn't change (or only changes by one).
- Then it is a static salt and not a timestamp.
WikiB checks if key is valid via xmlrpc call .getUser(username, key)
- WikiA and WikiB must know each other to resolve the interwiki names
- WikiA and WikiB must trust each other that they do not misuse the user data
- returns dict with user data or error message
- does not return password/password hash
- could return an "emailpasswd" instead of the email address that allows sending emails to the user via xmlrpc
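The random-number variant of the key and the getUser check on WikiA could look like the following. This is an added example, not code from MoinMoin or this page: the function names, the in-memory stores, the exported fields and the 60-second lifetime are assumptions, and WikiA is assumed to have already identified which trusted wiki is making the xmlrpc call.

```python
import hashlib
import hmac
import secrets
import time

KEY_TTL = 60  # seconds a key stays valid (assumed value)

# Constructed sample account store for WikiA; field names are hypothetical.
USERS = {
    "JohnDoe": {"name": "JohnDoe", "email": "john@example.org",
                "theme": "modern", "pw_hash": "{SHA}constructed-sample"},
}
EXPORTED_FIELDS = ("name", "theme")  # never the password or its hash

# The "bookkeeping": username -> (sha256 of key, target wiki, expiry time)
_pending = {}


def issue_key(username, target_wiki, now=None):
    """WikiA: create the one-time key put into the URL that leads to target_wiki."""
    if username not in USERS:
        raise KeyError(username)
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(32)  # 256 random bits, not derived from UID or time
    digest = hashlib.sha256(key.encode()).hexdigest()  # store only a hash of the key
    _pending[username] = (digest, target_wiki, now + KEY_TTL)
    return key


def get_user(username, key, calling_wiki, now=None):
    """WikiA: handler behind getUser(username, key); returns user dict or error."""
    now = time.time() if now is None else now
    entry = _pending.pop(username, None)  # pop first: any attempt uses the key up
    if entry is None:
        return {"error": "no pending key"}
    digest, target_wiki, expires = entry
    presented = hashlib.sha256(key.encode()).hexdigest()
    if not hmac.compare_digest(presented, digest):  # constant-time comparison
        return {"error": "invalid key"}
    if now > expires or calling_wiki != target_wiki:
        return {"error": "key expired or issued for another wiki"}
    user = USERS[username]
    return {field: user[field] for field in EXPORTED_FIELDS}
```

Because the key travels in a URL, it can end up in browser history, referrer headers and server logs, which is why it is single-use, short-lived and bound to the one wiki it was issued for.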
External login
User inserts InterWiki user name into WikiB and presses "login"
- WikiB redirects to WikiA (extended userform action?)
- params: username, interwikiname of external wiki (WikiB)
- if user is logged into WikiA (cookie)
- if user allowed transfer of user data (preferences): redirect to WikiB with user, key URL param
- else ask user if sending the account data is ok
- else ask user to authenticate then redirect to WikiB with user, key URL param
- proceed as above
Move account from WikiB to WikiC
Use URL parameter user=MoinMoin:JohnDoe without key
- WikiC redirects to WikiA
- proceed as in "External login"
Synchronisation
- Keep only pointer to "home account" or create a local account with copied data?
- Sync from time to time?