[xwiki-devs] [gsoc] Re: Single Sign-On project

[Markus Lanthaler]

>> * How should the issued OpenID URLs look like?
>> http://www.xwiki.org/xwiki/bin/view/XWiki/UserName seems to be to long 
>> for
>> me. Something like http://www.xwiki.org/user/UserName would be much 
>> better
>> in my opinion. What do you think? Would that be possible with the 
>> existing
>> architecture?
>
> Yes. We can simply map these url to openid servlet in web.xml, I think.

Great


> Also I think we can provide openid account per virtual xwiki for it's
> owner. So for example wiki owners at myxwiki.org will get openid
> accounts like servername.myxwiki.org
> (And I want openid account amelentev.myxwiki.org :))

I would say that's just another "mapping". It would be nice to have all 
OpenIDs as subdomains but I don't know if this is feasible. I think a lot of 
users of XWiki can't create subdomains easily or don't even possess a 
domain!?


>> * What about user recycling, i.e. if a user (Alice) deletes his account 
>> and
>> another one (Bob) creates an account with the same user name afterwards 
>> what
>> should happen? Bob would be able to log-in to all sites on which Alice 
>> used
>> her XWiki account. Yahoo for example solves this by appending a fragment
>> like #fk32j to each OpenID. So the OpenID URL
>> http://www.xwiki.org/user/UserName would become
>> http://www.xwiki.org/user/UserName#fragment
>
> -1
> It dirties a clean openid url. And I don't want to memorize this
> fragment. :)
> Maybe there is some other way to resolve this problem? I think it is.
> For example store some key in openid account and openid consumers also
> check this key when signin. When openid account recreated, key is
> changed. Maybe there is something similar in openid standard?

Well, actually you don't have to remember it. With OpenID 2.0 you don't even 
have to input your whole OpenID. Inserting xwiki.org should be enough. I 
don't know of any other feature that would solve the account recycling 
problem.