[xwiki-devs] [gsoc] Re: Single Sign-On project

[Markus Lanthaler]

Hi Thomas!

> I would say if OpenID is turned off then users created for OpenID or
> attached to OpenId are unusable to authenticate if they don't have any
> XWiki password. The default authenticator does not allows users to log
> with empty passwords, this is enough to protect them I think. This
> could be used when the administrator want to easily disable wiki
> modifications for maintenance for example.

Well, but that's not the only consequence. If you issue OpenID URLs (so that 
XWiki acts as the OpenID provider).. The users loose also access to all 
other websites where they used the XWiki OpenID URL. So we have to be very 
very careful about a "switch-off feature". I would suggest to enable/disable 
OpenID support during setup. If someone then really wants to turn it off he 
has to do that somehow manually (not through a GUI).


> If we want to support only OpenID, OpenID4Java seems the better way to
> do that in the short term for you to be sure to finish your GSOC. Now
> in the long term we would surely choose one of the framework available
> to easily add other supports latter I think... I seen that ESOE
> provide a generic Confluence / Jira Integrator but can't find any
> source/description.

Yes that's clear. The thing that I don't understand is how exactly you would 
see support of one of these frameworks!? Does that mean that such a 
framework will be bundled and shipped with XWiki by default or that it is 
just an option? The frameworks are quite complex and setting them up 
properly isn't so easy as it seems at the first moment.


>> If it's OK for you I would start creating the architecture and describe
>> detailed how I would like to implement OpenID support with a OpenID 
>> library
>> the next days. Then ask for some feedback on that and finally begin to
>> implement this. My last exam is next Monday (July, 7th) so afterwards I'm
>> finally free to work exclusively for XWiki :-)
>
> OK great.

Just to be sure: Does that means that it is OK to start with OpenID 
integration using OpenID4Java? Or do you prefer Netmesh? As far as I know 
OpenID4Java is kind of the standard library used. On the other side Netmesh 
supports also LID (a similar protocol to OpenID created by Netmesh).