Page MenuHomePhabricator

Support background autologin in MediaWiki core
Open, Needs TriagePublic

Description

In most single sign-on systems, the user can be logged in to the site without any interaction, by freeriding on their existing central login. MediaWiki core does not support that, there are three kinds of approaches for handling it in extensions:

  • Send anonymous users to the login page when they visit the site, rely on the autologin feature (login page automatically gets submitted if it would consist of basically a single button) to make sure they never actually see that happening. (Done e.g. by the OpenID extension.)
  • Use some generic hook like BeforePageDisplay to load a script from the central login page which both serves as the mechanism for checking login status / setting local cookies and updates the current page to a logged-in state. (Done by CentralAuth.)
  • Use some generic hook like BeforePageDisplay to trigger a redirect on anonymous visits, sending the user to the central login page and back. Possible do it via some kind of background mechanism (iframe, invisible pixel) to be less disruptive. (Done by CentralAuth in non-JS fallback mode.)

It would be nice to support something like that in core instead of all extensions having to implement it in their own.