originally filed in https://www.mediawiki.org/wiki/Extension_talk:OpenID#x.24wgOpenIDTrustRoot_35640
Version: master
Severity: normal
| Status | Subtype | Assigned | Task |
|---|---|---|---|
| Open | Feature | None | T66475 Make crosswiki bits and pieces truly global (tracking) |
| Declined | Feature | None | T15631 Wikimedia should become an OpenID provider |
| Declined | | None | T31254 [SUGGESTION] Expose group memberships for query through OpenID teams extension |
| Declined | | Wikinaut | T25735 Allow different user grouping for OpenID users |
| Declined | | None | T61631 Enable Facebook login on Wikimedia wikis |
| Declined | | None | T11604 Get OpenID extension to a state where it could be used on Wikimedia projects as a provider |
| Invalid | | Wikinaut | T59478 MediaWiki as OpenID server: make $wgOpenIDTrustRoot protocol-independent |
The question is whether making it protocol-independent is really safe.
We are talking about the server-side implementation (MediaWiki as OpenID Server).
When the MediaWiki can be accessed via http: _and_ https: in the same way, then the consumer should trust one of them, not both, because the server could deliver different services depending on whether it is accessed via http or https.
So I changed my mind and think that the $wgOpenIDTrustRoot value should _always_ reflect the actual way a consumer has authenticated.
Closing as INVALID.
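To show why a trust root (realm) has to carry the scheme, here is an added example, written in Python rather than taken from the OpenID extension's PHP, of the OpenID 2.0 realm-matching rules (spec section 9.2): the scheme and effective port must match, the host may use a leading `*.` wildcard, and the path must be equal to or below the realm's path. The host names and ports are constructed sample values; a realm written without a scheme, as a "protocol-independent" $wgOpenIDTrustRoot would be, matches nothing.

```python
from urllib.parse import urlsplit

# Effective ports used for comparison: "https://host/" and "https://host:443/"
# denote the same realm.
DEFAULT_PORTS = {"http": 80, "https": 443}


def _host_matches(url_host: str, realm_host: str) -> bool:
    """A realm host may start with '*.'; the URL host must then be the base
    domain itself or end with '.' + base domain (so 'evil-example.org' does
    not match '*.example.org')."""
    if realm_host.startswith("*."):
        base = realm_host[2:]
        return url_host == base or url_host.endswith("." + base)
    return url_host == realm_host


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """Return True if return_to lies inside realm (OpenID 2.0, section 9.2).

    The scheme is compared, never ignored: an https realm does not cover an
    http return_to, and a scheme-less realm such as "//host/" is rejected.
    """
    rt, rl = urlsplit(return_to), urlsplit(realm)
    # Scheme must be present and identical; realms must not carry a fragment.
    if not rl.scheme or rt.scheme != rl.scheme or rl.fragment:
        return False
    try:
        rt_port = rt.port or DEFAULT_PORTS.get(rt.scheme)
        rl_port = rl.port or DEFAULT_PORTS.get(rl.scheme)
    except ValueError:  # malformed port such as ":abc"
        return False
    if rt_port != rl_port or not rt.hostname or not rl.hostname:
        return False
    if not _host_matches(rt.hostname, rl.hostname):
        return False
    # Path must equal the realm path or be a sub-directory of it.
    realm_path = rl.path or "/"
    rt_path = rt.path or "/"
    return rt_path == realm_path or rt_path.startswith(realm_path.rstrip("/") + "/")
```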