Thread:Talk:Requests for comment/AuthManager/Feedback/reply (3)

Your use of "authentication" and "authorization" is confusing, as often happens when thinking about authn and authz. You can often break down "authn" into further "authn+authz" pieces to the point of craziness like "authn says 'This user is Anomie' and authz says 'This user is allowed to be Anomie, based on the password they supplied'". It sounds to me like you may have broken things down to that point. From MediaWiki's perspective both authenticating the user against the central identity manager and checking if that centrally-authenticated user is authorized to access this wiki are part of authn, so why not just do both steps inside a single AuthenticationProvider? But if you didn't want to do it that way, you could have your first step be the PrimaryAuthenticationProvider and your second step be a SecondaryAuthenticationProvider to fit into the model of this RFC.

You might still need an authz component to your extension if the central identity provider also has functionality like CentralAuth's global groups, but that's outside the scope of the current RFC.
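The two layouts described in this reply, modelled in Python as an added example; it is not part of the original post and not MediaWiki code. The class names, the `login` function, the PASS/FAIL/ABSTAIN strings and the sample users are assumptions made for illustration. Both layouts end in the same result: no session unless the central check and the per-wiki check both pass.

```python
import hashlib
import hmac

PASS, FAIL, ABSTAIN = "PASS", "FAIL", "ABSTAIN"
SALT = b"constructed-salt"  # constructed; a real store uses a per-user salt

def _digest(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed sample data: central identity store and per-wiki access list.
CENTRAL_USERS = {"Anomie": _digest("correct horse"), "Guest": _digest("guest pw")}
WIKI_ACCESS = {"privatewiki": {"Anomie"}}

class CentralPrimary:
    """Step 1: verify credentials against the central identity manager."""
    def begin(self, wiki, username, password):
        stored = CENTRAL_USERS.get(username)
        if stored is None:
            return ABSTAIN  # not our user; let another primary try
        return PASS if hmac.compare_digest(stored, _digest(password)) else FAIL

class WikiAccessSecondary:
    """Step 2: is the centrally authenticated user allowed on this wiki?"""
    def begin(self, wiki, username):
        return PASS if username in WIKI_ACCESS.get(wiki, set()) else FAIL

class CombinedPrimary(CentralPrimary):
    """Alternative layout: both steps inside a single provider."""
    def begin(self, wiki, username, password):
        result = super().begin(wiki, username, password)
        if result == PASS and username not in WIKI_ACCESS.get(wiki, set()):
            return FAIL
        return result

def login(wiki, username, password, primaries, secondaries=()):
    """Return the username on success, None otherwise (fails closed)."""
    for provider in primaries:
        result = provider.begin(wiki, username, password)
        if result == FAIL:
            return None
        if result == PASS:
            break
    else:
        return None  # every primary abstained
    for provider in secondaries:
        if provider.begin(wiki, username) != PASS:
            return None
    return username
```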