OpenID provider

For support of non-MediaWiki applications, especially Toolforge, it would be nice to have an OpenID provider. This article is a planning document for adding a provider to the Wikimedia projects.

Summary
Every user has an identifier at Special:OpenIDIdentifier/<user-id> based on their user id. Their user page URL can also be used as an identifier, but it will delegate to their user-id-based URL. The OpenID provider also provides a discovery identifier URL at Special:OpenIDServer/id.

User-provided Identifiers
User provided identifiers will either be a claimed identifier, or the OpenID Provider Identifier.

OpenID Provider Identifier
The OpenID extension provides an identifier at Special:OpenIDServer/id that can be used to discover a user's claimed identifier.

Claimed Identifiers
A user's user page URL can be used as a claimed identifier. This claimed identifier will delegate to the OpenID Provider Local Identifier.

OpenID Provider Local Identifiers
Each user has a local identifier, based on their user id, located at Special:OpenIDIdentifier/<user-id>. This location can be rewritten to any required URL.

Summary
A user can provide their identity via their user page, or via a generic discovery URL. A relying party can discover a user's identifier by using the discovery URL.

Detailed explanation
Depending on the configuration of the relying party, authentication will be initiated in a few common ways:


 * 1) Claimed identifier
    * A user enters a user page URL into an OpenID form field
 * 2) OpenID Provider Identifier
    * A user clicks a link/image that initiates discovery of the user's identifier
 * 3) OpenID Provider Identifier
    * A relying party forces authentication via the provider identifier, which initiates discovery of the user's identifier

In the case of a user providing an identifier based on a user page, the user page will delegate the identity to an OpenID Provider Local Identifier; a user can also directly provide the OpenID Provider Local Identifier as a claimed identifier. In both other cases, the relying party will use the OpenID Provider Identifier to discover the user's OpenID Provider Local Identifier.
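The relying-party side of the three initiation modes above, as an added example that is not the MediaWiki OpenID extension's code: OpenID 2.0 discovery on a user page (claimed identifier with HTML delegation tags), on an OP-local identifier page, and on the OP Identifier's XRDS document, followed by the check a relying party must make before accepting a positive assertion. All documents are constructed inline and served from a dict instead of HTTPS; the endpoint path Special:OpenIDServer, the user name "Example" and the user id 12345 are assumptions.

```python
"""Relying-party (RP) side of OpenID 2.0 discovery for the three ways
authentication is initiated. Added example; not the extension's code.
Documents are constructed inline. The OP endpoint path, the user name
"Example" and the user id 12345 are assumptions."""
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

HOST = "https://login.wikimedia.org"
OP_ENDPOINT = HOST + "/wiki/Special:OpenIDServer"        # assumed endpoint path
OP_IDENTIFIER = HOST + "/wiki/Special:OpenIDServer/id"   # OP Identifier
USER_PAGE_URL = HOST + "/wiki/User:Example"              # claimed identifier (constructed user)
LOCAL_ID = HOST + "/ids/s1/12345"                        # OP-local identifier (constructed id)
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
SERVER_TYPE = "http://specs.openid.net/auth/2.0/server"
XRD_NS = "{xri://$xrd*($v*2.0)}"

# Constructed user page: HTML discovery tags delegating to the OP-local identifier.
USER_PAGE = (
    '<html><head><title>User:Example</title>\n'
    '<link rel="openid2.provider" href="' + OP_ENDPOINT + '">\n'
    '<link rel="openid2.local_id" href="' + LOCAL_ID + '">\n'
    '</head><body>user page</body></html>'
)
# Constructed OP-local identifier page: no local_id link, so it is its own OP-local id.
LOCAL_ID_PAGE = (
    '<html><head><link rel="openid2.provider" href="' + OP_ENDPOINT + '"></head>'
    '<body>identifier 12345</body></html>'
)
# Constructed XRDS for the OP Identifier: names only the endpoint, never a user.
OP_XRDS = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">\n'
    '<XRD><Service priority="0"><Type>' + SERVER_TYPE + '</Type>\n'
    '<URI>' + OP_ENDPOINT + '</URI></Service></XRD></xrds:XRDS>'
)
DOCUMENTS = {USER_PAGE_URL: USER_PAGE, LOCAL_ID: LOCAL_ID_PAGE, OP_IDENTIFIER: OP_XRDS}


def fetch(url):
    """Stand-in for an HTTPS GET; a real RP would also honour the XRDS
    content type and the X-XRDS-Location header (Yadis)."""
    return DOCUMENTS[url]


class _LinkRels(HTMLParser):
    """Collects <link rel=... href=...> pairs from the document head."""
    def __init__(self):
        super().__init__()
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attrs = dict(attrs)
        for rel in (attrs.get("rel") or "").split():
            self.rels.setdefault(rel, attrs.get("href"))


def discover(identifier):
    """Return (op_endpoint, claimed_id, op_local_id) for an identifier.

    An OP Identifier yields identifier_select for both identifiers: the RP
    learns only the endpoint and lets the OP pick the user (cases 2 and 3).
    A claimed identifier yields the delegated OP-local identifier (case 1)."""
    body = fetch(identifier)
    if body.lstrip().startswith("<?xml"):
        root = ET.fromstring(body)
        for service in root.iter(XRD_NS + "Service"):
            types = [t.text for t in service.findall(XRD_NS + "Type")]
            if SERVER_TYPE in types:
                return service.find(XRD_NS + "URI").text, IDENTIFIER_SELECT, IDENTIFIER_SELECT
        raise ValueError("no OpenID 2.0 server service in XRDS")
    parser = _LinkRels()
    parser.feed(body)
    endpoint = parser.rels.get("openid2.provider")
    if endpoint is None:
        raise ValueError("no openid2.provider link on %s" % identifier)
    return endpoint, identifier, parser.rels.get("openid2.local_id", identifier)


def assertion_matches_discovery(discovered, claimed_id, identity, endpoint):
    """RP check (OpenID 2.0 section 11.2) before accepting a positive assertion:
    the endpoint and identifiers in the response must equal what discovery on
    the claimed identifier produces, so an endpoint can only vouch for
    identifiers that delegate to it. After identifier_select the RP must
    re-discover the claimed identifier the OP chose; it had nothing to compare."""
    if discovered[1] == IDENTIFIER_SELECT:
        try:
            discovered = discover(claimed_id)
        except (KeyError, ValueError):
            return False
    return discovered == (endpoint, claimed_id, identity)
```

The re-discovery step in `assertion_matches_discovery` is what keeps the user-page delegation safe: a user page only delegates to an OP-local identifier under the proposed provider, and an assertion naming any other endpoint or identity for that page is rejected.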

Centralized identity location
Rather than running OpenID as a provider on all wikis/projects, we should have a centralized provider. This has a number of benefits:


 * 1) We can limit the OpenID extension to a single wiki
 * 2) Any changes needed in the future can be limited to a small set of URLs
 * 3) We can lock down the centralized wiki, even possibly making it read-only
 * 4) We could also centralize all authentication to this wiki in the future, pointing the login URLs of all other wikis/projects to this location
 * 5) We can also use this URL for OAuth trusts

Proposed identity URLs

 * Centralized wiki : https://login.wikimedia.org
 * User pages : https://login.wikimedia.org/wiki/User:<username>
 * OpenID Provider Local Identifiers : https://login.wikimedia.org/ids/s1/<user-id>

The proposal to use ids/s1/<user-id> for the OpenID Provider Local Identifiers is for the following reasons:


 * 1) Rewriting the URL to something non-MediaWiki specific makes it easier to change solutions in the future
 * 2) s1 = scheme 1. If we decide to change how we handle identifiers in the future, we can map old id schemes onto the new id scheme.
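Strict parsing of the proposed /ids/s1/<user-id> form, as an added example that is not the extension's or Wikimedia's code: the provider should only ever emit and acknowledge identifiers it owns, a relying party compares identifier strings exactly, and the scheme segment is the hook for mapping older id schemes onto a newer one. The scheme registry contains only s1 because the proposal defines no other; the internal rewrite target path /w/index.php?title=Special:OpenIDIdentifier/<user-id> is an assumption.

```python
"""Parsing, emitting and rewriting of the proposed OP-local identifier URLs.
Added example, not the extension's code. The rewrite target path is an
assumption; only the /ids/s1/<user-id> and Special:OpenIDIdentifier/<user-id>
forms come from the proposal."""
import re
from urllib.parse import urlsplit

IDENTITY_HOST = "login.wikimedia.org"
# One entry per identifier scheme, mapping the path segment to a user id.
# s1 is the proposed scheme: the segment is the numeric user id itself.
# A future scheme would add a key here so that old URLs keep resolving.
SCHEMES = {"s1": lambda segment: int(segment)}
LOCAL_ID_RE = re.compile(r"^/ids/(s\d+)/([0-9]{1,12})$")


def parse_local_identifier(url):
    """Return (scheme, user_id) for a well-formed OP-local identifier, else None.

    Scheme, host, path, query and fragment are all checked: the OP must not
    assert identifiers it does not own, and look-alike hosts or decorated
    URLs must never resolve to a real user."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc != IDENTITY_HOST:
        return None
    if parts.query or parts.fragment:
        return None
    match = LOCAL_ID_RE.match(parts.path)
    if not match or match.group(1) not in SCHEMES:
        return None
    return match.group(1), SCHEMES[match.group(1)](match.group(2))


def local_identifier(user_id, scheme="s1"):
    """Canonical OP-local identifier the provider emits for a user id."""
    if scheme not in SCHEMES or user_id <= 0:
        raise ValueError("unknown scheme or bad user id")
    return "https://%s/ids/%s/%d" % (IDENTITY_HOST, scheme, user_id)


def mediawiki_target(url):
    """Internal URL the web server would rewrite a valid /ids/ URL to
    (assumed path); None for anything that does not parse."""
    parsed = parse_local_identifier(url)
    if parsed is None:
        return None
    return "https://%s/w/index.php?title=Special:OpenIDIdentifier/%d" % (IDENTITY_HOST, parsed[1])
```

Because `local_identifier` and `parse_local_identifier` round-trip exactly, the string the provider asserts is the same string a relying party will see after discovery, which is what the exact-match comparison in OpenID 2.0 requires.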