Topic on Extension talk:OpenID Connect

Summary by Cindy.cicalese

Authorization is extensible from the parent extension, PluggableAuth.

HerrTaschenbier (talkcontribs)

I'm currently facing the problem of needing to restrict the access to my wiki. I have an identity provider with multiple users, only some of them should be able to access the wiki. OpenID Connect (and my identity provider) supports authorization.

I'm currently evaluating possible solutions. If I'm not mistaken, this extension only supports authentication, but no authorization.

Is there generally a chance of getting authorization functionality with this extension? I might contribute code to this extension to implement this feature, if I decide that this is my best option. But before making this decision I would like to know if you want to have this feature at all or if this extension should just do authentication and nothing more.

Cindy.cicalese (talkcontribs)

This extension depends on Extension:PluggableAuth, which supports both authentication and authorization for exactly the scenario you describe: your identity provider can authenticate many users, but only a subset of them are authorized to use a given wiki. PluggableAuth can be configured with one authentication plugin and zero or more authorization plugins. There are currently two authorization extensions that work with PluggableAuth: Extension:Email Authorization and Extension:LDAP Authorization. And, it is not difficult to create your own authorization extension if your domain supports another authorization approach.
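
As an added illustration of the plugin model described above (example code written for this thread, not code from the OpenID Connect or PluggableAuth extensions): a minimal PluggableAuth authorization plugin that admits only users whose identity-provider group claim intersects an allow-list in LocalSettings.php. It relies on PluggableAuth's `PluggableAuthUserAuthorization` hook; the config name `$wgOidcAuthzAllowedGroups` and the session key `oidc_groups` (where some earlier step would have stored the group claim) are assumptions, since what claim data the OpenID Connect extension exposes to an authorization plugin is exactly the open point in this thread.

```php
<?php
// Added example: a PluggableAuth authorization plugin keyed on an OIDC group claim.
// Not part of the OpenID Connect or PluggableAuth extensions.
//
// Assumptions (labelled):
//  - PluggableAuth's "PluggableAuthUserAuthorization" hook hands the handler the
//    authenticated User plus a by-reference boolean $authorized.
//  - $wgOidcAuthzAllowedGroups (hypothetical setting) is the list of allowed groups.
//  - The session key 'oidc_groups' (hypothetical) holds the user's group claim,
//    put there by whatever exposes OIDC claims to authorization plugins.

use MediaWiki\MediaWikiServices;

class OidcAuthorizationHooks {

	/**
	 * Pure decision logic, kept separate from the hook so it can be unit-tested.
	 * Deny by default: an empty allow-list or an empty group claim admits nobody.
	 */
	public static function isAuthorized( array $userGroups, array $allowedGroups ): bool {
		if ( $allowedGroups === [] || $userGroups === [] ) {
			return false;
		}
		// Exact, case-sensitive match; normalise here if the IdP is not consistent.
		return array_intersect( $userGroups, $allowedGroups ) !== [];
	}

	/**
	 * Reads the group claim for the current request.
	 * Anything other than a list of strings is treated as "no groups" (deny).
	 */
	private static function getGroupClaim(): array {
		$request = RequestContext::getMain()->getRequest();
		$groups = $request->getSessionData( 'oidc_groups' ); // hypothetical key
		if ( !is_array( $groups ) ) {
			return [];
		}
		return array_values( array_filter( $groups, 'is_string' ) );
	}

	/**
	 * Hook handler. It only ever clears $authorized, never sets it to true, so a
	 * denial from another authorization plugin in the chain cannot be overridden.
	 * Returning true lets the remaining hook handlers run.
	 */
	public static function onPluggableAuthUserAuthorization( User $user, &$authorized ): bool {
		$config = MediaWikiServices::getInstance()->getMainConfig();
		$allowed = (array)$config->get( 'OidcAuthzAllowedGroups' ); // hypothetical setting
		$groups = self::getGroupClaim();

		if ( !self::isAuthorized( $groups, $allowed ) ) {
			$authorized = false;
			wfDebugLog( 'OidcAuthz',
				'denied ' . $user->getName() . ' with groups [' . implode( ',', $groups ) . ']' );
		}
		return true;
	}
}
```

The handler is registered like any other MediaWiki hook, in the plugin's extension.json under `"Hooks": { "PluggableAuthUserAuthorization": "OidcAuthorizationHooks::onPluggableAuthUserAuthorization" }`. The deny-by-default behaviour and the rule of never setting `$authorized` back to true are the two properties worth keeping whatever claim source you end up using.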

HerrTaschenbier (talkcontribs)

Thank you for your answer, I totally missed that. I was only looking at the OpenID extension and didn't think about PluggableAuth, because I'm using OpenID for authorization too.

Now that you explained this to me, this makes more sense to me. Authorization and authentication are two separate things, handled by two (or more) extensions, which allows more combinations. Like authentication via OpenID Connect but authorization via email address.

For my case, I would need to create an extension which handles authorization via OpenID Connect.

I'll take a look at it and decide.

Cindy.cicalese (talkcontribs)

Great! If you need any modifications to the OpenID Connect extension to make sure that sufficient information is available to your authorization extension without requiring additional network requests, feel free to propose a patch. It would be great if you were to open source your resulting authorization extension!