Page MenuHomePhabricator

User account which acts as OpenID identity must have also a password associated when $wgOpenIDOnly==true
Closed, ResolvedPublic

Description

A problem arises when a wiki with the OpenID extension is set to allow OpenID logins only ($wgOpenIDOnly=true), and when a user page url shall serve as OpenID identity to another (wiki, non-wiki) site, and when no password is set in the user's account.

The authentication process which is initiated by the other site then talks to our wiki with the extension and prompts the user for their password - if they are not logged in by cookie or session.

But there is no possibility for users to assign a password by themselves because normal logins are disabled when having $wgOpenIDOnly=true.

There is also no way to let simply a temporary password be mailed, because users cannot access the standard login page.

I will find a solution to this dilemma.

Also the theoretically possible solution "user must first login to the Wiki usign OpenID and "change" their password does not work, because this currently requires the knowledge of the "old" password - but there is no which is known to the user"

(filed for better tracking)


Version: unspecified
Severity: major
URL: http://www.mediawiki.org/wiki/Extension:OpenID#Using_a_MediaWiki_account_as_an_OpenID_.28MediaWiki_as_OpenID_Server.29
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=29135

Details

Reference
bz29027

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 11:35 PM
bzimport set Reference to bz29027.

fixed in r88848 .

When having the OpenID extension, the preference window basic information is changed. The section "Password" shows now links to

case i) Change Password and Reset Password:

if a password already exists

case ii) Reset Password only:

if no password has been set for this account yet, because the user opened their account by OpenID - which setPassword( null )

This is at least one possible way and avoids modification of Special:PasswordReset (there is no login page when only OpenID logins and account creations are possible ($wgOpenIDOnly==true) or Special:ChangePassword pages.