Develop/Single sign on
The OpenStreetMap project would ideally support single sign on across the editing interface, the wiki, and the other systems. Several different types of Accounts are in use. Unification of the logins/accounts would, of course, be a good idea. It has been discussed before, but it's a bit of development effort which hasn't happened yet. There are also complications around policies for changing user name.
A basic discussion of what is involved in any single sign-on scheme, technically, is here: https://lists.openstreetmap.org/pipermail/dev/2008-November/012859.html
People involved
It would be nice to have a list of persons who are actively working on this issue and what they are doing. Perhaps you should also make a note on the general People involved page.
- User:Lambertus successfully integrated the forum. It now requires a main OpenStreetMap account to post replies or start new discussions.
- Miurahr is the owner of OSM Japan, a Japanese promotion site. Miurahr 07:07, 7 August 2008 (UTC)
- User:Chriscf is having a stab at integrating the wiki - OSM AuthPlugin.
- This needs testing, and I've set up a test wiki to do just that. Chriscf 13:59, 29 September 2008 (UTC)
Services
For a list of services look at the Account page.
Proposals
OpenID
One proposal was to make everything support OpenID. This could run alongside, as an alternative login mechanism for people who want single sign on.
- For the wiki we'd just have to install the MediaWiki OpenID extension.
- For trac (bug tracker) we'd just have to install the trac OpenId plugin.
- For the main website there is a test branch running at openid.dev.openstreetmap.org that supports OpenID.
Some installation effort, but zero development effort.
(google for OpenID discussions)
Full on integration
All methods of the OSM Protocol require HTTP Basic authentication, i.e. the username and password are sent unencrypted (only Base64-encoded) in the Authorization request header of every request. See HTTP Protocol Specification#HTTP-Authentication for more detail.
You can try this out with your browser by calling the user/details method.
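The following is an added example, not code from the OSM project: it shows that a Basic credential can be decoded by anyone who sees the request, and it checks a list of requests for credentials sent over plain http://. The function names, the host osm.example, the path prefix and the credentials are assumptions constructed for illustration.

```python
import base64
import binascii
from urllib.parse import urlsplit


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header value a client sends with each request."""
    if ":" in username:
        raise ValueError("user-id must not contain ':' (RFC 7617)")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_auth(value: str) -> tuple:
    """Recover (username, password) from the header value; no key is needed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credential") from exc
    user, sep, password = raw.partition(":")  # the password may itself contain ':'
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def cleartext_basic_requests(requests):
    """Return (url, username) for requests exposing Basic credentials over http://."""
    findings = []
    for url, headers in requests:
        auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
        if auth is None or urlsplit(url).scheme.lower() != "http":
            continue
        try:
            user, _ = decode_basic_auth(auth)
        except ValueError:
            continue  # a different scheme (e.g. an OAuth token) or garbage
        findings.append((url, user))
    return findings


# Constructed sample requests: host, path prefix and credentials are made up.
SAMPLE = [
    ("http://osm.example/api/user/details", {"Authorization": basic_auth_header("mapper", "s3cret:pw")}),
    ("https://osm.example/api/user/details", {"Authorization": basic_auth_header("mapper", "s3cret:pw")}),
    ("http://osm.example/api/map", {}),
]

if __name__ == "__main__":
    print(cleartext_basic_requests(SAMPLE))
```

Only the first sample request is reported: the second carries the same header but over https://, and the third carries no credential.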
Some original notes by Rickm and Dee who were originally planning something:
Set up single sign on, base table in OSM
- Create Mediawiki extension to authorise via OSM, so only one username/pass are needed
Leaves a problem of matching emails to MW accounts and OSM "Display names".
- Create phpBB code to authorise via OSM. start of coding
- Make it so all sites use a single cookie to store sign on data, so only logging in once or less per session is needed
Kerberos
http://en.wikipedia.org/wiki/Kerberos_%28protocol%29
http://upload.wikimedia.org/wikipedia/de/2/25/Kerberos_schema.png
Kerberos support for Mozilla Browsers
http://negotiateauth.mozdev.org/
Apache Kerberos support
http://modauthkerb.sourceforge.net/
OAuth
OAuth may help us to achieve single sign on, although we will still encounter some of the tricky problems with usernames between the two systems. Essentially we will be implementing full on integration, with OAuth as the mechanism to pass tokens between the apps. OAuth is something we have implemented on OSM accounts anyway, for other reasons (for authorization of 3rd party apps). Using OAuth for single sign on with the wiki may now be possible.