[00:21:50] csteipp: that line only gets called if the consumer key is not provided explicitly as a URL parameter
[17:13:40] csteipp (also tgr|away): Regarding PasswordDomainAuthenticationRequest, can we just kill it entirely and rewrite LDAPAuth to use usernames like "user@domain" (or "user%domain" or "user#domain" or "domain >>> user" or whatever) instead? A case like wikitech could interpret just "user" by appending a default domain.
[17:14:08] anomie: I'd support that
[17:14:34] Maybe ping Ryan_Lane and check, but I think it should be fine
[17:20:52] csteipp: I replied to your other comments on https://gerrit.wikimedia.org/r/#/c/195297/, BTW. Feel free to reply there or here.
[21:58:49] anomie: seems awkward to me, you would need to magic back a select widget in the UI somehow if you want to make it user-friendly
[21:59:35] plus, the same local user might have a local password and a linked LDAP account with a domain password, in which case having two different usernames for the same user is a bit confusing
[22:01:34] tgr: I don't know, people who have to use domains would just know that they log in as "user@domain" rather than just "user". True, having two usable names for the same user could be confusing, but OTOH this whole "domain" thing is probably confusing anyway.
[22:03:17] LDAP is confusing, but there are auth plugins (no idea how widely used though) which would use a domain parameter but are easy to understand conceptually
[22:03:39] like the one that forwards your password to a remote MediaWiki
[22:04:01] (which is a horrible thing to do security-wise but people use it nevertheless)
[22:05:16] in those cases a dropdown with "local wiki" and "English Wikipedia" is a lot easier to understand than SomeUser and SomeUser@en.wikipedia.org
[22:06:43] OTOH Google Apps uses user@domain usernames and no one seems confused by it...
[22:07:42] @ isn't allowed in new usernames in MW
[22:07:54] because we use it as a delimiter for interwiki userrights
[22:08:05] (which I think is silly, we should just have two input boxes)
[22:09:21] The only confusing bit would be if you could use "Bob" and "Bob@somewhere" to log in to the same account. OTOH, with ldap there's already the possibility that you could log into "Bob" as "Bob@domain1" or "Bob@domain2", so maybe it's not any worse.
[22:10:42] legoktm: We're discussing getting rid of the separate domain dropdown for LdapAuthentication in favor of making the user type "user@domain" into the username box. (and for wikitech we'd have it assume "user@labs" if just "user" with no @ is typed in)
[22:11:00] ooh
[22:11:27] so like how google assumes @gmail.com, but you can specify an explicit domain for google apps?
[22:11:43] Google assumes @gmail.com? Then yes, like that.
[22:16:00] sounds like a good idea to me
[22:16:10] people always find the domain box on wikitech confusing
[22:16:57] tgr: Anyway, if someone wants to make a "forwards your password to a remote MediaWiki" extension they could always make an AuthenticationRequest with the extra field, and done sanely instead of the weird hacky way PasswordDomainAuthenticationRequest works because it's trying to be general enough to implement AuthPlugin.
[22:31:23] @ isn't allowed in new usernames in MW
[22:31:27] I think some old usernames still have it?
[22:31:32] yes
[22:33:38] (which I think is silly, we should just have two input boxes)
[22:33:47] It's not that simple, because existing log entries.
[22:33:56] no, just for the intput part
[22:34:00] input even
[23:59:28] dapatrick: any unpleasant surprises in oyejorge/less.php so far?