Open matthijskooijman opened 6 years ago
From #5:
If we need single-sign-on for other applications, we can let them authenticate against Arta. We might use openid (which, I think, always requires explicit consent of the user to forward the authentication) or perhaps the CAS protocol (which, I think, can work transparently).
CAS is described at https://apereo.github.io/cas/5.2.x/protocol/CAS-Protocol.html and seems fairly simple (authentication redirects to the CAS server, which forwards back to the application, passing a token. The application makes a server-to-server connection to exchange the token for the user data, which is used to build the application's user session).
https://github.com/jbittel/django-mama-cas has a Django CAS server. It seems there are some client implementations for phpbb.
For providing single-sign-on for EE, we might want to turn Arta into an ID provider to allow other services (wipi, forum) to authenticate to it.
Data migration is an issue here. If we implement this from the start, importing all forum users (see #48) and connecting existing forum posts and accounts is easy; doing this later might become tricky.
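The redirect-and-validate exchange described above, as an added in-process example; this is not code from Arta, django-mama-cas or any phpbb client, and the `CasServer`/`CasClient` names, the service URLs and the `alice` record are constructed for the illustration. The client and server talk through direct function calls instead of HTTP, but the messages are the ones the CAS protocol specifies: a `/login?service=...` redirect, a service ticket handed back in `?ticket=ST-...`, and a back-channel `/serviceValidate` call answered with CAS XML. The three checks in `service_validate` (ticket consumed on first use, ticket bound to the service it was issued for, short expiry) are what the protocol requires of a CAS server and what a client should expect to fail when replayed.

```python
import secrets
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

CAS_NS = "http://www.yale.edu/tp/cas"   # namespace used by CAS 2.0/3.0 responses
TICKET_TTL = 10                          # seconds; the spec only says "short", assumed here


def ticket_from_url(url):
    """Pull the ?ticket=ST-... parameter out of the URL the browser was sent back to."""
    return parse_qs(urlsplit(url).query).get("ticket", [None])[0]


class CasServer:
    """Minimal CAS-style identity provider (the role Arta would take). Hypothetical."""

    def __init__(self):
        self.sessions = {}   # browser SSO cookie -> username (logged in at CAS)
        self.tickets = {}    # ST-... -> (service, username, issued_at)
        self.users = {"alice": {"email": "alice@example.org"}}   # constructed sample

    def login(self, sso_cookie, service):
        """GET /login?service=...: with a live CAS session, mint a one-time service
        ticket and return the redirect URL back to the application."""
        username = self.sessions.get(sso_cookie)
        if username is None:
            return None   # a real server would render the login form here
        ticket = "ST-" + secrets.token_urlsafe(24)
        self.tickets[ticket] = (service, username, time.time())
        sep = "&" if "?" in service else "?"
        return f"{service}{sep}{urlencode({'ticket': ticket})}"

    def service_validate(self, service, ticket, now=None):
        """GET /serviceValidate?service=...&ticket=...: the server-to-server call.
        The ticket is removed on first use (even if validation then fails), must
        match the service it was issued for, and must not be older than TICKET_TTL."""
        now = time.time() if now is None else now
        entry = self.tickets.pop(ticket, None)
        if entry is None:
            return self._failure("INVALID_TICKET", "ticket not recognized")
        issued_service, username, issued_at = entry
        if issued_service != service:
            return self._failure("INVALID_SERVICE", "ticket issued for another service")
        if now - issued_at > TICKET_TTL:
            return self._failure("INVALID_TICKET", "ticket expired")
        root = ET.Element(f"{{{CAS_NS}}}serviceResponse")
        ok = ET.SubElement(root, f"{{{CAS_NS}}}authenticationSuccess")
        ET.SubElement(ok, f"{{{CAS_NS}}}user").text = username
        attrs = ET.SubElement(ok, f"{{{CAS_NS}}}attributes")
        for key, value in self.users[username].items():
            ET.SubElement(attrs, f"{{{CAS_NS}}}{key}").text = value
        return ET.tostring(root, encoding="unicode")

    @staticmethod
    def _failure(code, message):
        root = ET.Element(f"{{{CAS_NS}}}serviceResponse")
        ET.SubElement(root, f"{{{CAS_NS}}}authenticationFailure", code=code).text = message
        return ET.tostring(root, encoding="unicode")


class CasClient:
    """The relying application (forum, wiki). It never sees a password. Hypothetical."""

    def __init__(self, server, service_url):
        self.server = server
        self.service_url = service_url

    def handle_callback(self, redirected_url):
        """Take the ticket from the callback URL, validate it over the back channel
        under *this* client's service URL, and build the local session from the
        returned user data. Returns the session dict, or None on any failure."""
        ticket = ticket_from_url(redirected_url)
        if ticket is None:
            return None
        root = ET.fromstring(self.server.service_validate(self.service_url, ticket))
        ns = {"cas": CAS_NS}
        success = root.find("cas:authenticationSuccess", ns)
        if success is None:
            return None
        attrs_el = success.find("cas:attributes", ns)
        attributes = {} if attrs_el is None else {
            el.tag.split("}", 1)[1]: el.text for el in attrs_el}
        return {"user": success.findtext("cas:user", namespaces=ns),
                "attributes": attributes}


def demo():
    """Full round trip for a browser already logged in at CAS, plus a replay of the
    same callback URL, which must be rejected because the ticket was consumed."""
    server = CasServer()
    server.sessions["cookie-abc"] = "alice"
    forum = CasClient(server, "https://forum.example.org/login/cas")
    redirect = server.login("cookie-abc", forum.service_url)
    session = forum.handle_callback(redirect)
    replay = forum.handle_callback(redirect)
    return session, replay


if __name__ == "__main__":
    print(demo())
```

A real deployment differs only in transport: the `service` URL and the `/serviceValidate` call go over HTTPS, and the client must pin the CAS server's URL in configuration rather than derive it from anything in the request, since the validation step is the only thing standing between a forged `?ticket=` parameter and a logged-in session.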