Hello,

Yannick Gingras wrote:
> First things first, I need to pick an authentication and authorization
> solution. Last time I checked, around December, Authkit had a fancy
> decorator syntax but it was a bit ill documented and featured many
> strange ways of authentication that obscured the most straightforward
> solution for most people. For that reason, many went the way of
> rolling their own authentication. Has anything changed since then?

Not really. I should say that AuthKit is a great tool, but only up to some degree. Since it is written by a genius, you need a genius to support it. Since AuthKit's author has many other problems/works to do, AuthKit becomes a second-class citizen.

The main authentication mechanism I'm using is OpenID. AuthKit's OpenID implementation is terrible. I have sent some patches to the author, but later I saw that it is impossible to fix some problems at all. E.g. in order to set cookie expiry properly you should set two arguments to the same delta or date, because the AuthKit OpenID handler uses two session objects (while one is named cookie handler).

How have I solved this problem? I have decided to split AuthKit into several independent parts. I was not going to reveal my work to the public yet, but because you have raised this question, here is what I have now (the main problem is that it is even worse documented than AuthKit):

http://hg.sandbox.lt/authopenid-middleware/ - OpenID authentication WSGI middleware. The main thing I'm working on. I have written a Trac OpenID plugin, so I'm just moving my experience from one product to another.

http://hg.sandbox.lt/openidprovider-middleware/ - OpenID provider WSGI middleware. I have written this one to be able to unit-test authopenid-middleware, while it is possible to extend this one into a product of its own. Here are examples of two OpenID servers: http://hg.sandbox.lt/openidprovider-middleware/file/tip/examples/ - one allows everything, the other demonstrates a combination of several middlewares (I must say I began *LOVING* WSGI).

http://hg.sandbox.lt/authform-middleware/ - Form authentication WSGI middleware. Very simple middleware demonstrating how easy it is to write authentication middleware. Very early stage.

http://hg.sandbox.lt/authorize-middleware/ - authorize middleware. Very early stage.

And again I will say that AuthKit is an amazing piece of software and you can use AuthKit authorization mechanisms with my authentication middlewares.

The main problem is that I don't yet have a clear vision of how middlewares should be written properly and how they should pass information to other middlewares.
If you have time to analyze my middleware you can see that I have a slightly different vision of how authentication middlewares should work. What I would like to see is some standardization of authentication middleware. Authorization is the easy part when you have authentication implemented properly. Standardization would allow Pylons' users not to depend on one authentication/authorization vendor (AuthKit in this case).

In general I invite everyone to discuss this problem because it is a really serious problem in Pylons. If you like my approach, I invite you to take up work on one of my middlewares (because I'm a busy person as well) and fork it. That's what open source is about and what a distributed VCS (in this case Mercurial) allows us to do, after all. That's why I have split AuthKit - because it is too complicated to support it (written by a genius, and the author is a busy person).

> I will need to support both basic HTTP authentication for our RESTful
> API and "forward style" auth for our "human" web interface. Users are
> going to come from either the application database or from LDAP. It's
> OK to use PAM as a proxy to LDAP since that generally makes
> configuration a bit less ugly. (Can we configure auth with PAM on
> MacOS?) I liked Authkit's decorator syntax; if there is anything
> simple like that, it would be great.

Use AuthKit. As I have said, it is easy to implement authentication middleware and make it compatible with AuthKit authorization (decorators). It seems you will need to write one because there is no (or at least I have not seen) LDAP authentication middleware. While for authorization use AuthKit (or join my work on http://hg.sandbox.lt/authorize-middleware/).

Regards,
Dalius
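A small authentication middleware of the kind the reply describes, for the HTTP Basic case raised in the quoted question, as an added example that is not code from this thread, from AuthKit or from the linked repositories: it verifies credentials and hands only `REMOTE_USER` to whatever sits downstream. That the authorization layer reads `REMOTE_USER` from the WSGI environ is an assumption; `BasicAuthMiddleware`, `hash_password`, `whoami`, `request` and the sample account are hypothetical names.

```python
import base64, hashlib, hmac, os

def hash_password(password, salt):  # PBKDF2-HMAC-SHA256; iteration count is illustrative
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

class BasicAuthMiddleware:
    """Authenticate with HTTP Basic, then publish the identity as REMOTE_USER."""
    def __init__(self, app, users, realm="api"):
        self.app, self.users, self.realm = app, users, realm  # users: {name: (salt, hash)}

    def authenticate(self, header):
        scheme, _, token = header.partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except ValueError:  # malformed base64 or invalid UTF-8
            return None
        username, sep, password = decoded.partition(":")  # password may contain ':'
        if not sep:
            return None
        # Hash even for unknown users so response time does not reveal valid names.
        salt, expected = self.users.get(username, (b"\0" * 16, b""))
        candidate = hash_password(password, salt)
        return username if hmac.compare_digest(candidate, expected) else None

    def __call__(self, environ, start_response):
        user = self.authenticate(environ.get("HTTP_AUTHORIZATION", ""))
        if user is None:
            body = b"Authentication required\n"
            start_response("401 Unauthorized", [
                ("WWW-Authenticate", 'Basic realm="%s"' % self.realm),
                ("Content-Type", "text/plain"), ("Content-Length", str(len(body)))])
            return [body]
        environ["REMOTE_USER"] = user  # assumed contract with the authorization layer
        return self.app(environ, start_response)

def whoami(environ, start_response):  # stand-in for the protected application
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["REMOTE_USER"].encode("utf-8")]

def request(app, authorization=""):  # drive a WSGI app once, return (status, body)
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
               "HTTP_AUTHORIZATION": authorization}
    seen = []
    body = b"".join(app(environ, lambda status, headers: seen.append(status)))
    return seen[0], body

SALT = os.urandom(16)  # constructed sample account, not from the original thread
DEMO = BasicAuthMiddleware(whoami, {"alice": (SALT, hash_password("s3cret:pw", SALT))})
```

Because the protected application only ever sees `REMOTE_USER`, the user store behind `authenticate` (application database, LDAP, PAM) can be swapped without touching the authorization side.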
