In Pyramid authentication, once you assign the cookie, subsequent requests have the following work to do:

- Read the cookie, decode it, and extract the user id
- The groupfinder callback then looks up in a database or something to get the principals associated with that user id

You can fake the groupfinder function and just return from an in-memory set of users and groups. The tutorial link below does that. But you still need an authentication policy which will extract and return a user id from the cookie. Here is an example of a custom authentication policy:

http://pyramid-cookbook.readthedocs.org/en/latest/auth/custom.html

It uses a helper for managing the cookie:

http://docs.pylonsproject.org/projects/pyramid/en/latest/_modules/pyramid/authentication.html#AuthTktCookieHelper

My guess is, you'll have to take ownership of a replacement cookie helper.

—Paul

> On Jul 4, 2015, at 10:03 AM, Matheo <[email protected]> wrote:
>
> I actually only check the signature of the named JWT cookie and if I can decode it, then allow the user to continue or not.
>
> But I'm not sure it's a good behavior; there isn't actually any match-test with the server. Shouldn't the userid be stored somewhere on the server side in order to make a match? If yes, where should I store it? I really can't find it reading Pyramid's code. (And I'm new to security.)
>
> Thank you!
>
> I will certainly paste the code once cleaned.
>
> On Thursday, July 2, 2015 at 16:32:35 UTC+2, Paul Everitt wrote:
>
> Is your JWTAuthTktCookieHelper successful in setting request.authenticated_userid?
>
> Pyramid keeps a pretty nice separation between authentication, permissions, and ACLs. I suggest you use this to your advantage. First, make sure that your authentication works and ignore authorization. Here's the step in the Pyramid quick tutorial that does authentication without worrying about authorization (or databases):
>
> http://docs.pylonsproject.org/projects/pyramid//en/latest/quick_tutorial/authentication.html
>
> If you can get that tutorial step working with your JWT-in-cookies (meaning, after login, you can print request.authenticated_userid), *then* worry about authorization and databases.
>
> —Paul
>
>> On Jul 2, 2015, at 9:33 AM, Matheo <[email protected]> wrote:
>>
>> Hello,
>>
>> I don't understand very well how authentication/authorization works with Pyramid. I mean, how does the server remember whether the user can access or not a classic route like this one, for instance:
>>
>> from pyramid.view import view_config
>>
>> @view_config(
>>     route_name='core/currentUser',
>>     renderer='json'
>> )
>> def current_user(request):
>>     # body added to complete the fragment
>>     return {'userid': request.authenticated_userid}
>>
>> # default permission already set to 'read':
>> config.set_default_permission('read')
>>
>> And after the user has already passed the login check function:
>>
>> import transaction
>> from pyramid.httpexceptions import HTTPUnauthorized
>> from pyramid.security import NO_PERMISSION_REQUIRED, remember
>> from pyramid.view import view_config
>>
>> @view_config(
>>     route_name=route_prefix + 'login',
>>     permission=NO_PERMISSION_REQUIRED,
>>     request_method='POST')
>> def login(request):
>>     user_id = request.POST.get('user_id', '')
>>     pwd = request.POST.get('password', '')
>>     # .first() returns None when there is no such user; .one() would raise
>>     # NoResultFound instead, so the `is not None` check below could never fire.
>>     user = DBSession.query(User).filter(User.id == user_id).first()
>>     if user is not None and user.check_password(pwd):
>>         headers = remember(request, user_id)
>>         response = request.response
>>         response.headerlist.extend(headers)
>>         transaction.commit()
>>         return response
>>     else:
>>         transaction.commit()
>>         return HTTPUnauthorized()
>>
>> Actually I want to overwrite the authentication system in order to use a JSON Web Token cookie.
>> This post presents what I want to do:
>> https://github.com/ajkavanagh/pyramid_jwtauth/issues/9 (mine)
>> I started, among other stuff, to write a JWTAuthTktCookieHelper class in order to keep more or less the AuthTktAuthenticationPolicy behaviors (remember function) but with a JWT cookie and through the JWTAuthenticationPolicy
>> <https://github.com/ajkavanagh/pyramid_jwtauth/blob/master/pyramid_jwtauth/__init__.py>
>> (optional, I can extend AuthTktAuthenticationPolicy). I'm not sure it's enough; I don't see how the permissions are kept server side, is it via a session?
>>
>> Hoping to be clear.
>> Thank you!
>>
>> (be back on Saturday)
>>
>> --
>> You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at http://groups.google.com/group/pylons-discuss.
>> For more options, visit https://groups.google.com/d/optout.
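As an added example, not code from this thread, from Pyramid, or from pyramid_jwtauth: the two per-request steps Paul describes (read and verify the cookie to get a user id, then ask the groupfinder for that id's principals) written as one self-contained policy. It does not import pyramid; the request is a stub exposing a `cookies` dict, the user table is a constructed in-memory dict standing in for the database, and the HS256 helpers, the secret and the cookie name are assumptions. The method names follow Pyramid's IAuthenticationPolicy interface, and `make_token`/`verify_token` play the role of the replacement cookie helper Paul mentions. The groupfinder is the server-side match Matheo asked about: a token with a valid signature still authenticates nobody if the account is unknown or disabled, and the verifier fixes the algorithm itself rather than trusting the token's `alg` header.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed in-memory stand-in for the user database a groupfinder would query.
USERS = {
    "alice": {"groups": ["group:editors"], "active": True},
    "bob": {"groups": ["group:editors"], "active": False},  # disabled account
}
SECRET = b"example-hmac-key-change-me"  # assumption: server-side HS256 key
COOKIE_NAME = "auth_jwt"                # assumption: cookie name


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(userid, secret, ttl=3600, now=None):
    """Mint an HS256 JWT carrying the user id; this is what remember() sets."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": userid, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token, secret, now=None):
    """Return the claims if `token` is HS256-signed with `secret` and unexpired,
    else None. The algorithm is fixed here, not read from the header, so an
    attacker-supplied `alg: none` (or any other alg) is rejected."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if not (isinstance(header, dict) and header.get("alg") == "HS256"):
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
            return None
        claims = json.loads(b64url_decode(p))
    except ValueError:  # wrong segment count, bad base64, bad JSON, non-ASCII
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("sub"), str):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def groupfinder(userid, request):
    """Pyramid-style callback, run on every request: the server-side check.
    Returns the user's group principals, or None when the account is unknown
    or disabled, in which case the cookie authenticates nobody."""
    user = USERS.get(userid)
    if user is None or not user["active"]:
        return None
    return list(user["groups"])


class JWTCookieAuthenticationPolicy:
    """Method names of Pyramid's IAuthenticationPolicy, duck-typed against a
    request object that exposes a `cookies` dict."""

    def __init__(self, secret, callback, cookie_name=COOKIE_NAME):
        self.secret = secret
        self.callback = callback
        self.cookie_name = cookie_name

    def unauthenticated_userid(self, request):
        # Step 1: read the cookie, check the signature, extract the user id.
        token = request.cookies.get(self.cookie_name)
        claims = verify_token(token, self.secret) if token else None
        return claims["sub"] if claims else None

    def authenticated_userid(self, request):
        # Step 2: the id only counts if the groupfinder still knows the user.
        userid = self.unauthenticated_userid(request)
        if userid is None or self.callback(userid, request) is None:
            return None
        return userid

    def effective_principals(self, request):
        principals = ["system.Everyone"]
        userid = self.unauthenticated_userid(request)
        groups = self.callback(userid, request) if userid is not None else None
        if groups is not None:
            principals += ["system.Authenticated", userid] + groups
        return principals

    def remember(self, request, userid, **kw):
        token = make_token(userid, self.secret)
        return [("Set-Cookie", f"{self.cookie_name}={token}; Path=/; HttpOnly; SameSite=Lax")]

    def forget(self, request):
        return [("Set-Cookie", f"{self.cookie_name}=; Path=/; Max-Age=0")]


class FakeRequest:
    """Minimal stand-in for a Pyramid request (assumption for this example)."""
    def __init__(self, cookies=None):
        self.cookies = dict(cookies or {})
```

Wiring this into a real app would mean `config.set_authentication_policy(JWTCookieAuthenticationPolicy(secret, groupfinder))` next to an authorization policy; the groupfinder is also the place to consult a revocation list if logouts must take effect before the token's `exp`.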
