Ok, just sharing in the hopes of feedback. My latest thought for shared auth is something like this:
SSO Login app - Pyramid app that handles the login process, has a db for looking up users and groups - after lookup, creates a JWT that stores the user id and list of principals.

Other Apps - have a middleware layer that decodes the JWT token, checks it, and then puts the user id and the list of principals into the WSGI env, much the way repoze.who does - main app(s) use a RemoteUserAuth policy, handle ACLs from the info in the WSGI env *only*.

I like this right now (in my ignorance, lol) because our main apps can be completely ignorant of where identity comes from and if we change schemes, we only have to swap out middleware. But I'm quite possibly still on Mount Stupid. (http://www.smbc-comics.com/?id=2475)

So comments welcome!

thanks
iain

--
You received this message because you are subscribed to the Google Groups "pylons-discuss" group. Visit this group at http://groups.google.com/group/pylons-discuss.
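The middleware layer sketched above, written out as an added example that is not part of the original post or of repoze.who: a stdlib-only WSGI middleware that verifies an HS256 JWT and places the user id and principals into the environ for a RemoteUser-style policy. The shared secret, claim names (`sub`, `principals`, `exp`) and the `auth.principals` environ key are assumptions.

```python
# Added example, not from the original post: a stdlib-only WSGI middleware that
# verifies an HS256-signed JWT and exposes the user id and principals through the
# WSGI environ, the way repoze.who does. Secret, claim and environ key names are assumed.
import base64, hashlib, hmac, json, time

SHARED_SECRET = b"constructed-demo-secret"  # assumption: shared out-of-band with the SSO app

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(user_id, principals, secret=SHARED_SECRET, ttl=300, now=None):
    """What the SSO login app would mint (constructed helper, HS256 only)."""
    now = time.time() if now is None else now
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(
        {"sub": user_id, "principals": principals, "exp": int(now + ttl)}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token, secret=SHARED_SECRET, now=None):
    """Return (user_id, principals) or None; checks alg, signature and expiry."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # the token does not get to choose the algorithm ("none" etc.)
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # signature mismatch: forged or signed with another key
        claims = json.loads(_b64url_decode(payload_b64))
        if claims.get("exp", 0) <= (time.time() if now is None else now):
            return None  # expired
        return claims["sub"], list(claims.get("principals", []))
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed token: treat as unauthenticated

class JWTAuthMiddleware:
    """Decodes the bearer token once, then lets the app rely on environ only."""
    def __init__(self, app, secret=SHARED_SECRET):
        self.app, self.secret = app, secret

    def __call__(self, environ, start_response):
        auth = environ.get("HTTP_AUTHORIZATION", "")
        result = verify_token(auth[7:], self.secret) if auth.startswith("Bearer ") else None
        if result is not None:
            environ["REMOTE_USER"], environ["auth.principals"] = result
        return self.app(environ, start_response)
```

A request without a valid token simply reaches the app with no `REMOTE_USER`, so the RemoteUser policy treats it as anonymous rather than failing open.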
