On Sep 8, 2010, at 1:27 PM, Stephen Waterbury wrote:

> Neither the OP nor Glyph use the term
> "authorization" in either of their messages, but that concept
> is clearly involved and is almost always useful for
> clarification.

The checker authenticates; the realm authorizes. Authorization proceeds from the realm's idea of what a particular avatar ID (and, apparently, mind, as laurens has discovered this particular loophole in the API) is authorized to do; authentication proceeds from what the checker thinks makes some credentials valid. As you put it:

> Once that interaction is complete, the app knows
> the identity associated with the TGT has been authenticated, and
> it can proceed with authorization, which of course depends on
> each application's context, and is completely separate from
> authentication.

replace "application" with "realm" here and that's basically how twisted.cred works. The reason I didn't use the term authorization in my original message is that we're talking about an authentication protocol, and hopefully authorization can stay out of it :).

_______________________________________________
Twisted-Python mailing list
[email protected]
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
