Confirmed users
358
edits
Services/Authentication: Difference between revisions
no edit summary
(Created page with "{{draft}} = Authentication = == Goal == To allow services apps to authenticate users in a flexible and secure fashion. To ensure apps don't take the "easy way out" and use in...") |
No edit summary |
||
| Line 6: | Line 6: | ||
To allow services apps to authenticate users in a flexible and secure fashion. | To allow services apps to authenticate users in a flexible and secure fashion. | ||
To let us swap in different authentication schemes without changing application code. | |||
To ensure apps don't take the "easy way out" and use insecure schemes like HTTP Basic Auth. | To ensure apps don't take the "easy way out" and use insecure schemes like HTTP Basic Auth. | ||
| Line 14: | Line 16: | ||
In code, the user is represented by a dict of their user data. It will always include the keys "username" and "userid". Applications may also arrange for other keys to be loaded into this dict. | In code, the user is represented by a dict of their user data. It will always include the keys "username" and "userid". Applications may also arrange for other keys to be loaded into this dict. | ||
== Workflow == | == Workflow == | ||
| Line 92: | Line 92: | ||
If no backend is in use (e.g. because users are being authenticated against a third-party service) then these objects will be None. | If no backend is in use (e.g. because users are being authenticated against a third-party service) then these objects will be None. | ||
== Configuration == | |||
== | To use the default authentication setup, you need only configure a user backend. In your application config file, create an "auth" action like this: | ||
[auth] | |||
backend = services.user.sql.SQLUser | |||
sqluri = sqlite:////tmp/account.db | |||
The default configuration will interrogate the backend to see what auth schemes it supports, and will provide all of them. | |||
Finer control over the different stages of authentication can be achieved by configuring individual repoze.who plugins. TODO link to config description. For example the following configuration with authenticate against the user backend using *only* digest authentication. | |||
[who.plugin.digest] | |||
use = repoze.who.plugins.digestauth:make_plugin | |||
realm = 'Sync' | |||
[who.plugin.backend] | |||
use = services.whoauth.backendauth:make_plugin | |||
[who.identifiers] | |||
plugins = digest | |||
[who.challengers] | |||
plugins = digest | |||
[who.authenticators] | |||
plugins = backend | |||