| | |
| | | You can register a plugin as willing to act as an "identifier". An |
| | | identifier examines the WSGI environment and attempts to extract |
| | | credentials from the environment. These credentials are used by |
| | | authenticator plugins to perform authentication. In some cases, an |
| | | identification plugin can "preauthenticate" an identity (and can thus |
| | | act as an authenticator plugin). |
| | | authenticator plugins to perform authentication. |
| | | |
| | | |
| | | Authenticator Plugins |
| | | +++++++++++++++++++++ |
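Review bot: The new sentence in the identifier paragraph says "identification plugin", while the surrounding text and the later sections say "identifier" and ``IIdentifier`` plugin; pick one term. The sentence also states that such a plugin "can thus act as an authenticator plugin" without naming the mechanism, so a pointer to the ``repoze.who.userid`` key described under ``.identify`` would help. The fragment "authenticator plugins to perform authentication." appears a second time right after the new sentence; check that the old line is not left behind in the resulting file.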
| | |
| | | downstream application in the ``repoze.who.identity`` environment |
| | | variable. |
| | | |
| | | |
| | | Metadata Provider Plugins |
| | | +++++++++++++++++++++++++ |
| | | |
| | |
| | | adding arbitrary information to the identity dictionary for |
| | | consumption by downstream applications. For instance, a metadata |
| | | provider plugin may add "group" information to the the identity. |
| | | |
| | | |
| | | Challenger Plugins |
| | | ++++++++++++++++++ |
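Review bot: The last sentence of the metadata provider paragraph has a doubled word, "to the the identity"; drop one "the".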
| | |
| | | decides a challenge is necessary. A challenge might consist of |
| | | displaying a form or presenting the user with a basic or digest |
| | | authentication dialog. |
| | | |
| | | |
| | | Default Plugin Implementations |
| | | ------------------------------ |
| | |
| | | authenticator plugins, metadata provider plugins, and challenge |
| | | plugins. |
| | | |
| | | |
| | | Writing An Identifier Plugin |
| | | ++++++++++++++++++++++++++++ |
| | | |
| | |
| | | def __repr__(self): |
| | | return '<%s %s>' % (self.__class__.__name__, id(self)) |
| | | |
| | | |
| | | .identify |
| | | ~~~~~~~~~ |
| | | |
| | |
| | | sql ``IAuthenticator`` plugins). If an ``IIdentifier`` plugin finds |
| | | no credentials, it is expected to return None. |
| | | |
| | | An ``IIdentifier`` plugin is also permitted to "preauthenticate" an |
| | | identity. If the identifier plugin knows that the identity is "good" |
| | | (e.g. in the case of ticket-based authentication where the userid is |
| | | embedded into the ticket), it can insert a special key into the |
| | | identity dictionary: ``repoze.who.userid``. If this key is present in |
| | | the identity dictionary, no authenticators will be asked to |
| | | authenticate the identity. This effectively allows an ``IIdentifier`` |
| | | plugin to become an ``IAuthenticator`` plugin when breaking apart the |
| | | responsibility into two separate plugins is "make-work". |
| | | Preauthenticated identities will be selected first when deciding which |
| | | identity to use for any given request. Our cookie plugin doesn't use |
| | | this feature. |
| | | |
| | | .remember |
| | | ~~~~~~~~~ |
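Review bot: The preauthentication paragraph under ``.identify`` does not say what the identifier must have checked before it inserts ``repoze.who.userid``; "knows that the identity is "good"" is the only condition given. Since the text also says that with this key present "no authenticators will be asked to authenticate the identity" and that preauthenticated identities "will be selected first", one identifier that sets the key from a value the client controls would bypass every configured authenticator. Suggest stating explicitly that the plugin must verify the ticket's integrity (and validity period, if it has one) before setting the key, and that an unverified request value must never be copied into it. The phrase "is "make-work"" would also read more clearly as "would be make-work".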
| | |
| | | headers need to be returned. In our example InsecureCookiePlugin, the |
| | | "old state" is ``cookie_value`` and the "new state" is ``value``. |
| | | |
| | | |
| | | .forget |
| | | ~~~~~~~ |
| | | |
| | |
| | | method to one that expires in the past (on my birthday, in fact). |
| | | This header will be tacked onto the response headers provided by the |
| | | downstream application. |
| | | |
| | | |
| | | Writing an Authenticator Plugin |
| | | +++++++++++++++++++++++++++++++ |
| | |
| | | ``interfaces.py`` file in :mod:`repoze.who` as the ``IAuthenticator`` |
| | | interface, but let's examine this method here less formally. |
| | | |
| | | |
| | | .authenticate |
| | | ~~~~~~~~~~~~~ |
| | | |
| | |
| | | requires them to do "real work" it returns None if they are not |
| | | present instead of raising an exception. This is required by the |
| | | ``IAuthenticator`` interface specification. |
| | | |
| | | |
| | | Writing a Challenger Plugin |
| | | +++++++++++++++++++++++++++ |
| | |
| | | will be consulted during "egress" as necessary (the first one to |
| | | return a non-None response). |
| | | |
| | | |
| | | .challenge |
| | | ~~~~~~~~~~ |
| | | |
| | |
| | | "WWW-Authenticate" header like ours, then it returns an instance of |
| | | HTTPUnauthorized, passing in merged headers. This will cause a basic |
| | | authentication dialog to be presented to the user. |
| | | |
| | | |
| | | Writing a Metadata Provider Plugin |
| | | ++++++++++++++++++++++++++++++++++ |
| | |
| | | if info is not None: |
| | | identity.update(info) |
| | | |
| | | |
| | | .add_metadata |
| | | ~~~~~~~~~~~~~ |
| | | |
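Review bot: In the metadata provider example, ``identity.update(info)`` copies every key of ``info`` into the identity and overwrites keys that are already there, which would include ``repoze.who.userid`` if ``info`` happened to carry it. Suggest a sentence in the ``.add_metadata`` text saying that a provider should add only its own keys and leave the keys set by identifiers and authenticators untouched.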