I'd like to see AuthKit be "the" WSGI Python toolkit for adding
authentication services to an application service. To this end, I'd
like to see not only HTTP Auth support, but also, as Ben Bangert and
James Gardner have been doing, support for OpenID and other Single
Sign-On ("SSO") services. Ideally this includes support, not only for
authentication, but also for logging out (i.e., de-authenticating a
browser). To this end, as soon as this project is "production ready",
I'd like to deprecate paste.auth and redirect its users to this
package.

Since our organization deals with multiple Universities, I'd also like
to see AuthKit handle multiple authentications at a single site. This
support is two-fold: the first is supporting a plurality of single
sign-on service systems, and having those tested with actual
deployments of those systems in an organization's context. I'd like to
see a "driver" model, where a user of AuthKit doesn't even need to
know the authentication system, but instead can specify the
organization and all of the information (in a configuration file) of
AuthKit including the specific authentication protocol and its
configuration (servers, URLs, etc.) can be recalled and automatically
used.

A few months from now, I'd also like to see a "meta authentication"
layer, where a user coming to the site is given a choice of
"authentication source" they wish to use (perhaps using their IP
address range and a cookie to remember a default). The REMOTE_USER
would then be the user ID of that source, but we'd also introduce a
REMOTE_USER_AUTHORITY or some other environ tag which specifies which
one of the services they used to authenticate with. The advantage of
this system is that "visiting" users from one university can be given
guest access (or even permanent access). This sort of system should
enable collaborative services in the sciences and, in particular, in
the medical field.

Thank you for your time!
Clark
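
The "meta authentication" layer proposed in the message above, sketched as WSGI middleware. This is an added example, not AuthKit code and not part of the original message; the organization names, networks, cookie name and driver callables are hypothetical. It validates the remembered source against the configured list and clears any identity keys already in the environ, so only this layer sets REMOTE_USER and REMOTE_USER_AUTHORITY.

```python
import ipaddress
from http.cookies import SimpleCookie

# Constructed configuration: organizations, protocols and networks are hypothetical.
SOURCES = {
    "univ-a": {"protocol": "cas", "networks": ["192.0.2.0/24"]},
    "univ-b": {"protocol": "openid", "networks": ["198.51.100.0/24"]},
}
COOKIE = "auth_source"  # hypothetical cookie that remembers the user's choice


def choose_source(environ, sources=SOURCES):
    """Return the default authentication source for a request, or None."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    # The cookie is client-controlled: accept it only if it names a configured source.
    if COOKIE in cookie and cookie[COOKIE].value in sources:
        return cookie[COOKIE].value
    try:
        addr = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    for name, cfg in sources.items():
        if any(addr in ipaddress.ip_network(net) for net in cfg["networks"]):
            return name
    return None


class MetaAuth:
    """WSGI middleware. `drivers` maps a source name to a callable(environ)
    that returns a user id or None (stand-ins for real protocol drivers)."""

    def __init__(self, app, drivers, sources=SOURCES):
        self.app, self.drivers, self.sources = app, drivers, sources

    def __call__(self, environ, start_response):
        # Assumption: this layer is the only one allowed to assert identity,
        # so anything already present under these keys is discarded.
        environ.pop("REMOTE_USER", None)
        environ.pop("REMOTE_USER_AUTHORITY", None)
        source = choose_source(environ, self.sources)
        user = self.drivers[source](environ) if source in self.drivers else None
        if user is None:
            # No usable default: offer the list of configured sources.
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            names = ", ".join(sorted(self.sources))
            return [("Choose an authentication source: " + names).encode()]
        environ["REMOTE_USER"] = user
        environ["REMOTE_USER_AUTHORITY"] = source
        return self.app(environ, start_response)
```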