While upgrading a project from TG 2.1 to 2.2 I noticed that the
"authenticators" setting (a list of custom authenticators) is handled
differently depending on whether "authmetadata" is defined ("new-style
config") or not ("old style").
In new-style configuration, the default authenticator will not be used
at all when custom authenticators are specified, while in old-style
configuration, the default authenticator will be appended.
I think we should re-establish the old behavior. It often makes sense to
prepend additional authenticators to the default one. Of course, you can
always add the default one manually, but it's cumbersome.
Or, we could make it even more flexible by allowing a value of
('default', None) in the "authenticators" list which will be
automatically replaced by the default authenticator. That way you can
specify exactly the position of the authenticator in the chain. I have
already created a patch for this, let me know what you think.
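
A sketch of the three chain-building behaviours described in this message, added here as an illustration; it is not TurboGears code and not the patch mentioned above. The function names, the `default_auth` entry and the string stand-ins for plugin objects are assumptions, and so is the choice to reject a repeated placeholder.

```python
# Illustrative only: hypothetical helpers, not TurboGears' implementation.
# Chain entries are (name, plugin) tuples; plugins are plain strings here.
DEFAULT_PLACEHOLDER = ('default', None)


def resolve_old_style(custom, default):
    """Old-style behaviour as described: the default is appended."""
    return list(custom) + [default]


def resolve_new_style(custom, default):
    """New-style behaviour as described: a custom list replaces the default."""
    return list(custom) if custom else [default]


def resolve_with_placeholder(custom, default):
    """Proposed behaviour: ('default', None) marks the default's position."""
    if not custom:
        return [default]
    resolved, placed = [], False
    for entry in custom:
        if tuple(entry) == DEFAULT_PLACEHOLDER:
            if placed:  # assumption of this sketch: one default per chain
                raise ValueError("placeholder listed more than once")
            resolved.append(default)
            placed = True
        else:
            resolved.append(tuple(entry))
    return resolved


def has_default(chain, default):
    """Upgrade check: is the default authenticator still in the chain?"""
    return any(name == default[0] for name, _ in chain)


if __name__ == "__main__":
    default = ('default_auth', 'DEFAULT_PLUGIN')   # constructed sample
    ldap = ('ldap', 'LDAP_PLUGIN')                 # constructed sample
    for label, chain in [
        ("old-style", resolve_old_style([ldap], default)),
        ("new-style", resolve_new_style([ldap], default)),
        ("placeholder", resolve_with_placeholder(
            [DEFAULT_PLACEHOLDER, ldap], default)),
    ]:
        names = [name for name, _ in chain]
        print(label, names, "default present:", has_default(chain, default))
```

Running `has_default` over the resolved chain before and after an upgrade shows whether accounts that rely on the default authenticator would stop being able to log in.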