Allowing authentication to work over multiple subdomains?


Iain Duncan

May 16, 2012, 3:36:15 PM
to pylons-...@googlegroups.com
Hey folks, we have a Pyramid app that responds to multiple subdomains and routes accordingly, with the account being chosen based on the subdomain but all code running through the same engine.

http://iain.cloudapp.com -> app knows to return Iain's data
http://snufkin.cloudapp.com -> app knows to use snufkin's data

Accounts can allow access to other accounts if the user has been given that privilege. I.e., Iain should be able to log in, work on iain.cloudapp.com, and switch to glyn.cloudapp.com if he's allowed, but *without* having to log in again. Iain should be able to log in by either going to www.cloudapp.com or iain.cloudapp.com.

We're using the default Pyramid authentication system, and as it is out of the box, if I switch subdomains I'm not treated as logged in. Can anyone point me in the right direction for making the auth system treat all subdomains of cloudapp.com as the same domain?

thanks!
Iain

Jason

May 16, 2012, 4:25:19 PM
to pylons-...@googlegroups.com
Pyramid's auth ticket implementation sets the auth cookie on *.example.com and example.com.

In order for it to work across subdomains it must also set the auth cookie on .example.com (notice leading dot). I had to create a custom authentication policy to do this. There is a closed pull request that outlines the required changes, see the pylons-devel thread about it at https://groups.google.com/forum/?fromgroups#!topic/pylons-devel/Z8sUxc9QOaM

-- Jason
 

Jason

May 17, 2012, 9:13:17 AM
to pylons-...@googlegroups.com


On Wednesday, May 16, 2012 4:25:19 PM UTC-4, Jason wrote:


On Wednesday, May 16, 2012 3:36:15 PM UTC-4, Iain Duncan wrote:
Thanks Jason. If you don't mind sharing how you did it, that would be great.  
thanks!
Iain


Jason

May 17, 2012, 9:16:35 AM
to pylons-...@googlegroups.com
Ugh Google Groups Post button is too close to the bottom of the text box.


Here is a gist of the authentication module needed to get the correct wildcard domain support: https://gist.github.com/885d5b21295bc4fb192d

In your project __init__.py you use it the same way you would use Pyramid's authentication policy, but with one extra argument:

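from pyramid.config import Configurator
# assumes the gist is saved as myproject/lib/AuthTktAuthPolicy.py and defines this class
from myproject.lib.AuthTktAuthPolicy import AuthTktAuthPolicy

# same arguments as Pyramid's own policy, plus sibling_domains
authn_policy = AuthTktAuthPolicy(callback=principal_finder, secret=settings['auth.secret'],
                                 cookie_name=settings['auth.key'], sibling_domains=True)
config = Configurator(settings=settings, authentication_policy=authn_policy)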

Maybe one day I will make this a proper plugin, but this will get you going for now.

--Jason
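
Why the cookie's Domain attribute decides whether the ticket follows the user from iain.cloudapp.com to glyn.cloudapp.com, as an added example that is not part of the original post or the linked gist: a stdlib-only sketch of RFC 6265 domain matching. The helper names, the host list and the reading of sibling_domains=True as "set the cookie on the parent domain" are assumptions.

```python
import ipaddress

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3: host is the cookie domain or a subdomain of it."""
    host = host.lower()
    domain = cookie_domain.lower().lstrip(".")  # browsers ignore a leading dot
    if host == domain:
        return True
    return host.endswith("." + domain) and not _is_ip(host)

def browser_sends(set_by, domain_attr, request_host):
    """Would a cookie set by `set_by` with this Domain reach `request_host`?"""
    if domain_attr is None:                     # no Domain: host-only cookie
        return request_host.lower() == set_by.lower()
    if not domain_match(set_by, domain_attr):   # a host cannot set a cookie for
        return False                            # a domain it does not belong to
    return domain_match(request_host, domain_attr)

def parent_domain(host):
    """iain.cloudapp.com -> .cloudapp.com (assumed effect of sibling_domains=True).
    Real code must also refuse public suffixes such as .co.uk."""
    name = host.split(":")[0]                   # drop any port
    labels = name.split(".")
    if len(labels) < 3 or _is_ip(name):
        raise ValueError("no parent domain to share a cookie on: %r" % host)
    return "." + ".".join(labels[1:])

def reach(set_by, domain_attr, hosts):
    """Hosts from `hosts` that would receive the cookie."""
    return [h for h in hosts if browser_sends(set_by, domain_attr, h)]

# Constructed host list, based on the names used in the thread.
HOSTS = ["iain.cloudapp.com", "glyn.cloudapp.com", "www.cloudapp.com",
         "cloudapp.com", "a.iain.cloudapp.com", "notcloudapp.com"]

if __name__ == "__main__":
    login = "iain.cloudapp.com"
    scopes = [("host-only", None), ("Domain=" + login, login),
              ("Domain=" + parent_domain(login), parent_domain(login))]
    for label, dom in scopes:
        print("%-28s -> %s" % (label, reach(login, dom, HOSTS)))
```

A ticket scoped to the parent domain is sent to every host under cloudapp.com, so the check that the logged-in user may use the account named by the subdomain still has to run on the server for each request.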


Alejandro Jatib

Jun 29, 2012, 6:45:15 PM
to pylons-...@googlegroups.com
Hi Iain,
Can you explain how you resolved this part: "a pyramid app that responds to multiple subdomains and routes accordingly, with the account being chosen based on the subdomain but all code running through the same engine"?
How do you route dynamic routes from different to different "accounts" (meaning a different db with the account's data)?

I tried with some code examples but I can't do it.

Thanks!