pyramid and social auth


Kesav Kumar Kolla

Jan 2, 2012, 11:40:08 AM
to pylons-...@googlegroups.com
Is there any module available for OpenID and OAuth integration with Pyramid? I've looked into Velruse but I'm not sure how to get the security principal into the context. Has anyone tried OpenID or OAuth with Pyramid?

Michael Merickel

Jan 2, 2012, 2:01:28 PM
to pylons-...@googlegroups.com
It seems to me you are confused about how pyramid separates authentication, authorization and the login process.

The steps involved here are:

1. Is the user authenticated? This is done by checking if the authentication policy can find valid credentials in a request. If they are there, great, skip to step 3, but if not you'll want to have the user log in. This is a passive process if your views are protected by permissions. The system saw that there were no user credentials in the request headers, so it raised an HTTPForbidden exception, which you can then catch in an exception view and use to redirect the user to your login page.

2. Redirect the user to your login system. This would be a page that allows the user to select how they wish to log in. Great, they clicked on the Facebook auth button, which redirects the user to Velruse.

2a. Velruse is now responsible for taking the user to facebook, having them login, then handling the response from facebook and parsing out the credentials.

2b. Velruse has now come back to your pyramid application and told you that the user is logged in, and here are its credentials. You must take those credentials, and tell your authentication policy to remember them, effectively logging the user into your application.

3. Yay, the user is authenticated! Let's turn that userid into a list of principals describing them and match that up with the ACLs in our resource tree by looking at the __acl__ in our context. If there was an entry in the ACL that matched, check if it's allow or deny. Deny?? Noooo, pyramid raises HTTPForbidden which you can catch in an exception view and determine if they are really not allowed or if they are simply not logged in. Allowed? Yay, the view is called and all is happy.

To be clear you can replace the word "velruse" here with anything that handles telling your application that this user is trusted, and here are their credentials. For example, this may simply be a login form with username/password fields that goes to a view in your app that compares those values with the database. If the values match, then you can go to step 2b.

Does this help?

--
You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
To view this discussion on the web visit https://groups.google.com/d/msg/pylons-discuss/-/ls45HeowWUEJ.
To post to this group, send email to pylons-...@googlegroups.com.
To unsubscribe from this group, send email to pylons-discus...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/pylons-discuss?hl=en.
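
The flow described in the steps above, as an added example that is not part of the thread and not Pyramid's or Velruse's own code: a self-contained Python model of steps 1 through 3. The constants are named after their pyramid.security counterparts and the matching rule follows the one Pyramid's ACLAuthorizationPolicy documents (walk the context's lineage toward the root; the first ACE whose principal the user holds and whose permission matches decides; no match means deny), but the Resource, Request, remember/forget stand-ins, the groupfinder, the users and the resource tree are all constructed for this illustration. It also shows the distinction the "forbidden" exception view has to make between "not logged in" (send to login) and "logged in but not allowed" (a real 403).

```python
"""Added example (not Pyramid's code): authentication -> login -> ACL check.

Constants mirror pyramid.security names; Resource, Request, USERS and
groupfinder are constructed for this illustration.
"""

Everyone = "system.Everyone"
Authenticated = "system.Authenticated"
Allow = "Allow"
Deny = "Deny"


class Resource:
    """Node in the resource tree; __acl__ holds (action, principal, permission(s))."""

    def __init__(self, name, parent=None, acl=None):
        self.__name__ = name
        self.__parent__ = parent
        if acl is not None:
            self.__acl__ = acl

    def lineage(self):
        """Yield self, parent, grandparent, ... up to the root."""
        node = self
        while node is not None:
            yield node
            node = node.__parent__


class Request:
    """Stand-in for a Pyramid request; session plays the role of the auth cookie."""

    def __init__(self, path, session=None):
        self.path = path
        self.session = session if session is not None else {}


def remember(request, userid):
    """Step 2b: a login view (form, Velruse callback, ...) now trusts the user
    and tells the authentication policy to remember the credentials."""
    request.session["userid"] = userid


def forget(request):
    """Logout: drop the remembered credentials."""
    request.session.pop("userid", None)


def authenticated_userid(request, groupfinder):
    """Step 1: credentials present AND still valid (groupfinder knows the user)?"""
    userid = request.session.get("userid")
    if userid is None or groupfinder(userid) is None:
        return None  # stale or forged cookie for an unknown user counts as anonymous
    return userid


def effective_principals(userid, groupfinder):
    """Step 3, first half: expand a (validated) userid into principals."""
    if userid is None:
        return [Everyone]
    return [Everyone, Authenticated, userid] + list(groupfinder(userid))


def permits(context, principals, permission):
    """Step 3, second half: first matching ACE from context to root decides;
    no match anywhere is a deny."""
    for node in context.lineage():
        for action, principal, perms in getattr(node, "__acl__", ()):
            if isinstance(perms, str):
                perms = (perms,)
            if principal in principals and permission in perms:
                return action == Allow
    return False


def handle(request, context, permission, groupfinder, view):
    """Steps 1 and 3, plus the HTTPForbidden exception view's decision."""
    userid = authenticated_userid(request, groupfinder)
    if permits(context, effective_principals(userid, groupfinder), permission):
        return ("200", view(context))
    if userid is None:  # step 2: not logged in, send to the login page
        return ("302", "/login?came_from=" + request.path)
    return ("403", "forbidden")  # logged in, but the ACL says no


# Constructed sample data: two users, one group, a three-node resource tree.
USERS = {"alice": ["group:editors"], "bob": []}


def groupfinder(userid):
    return USERS.get(userid)  # None for unknown users


root = Resource("", acl=[(Allow, Everyone, "view"),
                         (Allow, "group:editors", "edit")])
blog = Resource("blog", parent=root)
# ACE order matters: editors hold Everyone too, so their Allow must come
# before the Deny. The Deny also stops the walk, shadowing root's
# "Allow Everyone view" for anyone who is not an editor.
drafts = Resource("drafts", parent=blog,
                  acl=[(Allow, "group:editors", ("view", "edit")),
                       (Deny, Everyone, "view")])


def render(context):
    return "rendered " + (context.__name__ or "root")


def demo(userid, context, permission):
    """Run one request as the given user (None = anonymous)."""
    request = Request("/" + context.__name__)
    if userid is not None:
        remember(request, userid)
    return handle(request, context, permission, groupfinder, render)


if __name__ == "__main__":
    for who in (None, "bob", "alice", "mallory"):
        print(who, demo(who, blog, "edit"), demo(who, drafts, "view"))
```

Run it and compare the three users: the anonymous request is redirected to login, bob gets a real 403 because he is authenticated but holds no matching principal, alice is allowed, and "mallory" (a remembered userid the groupfinder does not know) is treated as anonymous rather than as a logged-in user, which is the behaviour you want from a callback that returns None.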

Kesav Kumar Kolla

Jan 2, 2012, 2:11:54 PM
to pylons-...@googlegroups.com
Thanks for the explanation. In theory I understand the flow; the only missing point for me is, when I set up Velruse as a separate app in Pyramid, how is the session shared between my app and Velruse? BTW I'm using Beaker and MongoDB to store all my session information. When I redirect to the Velruse app and once login is done, how is the credential information going to be available to my main application?

Thanks

Michael Merickel

Jan 2, 2012, 2:15:30 PM
to pylons-...@googlegroups.com

I suggest using the unreleased master branch of Velruse on GitHub. It has several major changes that make it simpler to integrate with Pyramid. In there is also a demo application with a simple Pyramid project that uses Velruse.


Jonathan Vanasco

Jan 3, 2012, 12:10:34 AM
to pylons-discuss
I ran into similar confusion as you a few weeks back.

What I realized is that Velruse, and some other packages, kind of exist as standalone authentication micro-apps that wrap other auth libraries, and not as libraries to build that functionality into your own app as you would want. For some projects, that works perfectly. For others, you might want a specific user experience, which will necessitate rolling a bit more code yourself around the auth libraries they wrap.