AuthTkt Cookies for OAuth2 versus Normal


ozwyzard

Nov 12, 2012, 7:09:21 PM
to turbo...@googlegroups.com
Is there a way to allow/deny a user based on a predicate check depending on the "type" of auth_ticket?

For example, one instance of AuthTktCookiePlugin (NormalCookie) generates a cookie for normal login for normal users, versus a different instance of AuthTktCookiePlugin that generates a cookie for OpenAuth2 email addresses (OAuth2Cookie). Is there a way to specify a predicate which says, 'Allow User with NormalCookie' but deny a request with OAuth2Cookie? And vice versa?

I could differentiate based on tg_group membership (predicate). Just wondering if there is any other way to do the same?

Thanks!

Alessandro Molina

Nov 12, 2012, 7:16:02 PM
to TurboGears
Inside the request.identity you should have the identifier and authenticator used to recognize the user, then it should be possible to take action based on that one.


ozwyzard

Nov 13, 2012, 2:27:34 AM
to turbo...@googlegroups.com
The credentials dict argument of the predicates.not_anonymous() method contains just 3 keys, namely 'repoze.what.userid', 'groups', and 'permissions'. 

Adding extra identity['test_myauthenticator_flag'] in the authenticate() method did not pass through to predicates.  Adding an mdprovider (add_metadata()) to add extra keys to identity did not pass through either.

ozwyzard

Nov 15, 2012, 2:25:56 AM
to turbo...@googlegroups.com
In the repoze.who-2.0 api.py file, the 'def authenticate' has two lines

                identity['authenticator'] = authenticator
                identity['identifier'] = identifier

Can I assume these keys will exist in future versions of repoze.who? If it is deemed an implementation detail, is there a way to decipher the 'identifier' for a given identity (e.g. some API call or Interface Spec)?

I have a separate oauth_browser classification (based on URL).

I have a separate OAuthPlugin, and it is getting called with the normal AuthTkt identity, even when I specified OAuthPlugin.classifications. The classification filtering seems to work partially (I am still digging through my code to see if I have misconfigured).

Thanks.


ozwyzard

Nov 15, 2012, 5:48:18 PM
to turbo...@googlegroups.com

Never mind. I have to set the classifications on my OAuthPlugin as well as the AuthTkt plugin, so that the plugin classification match does not occur for one cookie versus the other (when looking for identifier/authenticator). Thanks.


On Wednesday, November 14, 2012 11:25:56 PM UTC-8, ozwyzard wrote:
...
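The outcome of this thread, as an added example that is not part of the original posts and is not repoze.who's own code: a simplified model of classification filtering, followed by an allow/deny check on `identity['identifier']`. The `CookiePlugin` class, the cookie names, the `environ["cookies"]` layout, the `browser` classification and the rule that a plugin without classifications matches every request are assumptions made for the illustration.

```python
# Added illustration: a simplified model, not repoze.who's implementation.
IDENTIFIER = "IIdentifier"  # stand-in key for the identifier interface

class CookiePlugin:
    """Hypothetical stand-in for one AuthTktCookiePlugin instance."""
    def __init__(self, name, cookie_name, classifications=None):
        self.name, self.cookie_name = name, cookie_name
        if classifications is not None:
            self.classifications = classifications

    def identify(self, environ):
        # Constructed environ layout: cookies already parsed into a dict.
        userid = environ.get("cookies", {}).get(self.cookie_name)
        return {"userid": userid} if userid else None

def match_classification(plugins, classification):
    """Assumed rule: a plugin with no classifications matches every request."""
    matched = []
    for plugin in plugins:
        wanted = getattr(plugin, "classifications", {}).get(IDENTIFIER)
        if not wanted or classification in wanted:
            matched.append(plugin)
    return matched

def identify(plugins, environ, classification):
    """Return the first identity found, tagged with the plugin that found it."""
    for plugin in match_classification(plugins, classification):
        identity = plugin.identify(environ)
        if identity:
            identity["identifier"] = plugin  # the key quoted from api.py above
            return identity
    return None

def allowed(identity, required_plugin):
    """Allow only identities produced by one specific plugin instance."""
    return identity is not None and identity.get("identifier") is required_plugin

def demo():
    # Constructed request carrying both cookies, classified as oauth_browser.
    environ = {"cookies": {"auth_tkt": "alice", "oauth_tkt": "bob@example.com"}}
    oauth = CookiePlugin("oauth", "oauth_tkt", {IDENTIFIER: ["oauth_browser"]})
    loose = CookiePlugin("normal", "auth_tkt")  # classifications left unset
    strict = CookiePlugin("normal", "auth_tkt", {IDENTIFIER: ["browser"]})
    before = identify([loose, oauth], environ, "oauth_browser")
    after = identify([strict, oauth], environ, "oauth_browser")
    return (before["identifier"].name, allowed(before, oauth),
            after["identifier"].name, allowed(after, oauth))
```

With the normal cookie plugin left unclassified, the OAuth-classified request is identified from the normal cookie and the check denies it; once both plugins carry classifications, only the OAuth plugin is consulted.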