Overwritten repoze.who.identity['user']

ozwyzard

Nov 21, 2012, 5:48:13 PM
to turbo...@googlegroups.com

I have a custom Auth Plugin with an IMetadataProvider (add_metadata()) that sets the identity['user'] to a custom record. 

However, by the time the call reaches the __before of a controller, the repoze.who.identity['user'] is scribbled over by other auth plugins and set to None.

The plugins in question are SQLAlchemyUserMDPlugin() for sure and possibly AuthorizationMetadata().

I am using TG2.2 with repoze.who-2.0-py2.7, but not using the "class ApplicationAuthMetadata(TGAuthMetadata)" in app_cfg.py, instead just the simple config like so:

    base_config.sa_auth.identifiers = [('api', ApiClientAuthPlugin), ('browser', BrowserClientAuthPlugin), ('oauth2_browser', OAuth2ClientPlugin)]
    base_config.sa_auth.challengers = [('api', ApiClientAuthPlugin), ('oauth2_browser', OAuth2ClientPlugin)]
    base_config.sa_auth.group_class = model.Group
    base_config.sa_auth.permission_class = model.Permission
    base_config.sa_auth.authenticators = [('browser', BrowserClientAuthPlugin), ('oauth2_browser', OAuth2ClientPlugin)]
    base_config.sa_auth.mdproviders = [('oauth2_browser', OAuth2ClientPlugin)]
    base_config.sa_auth.form_plugin = None

The SQLAlchemyUserMDPlugin() gets registered as a plugin in repoze.what.quickstart-1.0.9-py2.7.egg/repoze/what/plugins/quickstart/__init__.py::setup_sql_auth().

What am I doing wrong?

Thanks.

Alessandro Molina

Nov 25, 2012, 8:26:16 AM
to TurboGears .
If you remove the base_config.sa_auth.authmetadata field you just disable the 2.2 auth layer and fall back to the repoze.what-quickstart one, that is why you get the SQLAlchemyUserMDPlugin registered.

To use the new auth setup but skip the default TG metadata provider just set authmetadata to None.



ozwyzard

Nov 26, 2012, 5:33:32 PM
to turbo...@googlegroups.com
Thank you.  I would not have figured that out.

When I set base_config.sa_auth.authmetadata = None, I see a param mismatch exception when PluggableAuthenticationMiddleware's __init__() is called.

In /tg/configuration/app_config.py::add_auth_middleware()
if 'authmetadata' not in auth_args:
    calls setup_sql_auth() .. consumes permission_class and translations etc. and in turn calls setup_auth() such that when it calls PluggableAuthenticationMiddleware() the parameters match
else:
    calls setup_auth() with auth_args .. and PluggableAuthenticationMiddleware() chokes on invalid parameters permission_class, dbsession, translations, etc.


I will debug further..

ozwyzard

Nov 27, 2012, 5:26:36 AM
to turbo...@googlegroups.com

I put some debugging hacks in setup_auth() and figured out that since I am configuring authenticators in app_cfg.py, with the tg 2.2 auth layer, the SQLAlchemyAuthenticatorPlugin() is not instantiated in add_auth_middleware().  Hence, (a) it does not consume some of the auth_args, and (b) the authenticate function is not called for friendlyformplugin logins.

Since the logic in setup_auth() relies on either **all** or **no** authenticators configured, I would have to instantiate the SQLAlch authenticator myself and configure it in base_config but then I would have to do surgery on the auth_args (kw arg), and even then AppConfig automatically creates a self.sa_auth.translations parameter (which would choke PluggableAuthenticationMiddleware()).

One alternative is to modify either setup_auth() or add_auth_middleware() to handle the above scenario.
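
A debugging aid for the overwrite described in the first post, added here as an example that is not part of the thread or of TurboGears/repoze code: it wraps each metadata provider and records which one changes identity['user']. Only the add_metadata(environ, identity) signature comes from repoze.who's IMetadataProvider; the provider classes, the names and the sample userid are constructed stand-ins.

```python
import logging

log = logging.getLogger("mdtrace")

class TracingMDProvider:
    """Wraps an IMetadataProvider-style plugin and records watched identity keys it changes."""
    def __init__(self, name, plugin, watched=("user",)):
        self.name, self.plugin, self.watched = name, plugin, watched
        self.changes = []  # (key, old_value, new_value) tuples, in call order

    def add_metadata(self, environ, identity):
        before = {k: identity.get(k) for k in self.watched}
        self.plugin.add_metadata(environ, identity)
        for key, old in before.items():
            new = identity.get(key)
            if new is not old:  # the key was rebound by the wrapped plugin
                self.changes.append((key, old, new))
                log.warning("%s changed identity[%r]: %r -> %r", self.name, key, old, new)

# Constructed stand-ins for the two kinds of provider in the thread (not the real classes).
class CustomRecordMD:
    def add_metadata(self, environ, identity):
        identity["user"] = {"client_id": identity["repoze.who.userid"]}

class SqlUserLookupMD:
    """Models a provider that looks the userid up in a user table and stores the result."""
    def __init__(self, users):
        self.users = users
    def add_metadata(self, environ, identity):
        identity["user"] = self.users.get(identity["repoze.who.userid"])

def run_chain(providers, userid):
    """Calls every provider in order on one shared identity dict (assumed pipeline model)."""
    identity = {"repoze.who.userid": userid}
    for p in providers:
        p.add_metadata({}, identity)
    return identity

def demo():
    chain = [TracingMDProvider("oauth2_browser", CustomRecordMD()),
             TracingMDProvider("sql_user_md", SqlUserLookupMD(users={}))]
    return run_chain(chain, "api-client-7"), chain

if __name__ == "__main__":
    print(demo()[0])
```

Wrapping the real plugin instances the same way before they are handed to the middleware shows in the log which provider replaced the custom record with None.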