Tokens identify users, not sessions, since your services should be
stateless anyway (each call to a service method should be independent
and should not require a call to another method). Read about it here:
Sessions are your client's job.
The token has an expiry date, and its lifetime may be different from user
I use something like this, client side:

    # first get a token
    authToken = serviceProxy.getToken(user, password)
    # then use it with methods that require auth.
    helloWorld = serviceProxy.helloWorld(token=authToken)

serviceProxy could be formatting json-rpc, xml-rpc, soap, whatever...
Also, this would work no matter the transport.
I do have an implementation of the server; however, since it's not
written in Python I didn't post it here (my client is a web2py app and
my server is a ZF app). I can send it to you but it's PHP, you tell
What I implemented in Python is a client class (using json-rpc format
since it's my preferred format): http://www.desfrenes.com/python-json-rpc
A possible server implementation in web2py could be something like
this (replace the docstrings with appropriate logic):

    from gluon.tools import Service

    # create a server instance
    service = Service(globals())

    # expose as json-rpc (the client calls this one first)
    @service.jsonrpc
    def getToken(user, password):
        """
        here, perform authentication
        against whatever source you like
        (db, file, service, CAS, ldap...)
        generate a token, store it in cache or
        db with an expiry date and
        associated user id.
        You may generate the token with
        uuid and then encrypt it
        """

    # expose as json-rpc
    @service.jsonrpc
    def helloWorld(token, name):
        """
        here, check validity of token
        (does it exist? is it expired?),
        if valid and corresponding user has
        right, then return result,
        else raise error.
        You may perform auth within a
        python decorator so you only
        have to add @tokenAuth before
        """
        return 'hello ' + name

    # your service end point
    def call():
        return service()
Another way is to use http basic auth, but it was not my choice.
You'll find tons of articles about it.
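As an added example (not code from the post above or from web2py), here is the token issuance and the @tokenAuth decorator the post suggests, kept framework-independent: an in-memory dict stands in for the cache or db, authenticate() is an assumed stand-in credential check with one constructed user, and the web2py Service plumbing is left out.

```python
import uuid
from datetime import datetime, timedelta, timezone
from functools import wraps

# Assumption: an in-memory dict stands in for the cache or db the post
# mentions. Maps token -> (user id, expiry as an aware UTC datetime).
TOKEN_STORE = {}
TOKEN_TTL = timedelta(minutes=30)

class AuthError(Exception):
    """Raised when credentials are wrong or a token is unknown or expired."""

def _now():
    return datetime.now(timezone.utc)

def authenticate(user, password):
    """Stand-in for the real check (db, file, CAS, ldap...).
    Constructed sample: a single hard-coded user with id 42."""
    return 42 if (user, password) == ('alice', 's3cret') else None

def getToken(user, password):
    """Verify credentials, then issue a random uuid4 token bound to the
    user id with an expiry date, as the post describes."""
    user_id = authenticate(user, password)
    if user_id is None:
        raise AuthError('bad credentials')
    token = uuid.uuid4().hex
    TOKEN_STORE[token] = (user_id, _now() + TOKEN_TTL)
    return token

def tokenAuth(func):
    """Decorator: run the service method only if the token exists and has
    not expired; the method receives the caller's user id in place of
    the token. Expired tokens are dropped from the store on sight."""
    @wraps(func)
    def wrapper(token, *args, **kwargs):
        entry = TOKEN_STORE.get(token)
        if entry is None:
            raise AuthError('unknown token')
        user_id, expiry = entry
        if _now() >= expiry:
            del TOKEN_STORE[token]
            raise AuthError('token expired')
        return func(user_id, *args, **kwargs)
    return wrapper

@tokenAuth
def helloWorld(user_id, name):
    return 'hello ' + name
```

Inside helloWorld, user_id is what you would check against the user's rights before returning the result.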
On Jun 6, 10:20 am, Alexei Vinidiktov <alexei.vinidik...@gmail.com