On Fri, Jul 10, 2015 at 7:12 PM, Andrew Burnett <andrewjburn...@gmail.com> wrote:
> I apologize in advance if 1) This is not the proper place to be asking such a question 2) My understanding of authentication is so lackluster that my question is irrelevant to begin with. Having said that, I will ask away:
>
> I was hoping to use one of Pyramid's built-in authentication policies (AuthTktAuthenticationPolicy) within my application. From what I understand, through the use of this remember() function I can obtain a set of Set-Cookie headers to be set on my response and returned so that my browser will follow suit and authentication will be taken care of when accessing my application via said web browser.
>
> My issue is that I'm using Pyramid as the backend of a mobile application native to iOS. So, I would like to leverage AuthTktAuthenticationPolicy if possible, but return the appropriate cookie (Or cookies? Do I need more than one? Because more than one cookie is provided by pyramid.security.remember()) in the JSON body of my response. For example, I'd like to return {"auth_tkt": -----with the auth_tkt's value here-----}. Is it possible to obtain the actual value of the auth_tkt cookie/s provided in the response.headers? Is this not how I should be going about this?
>
> I realize the cookies can be read from the client side by accessing the appropriate authorization headers, but I'd like to explicitly send the auth_tkt via a JSON body if possible. Thanks.
If iOS supports cookies, AuthTktAuthenticationPolicy would be the easiest way to go. Otherwise you'd have to write an authentication policy, or see if you can use AuthTktAuthenticationPolicy ignoring the cookie stuff it does. If you look at pyramid/authentication.py you'll see that RemoteUserAuthenticationPolicy and SessionAuthenticationPolicy are very small and simple, so that's the minimum you have to do. RemoteUserAuthenticationPolicy gets the authenticated user from an external authenticator [1], while SessionAuthenticationPolicy stores the user ID in an externally-managed session. Both of them return "no headers" for .remember() and .forget() because they don't have to set any headers. In these cases the user ID is the auth token and you don't need to sign or encrypt it because it never goes back to the client. (With SessionAuthenticationPolicy the session ID goes back to the client, but that's the session manager's responsibility.)

But with AuthTktAuthenticationPolicy and your "JSONAuthenticationPolicy", the ID does go back to the client so it has to be encrypted. Therefore, what you want is the part of AuthTktCookieHelper that generates and verifies the token, and you don't want the part that converts it to a cookie. I don't know offhand if you can subclass AuthTktCookieHelper and just bypass the cookie stuff, or if you'd have to reimplement it.

You'd also have to think about how to get the token in and out of the JSON request/response. You might put it on a request attribute and let some view code put it in the JSON response. Going the other way seems trickier because authentication occurs before the view code, so you'd have to deserialize the JSON early to get the token, which means you'd have to handle invalid JSON or wrong content type at that point. Perhaps you could do something analogous: deserialize the JSON object and put it on a request attribute, and the view code can look for it there rather than deserializing the body again.
This assumes that **ALL** requests are JSON. (Fire alarm in my apartment, gotta go...)

[1] If you're wondering why the method is called "un"authenticated_userid, it's to bridge the API semantics between REMOTE_USER, which is always authenticated, and Pyramid, which needs both an authenticated and an unauthenticated userid.
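A stand-alone sketch of the approach the reply outlines, added here as an example and not code from Pyramid or from either poster. It keeps only the "generate and verify the token" part of the auth_tkt idea and drops the cookie handling: the ticket layout follows the mod_auth_tkt format AuthTktCookieHelper emits (hex digest, 8-hex-digit timestamp, userid, `!`), but this is a simplified reimplementation with the IP, tokens and user_data fields fixed to 0.0.0.0 and empty, so its tickets are not interchangeable with a real Pyramid deployment. `JSONAuthenticationPolicy` (the reply's placeholder name), `login_view` and `make_request` are assumed names; the policy's `remember()` returns a JSON fragment rather than the header list Pyramid's policy interface expects, because the whole point is to carry the ticket in the body. Note that the digest makes the ticket tamper-evident and expiring, but the userid in it is still readable by the client. The JSON body is deserialized once, early, with invalid JSON and a wrong Content-Type handled there, and the result is cached on the request for the view, as the reply suggests.

```python
import hashlib
import hmac
import json
import struct
import time
from types import SimpleNamespace

HASHALG = "sha512"
DIGEST_LEN = len(hashlib.new(HASHALG).hexdigest())  # 128 hex chars for sha512


def _digest(secret, timestamp, userid, ip="0.0.0.0", tokens="", user_data=""):
    """Two-round mod_auth_tkt-style digest (simplified reimplementation, not Pyramid's code):
    inner = H(ip | ts | secret | userid \\0 tokens \\0 user_data); outer = H(inner | secret)."""
    ip_ts = struct.pack("!4B", *(int(o) for o in ip.split("."))) + struct.pack("!I", timestamp)
    inner = hashlib.new(HASHALG, ip_ts + secret.encode() + userid.encode() + b"\0"
                        + tokens.encode() + b"\0" + user_data.encode()).hexdigest()
    return hashlib.new(HASHALG, (inner + secret).encode()).hexdigest()


def make_ticket(secret, userid, timestamp=None):
    """Ticket = digest + 8-hex-digit timestamp + userid + '!' (tokens and user_data left empty)."""
    timestamp = int(time.time()) if timestamp is None else int(timestamp)
    return "%s%08x%s!" % (_digest(secret, timestamp, userid), timestamp, userid)


def verify_ticket(secret, ticket, now=None, timeout=3600):
    """Return the userid if the ticket parses, has not expired and its digest matches; else None."""
    now = int(time.time()) if now is None else int(now)
    if not isinstance(ticket, str) or len(ticket) < DIGEST_LEN + 8 + 2:
        return None
    digest = ticket[:DIGEST_LEN]
    try:
        timestamp = int(ticket[DIGEST_LEN:DIGEST_LEN + 8], 16)
    except ValueError:
        return None
    userid, sep, _rest = ticket[DIGEST_LEN + 8:].partition("!")
    if not sep or not userid or now - timestamp > timeout:
        return None
    # Constant-time comparison so a forged digest cannot be guessed byte by byte.
    if not hmac.compare_digest(digest, _digest(secret, timestamp, userid)):
        return None
    return userid


class JSONAuthenticationPolicy:
    """Hypothetical policy: the ticket travels under "auth_tkt" in the JSON body, not in a cookie."""

    def __init__(self, secret, timeout=3600):
        self.secret = secret
        self.timeout = timeout

    @staticmethod
    def json_body(request):
        """Deserialize the body once and cache it on the request; views read request.json_data."""
        if not hasattr(request, "json_data"):
            request.json_data, request.json_error = None, None
            if request.content_type != "application/json":
                request.json_error = "unsupported content type"
            else:
                try:
                    data = json.loads(request.body)
                    if isinstance(data, dict):
                        request.json_data = data
                    else:
                        request.json_error = "JSON body is not an object"
                except ValueError as exc:  # covers JSONDecodeError and bad UTF-8
                    request.json_error = "invalid JSON: %s" % exc
        return request.json_data

    def unauthenticated_userid(self, request):
        data = self.json_body(request)
        if data is None:
            return None
        return verify_ticket(self.secret, data.get("auth_tkt"), timeout=self.timeout)

    def remember(self, request, userid):
        """Fragment the view merges into its JSON response (in place of Set-Cookie headers)."""
        return {"auth_tkt": make_ticket(self.secret, userid)}

    def forget(self, request):
        return {"auth_tkt": None}


def login_view(policy, request, users):
    """Constructed login view: checks a username/password and returns a body carrying the ticket."""
    data = policy.json_body(request)
    if data is None:
        return {"error": request.json_error}
    if users.get(data.get("username")) != data.get("password"):
        return {"error": "bad credentials"}
    return {"ok": True, **policy.remember(request, data["username"])}


def make_request(content_type, body):
    """Minimal stand-in for a Pyramid request, constructed for this example."""
    return SimpleNamespace(content_type=content_type, body=body)
```

The check the reply calls out is visible in `json_body`: a form-encoded POST or a malformed body leaves `request.json_data` as None with the reason in `request.json_error`, so `unauthenticated_userid` simply reports no user and the view can return that error without parsing the body a second time.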