[Zope-PAS] Passwordless authentication
Lennart Regebro
regebro at nuxeo.com
Mon Aug 30 10:36:38 EDT 2004
I notice that none of the Authentication plugins can handle passwordless
authentication (like for example SSL Certificates, or most SSO
solutions, which will not send the password). This of course prevents
any really secure solution from being used at all, since you need to send the
password in every request, or store it in a session. ;)
Anyway, there are a couple of ways to solve this:

1. Write passwordless authentication plugins.
   Drawbacks: 1. Lots of duplication of work/code.
              2. Prevents logging in with both password and passwordless
                 mechanisms on the same user.
   Benefit: 1. See 2 above. :)

2. Have the extraction plugin look up the user's password!
   Drawbacks: Ugly.
              Does not work with typical LDAP setups.
   Benefit: Does not require authentication plugin fixing.

3. Magic cookie password: An extraction plugin that does not provide a
   password will instead provide a marker. This marker is a special
   Python object defined once and once only in
   PluggableAuthenticationService, like so:

       _no_password_marker = []

   Any authentication plugin would then have to check if the password
   provided is this marker, and then just look up the user, and not
   check the password.
   This is the technique used in Pluggable User Folder.
   Benefit: Works.
   Drawback: All authentication plugins need to take care of this.

4. Making PAS understand the difference: If no password exists in the
   credentials, PAS could simply look up the user instead of calling
   authenticateCredentials.
   Drawback: What if there are other credentials, like domains?
   I'm not sure how it is supposed to work then...

5. ???? More ideas?
//Lennart
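The marker scheme from option 3, written out as an added example (this is not PAS or Pluggable User Folder code, and the plugin classes, the dict-shaped request, the user store and the MiniPAS dispatcher are all assumptions; only the method names extractCredentials and authenticateCredentials follow the PAS plugin interfaces). The point it shows: the authentication plugin compares the password to the marker by identity, not equality, so a value typed into a login form can never be mistaken for the marker, and the passwordless extraction plugin emits the marker only after the transport has verified the client certificate, never from a plain request value the client controls.

```python
import hmac

# Defined once and once only (the page's option 3). Because every check is an
# identity check ("is"), the actual value is immaterial; an empty list works.
_no_password_marker = []

# Constructed sample user store: login -> password (plain text only for the demo).
USERS = {'alice': 'wonderland-pw', 'bob': 'builder-pw'}


class FormExtraction:
    """Assumed extraction plugin for a login form: supplies login + password."""

    def extractCredentials(self, request):
        if 'login' in request and 'password' in request:
            return {'login': request['login'], 'password': request['password']}
        return {}


class ClientCertExtraction:
    """Assumed extraction plugin for a TLS client certificate: no password."""

    def extractCredentials(self, request):
        # Only trust the certificate subject when the front end has verified
        # the chain (assumed to be flagged as request['ssl_verified']).
        # A client-settable header must never produce the marker on its own.
        if request.get('ssl_verified') is True and 'ssl_cn' in request:
            return {'login': request['ssl_cn'], 'password': _no_password_marker}
        return {}


class DictAuthentication:
    """Assumed password authentication plugin that also honours the marker."""

    def authenticateCredentials(self, credentials):
        login = credentials.get('login')
        password = credentials.get('password')
        if login not in USERS:
            return None
        # Identity check: a string from a form is never the same object as
        # the module-level marker, so this branch cannot be spoofed by input.
        if password is _no_password_marker:
            return (login, login)          # (user_id, login) as in PAS
        # Ordinary password check; constant-time compare on the demo strings.
        if isinstance(password, str) and hmac.compare_digest(password, USERS[login]):
            return (login, login)
        return None


class MiniPAS:
    """Assumed stand-in for the PAS dispatch loop: extract, then authenticate."""

    def __init__(self, extractors, authenticators):
        self.extractors = extractors
        self.authenticators = authenticators

    def validate(self, request):
        for extractor in self.extractors:
            creds = extractor.extractCredentials(request)
            if not creds:
                continue
            for auth in self.authenticators:
                result = auth.authenticateCredentials(creds)
                if result is not None:
                    return result[0]
        return None


PAS = MiniPAS([FormExtraction(), ClientCertExtraction()], [DictAuthentication()])


def login_with_form(login, password):
    return PAS.validate({'login': login, 'password': password})


def login_with_cert(cn, verified):
    return PAS.validate({'ssl_cn': cn, 'ssl_verified': verified})


if __name__ == '__main__':
    print(login_with_form('alice', 'wonderland-pw'))   # alice
    print(login_with_form('alice', '[]'))              # None: string is not the marker
    print(login_with_cert('bob', True))                # bob
    print(login_with_cert('bob', False))               # None: unverified cert
```

The same DictAuthentication plugin serves both the form and the certificate path, which is what option 3 buys over option 1: one user can log in either way without a second, duplicated authentication plugin.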