[Zope-PAS] Passwordless authentication

Zachery Bir zbir at urbanape.com
Mon Aug 30 11:39:46 EDT 2004


On Aug 30, 2004, at 10:36 AM, Lennart Regebro wrote:

> I notice that none of the Authentication plugins

None of the *provided* plugins ;^)

> can handle passwordless authentication (like for example SSL 
> Certificates, or most SSO solutions, which will not send the 
> password). This of course prevents any really secure solution to be 
> used at all, since you need to send the password in every request, or 
> store it in a session. ;)

Actually, PAS supports it. There are no assumptions made on what 
constitutes valid credentials. For something like this, though, you'll 
probably want a plugin that does both IExtractCredentialsPlugin and 
IAuthenticateCredentialsPlugin (since they will likely know what to 
look for from each other).

> Anyway, there are a couple of ways to solve this:
>
> 1. Write passwordless authentication plugins.
>    Drawback: 1. Lots of duplication of work/code.
>              2. Prevents logging in with both password and passwordless
>                 mechanisms on the same user.
>    Benefit:  1. See 2 above. :)

Ah, well, that's what I'd advocate. I don't personally like the idea of 
the same user logging in via multiple methods.

For what it's worth, I think the real value of PAS is the ease in 
writing new plugins and being able to avoid all the framework 
run-around, which is really where the "duplication of work/code" 
drawback comes from (IMHO).

> 4. Making PAS understand the difference: If no password exists in the
>    credentials, PAS could simply look up the user instead of calling
>    authenticateCredentials.
>    Drawback: What if there are other credentials, like domains?
>              I'm not sure how it is supposed to work then...

For this, you really want to double up your plugin to do both the 
extraction and the authentication.

Zac
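The paired extractor/authenticator that Zac recommends, written out as an added example for this thread (it is not PAS code and imports nothing from Zope). It models a client-certificate login: a TLS-terminating front end verifies the certificate and forwards the subject DN in a header, so the "credential" PAS sees is the verified subject, not a password. The header names, the trusted-proxy check, the certificate-to-user mapping and the `FakeRequest` stand-in are all assumptions, and the small `authenticate` driver only mimics what PAS does when it hands an extractor's output to the authenticators (it stamps the credentials with the extractor's id). The security point is in the two checks: the extractor trusts the headers only from the proxy that set them, and the authenticator accepts only credentials its own extractor produced, which is exactly why the two halves belong in one plugin.

```python
"""Paired extraction + authentication plugin for passwordless logins,
in the style of Zope's PAS (added example, not PAS or Zope code)."""

# Assumed header names: a TLS-terminating proxy verifies the client
# certificate and forwards the result in these headers. The real names
# depend on the proxy configuration.
VERIFY_HEADER = "X-SSL-Client-Verify"      # assumed to carry "SUCCESS"
CERT_SUBJECT_HEADER = "X-SSL-Client-S-DN"  # assumed to carry the subject DN

# Constructed sample mapping from certificate subject to (user_id, login).
CERT_USER_MAP = {
    "CN=alice,O=Example": ("alice", "alice"),
}


class FakeRequest:
    """Minimal stand-in for a Zope request; only header lookups are used."""

    def __init__(self, environ):
        self.environ = environ

    def getHeader(self, name, default=None):
        # CGI-style environment key, e.g. X-SSL-Client-Verify -> HTTP_X_SSL_CLIENT_VERIFY
        key = "HTTP_" + name.upper().replace("-", "_")
        return self.environ.get(key, default)


class CertAuthPlugin:
    """One object playing both the IExtractCredentialsPlugin and the
    IAuthenticateCredentialsPlugin role, so both halves agree on the
    shape of the credentials dict."""

    id = "cert_auth"

    def __init__(self, trusted_proxies):
        # Only requests arriving from these addresses may carry cert headers.
        self.trusted_proxies = set(trusted_proxies)

    def getId(self):
        return self.id

    # ---- extraction half -------------------------------------------------
    def extractCredentials(self, request):
        """Return {} when there is nothing to authenticate, else the
        verified certificate subject (no password involved)."""
        if request.environ.get("REMOTE_ADDR") not in self.trusted_proxies:
            # Headers from anywhere else could have been set by the client.
            return {}
        if request.getHeader(VERIFY_HEADER) != "SUCCESS":
            return {}
        subject = request.getHeader(CERT_SUBJECT_HEADER)
        if not subject:
            return {}
        return {"cert_subject": subject}

    # ---- authentication half ---------------------------------------------
    def authenticateCredentials(self, credentials):
        """Return (user_id, login) for a known subject, else None."""
        # Refuse credentials that did not come from this plugin's own
        # extractor; a password extractor's output has no verified subject.
        if credentials.get("extractor") != self.getId():
            return None
        subject = credentials.get("cert_subject")
        if not subject:
            return None
        return CERT_USER_MAP.get(subject)


def authenticate(plugin, request):
    """Tiny driver mimicking PAS: run the extractor, stamp the result with
    the extractor id, then ask the authenticator for a user."""
    credentials = plugin.extractCredentials(request)
    if not credentials:
        return None
    credentials["extractor"] = plugin.getId()
    return plugin.authenticateCredentials(credentials)


if __name__ == "__main__":
    plugin = CertAuthPlugin(trusted_proxies=["10.0.0.2"])
    # Constructed request as forwarded by the trusted proxy.
    req = FakeRequest({
        "REMOTE_ADDR": "10.0.0.2",
        "HTTP_X_SSL_CLIENT_VERIFY": "SUCCESS",
        "HTTP_X_SSL_CLIENT_S_DN": "CN=alice,O=Example",
    })
    print(authenticate(plugin, req))
```

Run stand-alone it prints the tuple for alice; the same request with the headers arriving directly from an untrusted address, or with a subject that is not in the map, yields no user, and credentials stamped with some other extractor's id are rejected outright.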
