[Zope-PAS] Passwordless authentication
Zachery Bir
zbir at urbanape.com
Mon Aug 30 11:39:46 EDT 2004
On Aug 30, 2004, at 10:36 AM, Lennart Regebro wrote:
> I notice that none of the Authentication plugins
None of the *provided* plugins ;^)
> can handle passwordless authentication (like for example SSL
> Certificates, or most SSO solutions, which will not send the
> password). This of course prevents any really secure solution from being
> used at all, since you need to send the password in every request, or
> store it in a session. ;)
Actually, PAS supports it. There are no assumptions made on what
constitutes valid credentials. For something like this, though, you'll
probably want a plugin that does both IExtractCredentialsPlugin and
IAuthenticateCredentialsPlugin (since they will likely know what to
look for from each other).
> Anyway, there are a couple of ways to solve this:
>
> 1. Write passwordless authentication plugins.
> Drawback: 1. Lots of duplication of work/code.
> 2. Prevents logging in with both password and passwordless
> mechanisms on the same user.
> Benefit: 1. See 2 above. :)
Ah, well, that's what I'd advocate. I don't personally like the idea of
the same user logging in via multiple methods.
For what it's worth, I think the real value of PAS is the ease in
writing new plugins and being able to avoid all the framework
run-around, which is really where the "duplication of work/code"
drawback comes from (IMHO).
> 4. Making PAS understand the difference: If no password exists in the
> credentials, PAS could simply look up the user instead of calling
> authenticateCredentials.
> Drawback: What if there are other credentials, like domains?
> I'm not sure how it is supposed to work then...
For this, you really want to double up your plugin to do both the
extraction and the authentication.
Zac
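The shape Zac recommends above, a single plugin that implements both the extraction and the authentication halves so each side knows what the other produced, sketched as an added example for a TLS-client-certificate case. This is not code from the original message or from PAS itself: the PAS base classes and interface declarations are left out so it runs without Zope, and only the method names and return contracts (extractCredentials(request) returns a mapping, authenticateCredentials(credentials) returns (user_id, login) or None) follow PAS. The FakeRequest class, the SSL_CLIENT_VERIFY / SSL_CLIENT_S_DN environment variables (mod_ssl-style names), the DN-to-user mapping and the helper authenticate_request are all assumptions for illustration.

```python
"""Passwordless PAS-style plugin sketch: one class does both extraction and
authentication, so the authenticator recognises exactly what its own
extractor emitted and ignores credentials from other extractors.

Stand-alone illustration (not PAS code): Zope base classes and interface
declarations are replaced with plain Python.
"""


class FakeRequest:
    """Constructed stand-in for a Zope request; only .environ is used."""

    def __init__(self, environ):
        self.environ = dict(environ)


class ClientCertPlugin:
    """Extract a verified TLS client-certificate subject and map it to a user.

    Assumption: the TLS terminator (mod_ssl-style) exposes SSL_CLIENT_VERIFY
    and SSL_CLIENT_S_DN in the CGI environment of the request.
    """

    # Marker so the authenticating half can recognise its own extractor's output.
    extractor_marker = "client_cert"

    def __init__(self, plugin_id, dn_to_user):
        self.id = plugin_id
        # Assumed mapping: certificate subject DN -> (user_id, login).
        self._dn_to_user = dict(dn_to_user)

    # --- extraction half (IExtractCredentialsPlugin in the thread's wording) ---
    def extractCredentials(self, request):
        env = request.environ
        # Only trust the subject DN if the TLS layer actually verified the
        # certificate; a DN without a successful verification is worthless.
        if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
            return {}
        dn = env.get("SSL_CLIENT_S_DN")
        if not dn:
            return {}
        # No password anywhere in the credentials: PAS imposes no shape here.
        return {"extractor": self.extractor_marker, "subject_dn": dn}

    # --- authentication half (IAuthenticateCredentialsPlugin) ---
    def authenticateCredentials(self, credentials):
        # Credentials produced by some other extractor (for example a
        # login/password form) are not ours to judge: return None so PAS
        # moves on to the next authenticator.
        if credentials.get("extractor") != self.extractor_marker:
            return None
        dn = credentials.get("subject_dn")
        # Unknown DN -> None (not authenticated), else (user_id, login).
        return self._dn_to_user.get(dn)


def authenticate_request(plugin, request):
    """Run the two halves the way PAS would chain them for this one plugin.

    Returns (user_id, login) or None.
    """
    credentials = plugin.extractCredentials(request)
    if not credentials:
        return None
    return plugin.authenticateCredentials(credentials)


if __name__ == "__main__":
    plugin = ClientCertPlugin("certs", {"CN=alice,O=Example": ("alice", "alice")})
    # Constructed environments: verified cert, unverified cert, password form.
    verified = FakeRequest({"SSL_CLIENT_VERIFY": "SUCCESS",
                            "SSL_CLIENT_S_DN": "CN=alice,O=Example"})
    unverified = FakeRequest({"SSL_CLIENT_VERIFY": "NONE",
                              "SSL_CLIENT_S_DN": "CN=alice,O=Example"})
    print(authenticate_request(plugin, verified))    # ('alice', 'alice')
    print(authenticate_request(plugin, unverified))  # None
    print(plugin.authenticateCredentials({"login": "alice", "password": "x"}))  # None
```

The `extractor` marker is what lets the two halves live in one class without stepping on the password-based plugins Lennart mentions: the certificate authenticator never sees a login/password pair as something it should accept, and a form-based authenticator would never see a `subject_dn`. In a real deployment the TLS terminator must be the only thing able to set those environment values; if a reverse proxy forwards them as headers, any client-supplied copies have to be stripped first.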