[Zope3-dev] PAS vs pluggableauth
Lennart Regebro
regebro at nuxeo.com
Wed Sep 8 11:38:42 EDT 2004
Jim Fulton wrote:
> Thoughts?
I did PluggableUserFolder partly as a "Zope 3 exercise" to see what was
needed of an authentication service. What I learned was pretty much the
same things as you mentioned (and also that I needed more granularity in
my plugins, I needed special search plugins and special property plugins
and such). PAS, although not 100% mature yet (but going there fast)
solves all those issues.
The only issues I currently have standing are these:
1. Currently, the challenge plugins can only create a challenge by
redirecting. This is because of a Zope2 limitation
(response.unauthorized is assumed to raise an exception) and is not a
problem with PAS itself. Also, PAS will hook into _before_traverse_ to
support the challenge-mechanism. That probably means that the challenge
interface for Zope2 PAS and Zope3 PAS may be different. Other than that,
it would be possible to write plugins that work both in Zope 2 and Zope
3, which would be a nice feature.
2. We have a bit of a problem in matching the extracted credentials with
a particular user, because the extraction of credentials is done by one
plugin, the validation of the credentials by a second, and the
enumeration of users by a third.
As it is just right now, the validation and enumeration plugin must be
the same. And since the validation and extraction plugins must
understand each other, they must basically ALSO be the same. Which means
that extraction, validation and enumeration plugins must be the same.
Which means that you can't use LDAP with CAS, for example, unless you
write a CASwithLDAP plugin, which of course kills the whole idea of
having plugins in the first place. This needs to be resolved.
Other than that, PAS is fine, and I think moving it into Zope 3 is a
good idea. Although maybe you should help to get this last PAS issue
ironed out first, or wait for us to do it. ;)
//Lennart