Repoze Blog

2008-04-27 00:00:00-05:00

Using repoze.who for Authentication with TurboGears 2

Since PyCon 2008 in March, we've been working within the TurboGears community on an authentication system based around repoze.who. repoze.who is a WSGI middleware authentication framework roughly modeled after Zope's Pluggable Authentication Service (PAS). repoze.who does less than PAS and shares no code with it, but it shares PAS's fundamental model: a pluggable framework with customizable identification, authentication, and metadata plugins. The goal of repoze.who is to let us use the authentication features we've become accustomed to under PAS when deploying other web frameworks under WSGI. As such, repoze.who is not tied to any particular web framework. It operates as its own framework, providing downstream applications with consumable authentication and identity information. In particular, it is tied to neither TurboGears nor Zope; it is tied only to WSGI, and could be used to provide similar functionality for one-off WSGI apps, Django, Pylons, or any other WSGI-capable web framework.
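To make the identification / authentication / metadata split concrete, here is a small, self-contained WSGI middleware that follows the same pluggable model and publishes the resulting identity in the WSGI environ for a framework-agnostic downstream app to consume. This is an added illustration, not repoze.who's own code or API: the plugin class names, the `auth.identity` environ key, and the sample user store are assumptions made for this example. It uses only the Python standard library so it runs offline.

```python
# Added illustration of a pluggable identification / authentication / metadata
# chain in WSGI middleware. NOT repoze.who's code or API: the class names, the
# "auth.identity" environ key and the user store below are assumptions made
# for this example.
import base64
import hashlib
import hmac
import os
from wsgiref.util import setup_testing_defaults


class BasicAuthIdentifier:
    """Identification plugin: pull raw credentials out of the request."""

    def identify(self, environ):
        scheme, _, blob = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        if scheme.lower() != "basic" or not blob:
            return None
        try:
            decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None  # malformed header: treat the request as anonymous, don't crash
        login, sep, password = decoded.partition(":")
        return {"login": login, "password": password} if sep else None


def make_record(password, salt=None):
    """Build a (salt, PBKDF2-SHA256 digest) pair for the constructed user store."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PBKDF2Authenticator:
    """Authentication plugin: map credentials to a user id, or None."""

    def __init__(self, users):
        self.users = users  # login -> (salt, digest)

    def authenticate(self, identity):
        record = self.users.get(identity.get("login"))
        # Run PBKDF2 even for unknown logins so both failure paths cost the same.
        salt, expected = record if record else (b"\0" * 16, b"\0" * 32)
        got = hashlib.pbkdf2_hmac("sha256", identity.get("password", "").encode("utf-8"), salt, 100_000)
        return identity["login"] if record and hmac.compare_digest(got, expected) else None


class GroupMetadataProvider:
    """Metadata plugin: attach group membership to an authenticated identity."""

    def __init__(self, groups):
        self.groups = groups  # userid -> frozenset of group names

    def add_metadata(self, environ, identity):
        identity["groups"] = self.groups.get(identity["userid"], frozenset())


class PluggableAuthMiddleware:
    """WSGI middleware: run the plugin chain, then hand the identity downstream."""

    IDENTITY_KEY = "auth.identity"  # assumed key for this example

    def __init__(self, app, identifiers, authenticators, mdproviders):
        self.app, self.identifiers = app, identifiers
        self.authenticators, self.mdproviders = authenticators, mdproviders

    def __call__(self, environ, start_response):
        identity = next((i for i in (p.identify(environ) for p in self.identifiers) if i), None)
        userid = None
        if identity is not None:
            userid = next((u for u in (a.authenticate(identity) for a in self.authenticators) if u), None)
        if userid is not None:
            identity.pop("password", None)  # never leak the secret into environ
            identity["userid"] = userid
            environ["REMOTE_USER"] = userid
            for provider in self.mdproviders:
                provider.add_metadata(environ, identity)
            environ[self.IDENTITY_KEY] = identity
        return self.app(environ, start_response)


def downstream_app(environ, start_response):
    """Framework-agnostic app that only consumes what the middleware published."""
    identity = environ.get(PluggableAuthMiddleware.IDENTITY_KEY)
    if identity is None:
        start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="demo"')])
        return [b"anonymous"]
    if "admin" not in identity["groups"]:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"forbidden for " + identity["userid"].encode()]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"welcome " + identity["userid"].encode()]


# Constructed sample data: fixed salts keep the example deterministic.
USERS = {"alice": make_record("correct horse", b"alice-fixed-salt"),
         "bob": make_record("battery staple", b"bob-fixed-salt!!")}
GROUPS = {"alice": frozenset({"admin", "users"}), "bob": frozenset({"users"})}
app = PluggableAuthMiddleware(downstream_app, [BasicAuthIdentifier()],
                              [PBKDF2Authenticator(USERS)], [GroupMetadataProvider(GROUPS)])


def basic(login, password):
    return "Basic " + base64.b64encode(f"{login}:{password}".encode()).decode()


def call(app, authorization=None):
    """Drive the WSGI stack in-process; returns (status, body)."""
    environ, captured = {}, {}
    setup_testing_defaults(environ)
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    body = b"".join(app(environ, lambda status, headers, exc_info=None: captured.setdefault("status", status)))
    return captured["status"], body


if __name__ == "__main__":
    for auth in (None, basic("alice", "correct horse"), basic("bob", "battery staple"),
                 basic("alice", "wrong"), "Basic !!!notbase64"):
        print(auth, "->", call(app, auth))
```

The point to notice is the contract, not the plugins: the downstream app never sees an `Authorization` header or a password, only `REMOTE_USER` and the identity dict the middleware chose to publish, so the same app works unchanged behind a different identifier or user store.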

The TurboGears trunk (which will at some point be released as TurboGears 2) is very different from the released 1.X version of TurboGears. Instead of using CherryPy as a controller dispatch mechanism, as TG 1.X does, it uses Pylons. One side effect of this change is that the venerable TG 1.X authentication and authorization code known as identity no longer works under the TurboGears trunk. So the identification, authentication, and authorization features that TurboGears 1.X users have become accustomed to are largely missing for people working off the trunk. An effort named Authority was established to provide the TG trunk with these features, and code exists in that project to that end. We've worked a bit with the folks who are creating Authority, and I hope there's some way to coalesce the two efforts into one in the future.

In the meantime, I created a sample set of repoze.who plugins and a repoze.who middleware configuration "on spec" for TG2 just for proof-of-concept. This eventually served as a template for Florent Aide, who subsequently developed a more-or-less feature complete set of repoze.who plugins and separate authorization facilities named tgrepozewho to provide functionality equivalent to TG 1.X's "identity" package for TG2 users. Florent also created a sample TG2 application named whotg that can make use of the authentication and authorization features provided by the tgrepozewho configuration package.

The fundamentals of Florent's TG2 application which makes use of repoze.who are these:

The result is a functional, customizable authentication and authorization system for TurboGears 2 that reuses the repoze.who framework. Hats off to Florent! This appears to be real evidence that we can move towards a "fourth generation" of Python web frameworks where coding framework-specific subsystems from scratch isn't always the norm, because the work that Florent did could be recast pretty easily for just about any TurboGears 2 or Pylons application (or Django application, etc).

- Chris
