One common piece of user feedback from the TurboGears 1 community:
Authentication and Authorization are somewhat too closely tied by identity.
At the same time, it was very, very nice to be able to offer people an out of the box solution to their total auth needs, and most brand-new web-application projects use a local database for both kinds of Auth, so TG1's Identity module was good enough as the 80% solution.
TG2 however, while still aimed at making it easy to get started, and easy to build new web applications, is also aimed at solving some of the more “industrial strength” problems that the current generation of “dynamic” web frameworks has not yet addressed. In the case of Auth*, we’re basically talking about using pre-existing auth services. Identity supported this, but it was a non-trivial exercise to get everything working.
So, in TG2, we’re partnering with the Repoze project folks to build up a simple, standard interface for authentication service providers. We’ve got a plugin for Repoze which adds a simple database authentication provider, and it works great. But at the same time, we want to make database-backed authorization as simple as possible, so we’ve also included some Authorization decorators (with the same API as the ones provided by Identity in TG1) and extended our basic Authorization provider to “decorate” the request with authorization information as well as the basic user authentication information provided by the standard Repoze.who middleware.
The nice thing is that while tg.repoze.who provides both Authentication and Authorization, it’s much easier to separate them if you want. Also I have high hopes that repoze.who becomes a standard authorization provider in the WSGI world, so non-TurboGears 2 WSGI apps can (and hopefully will) be designed to work with it out of the box.
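To make that separation concrete, here is a small added illustration (not tg.ext.repoze.who's or TurboGears' own code): authentication is a step that records an identity in the WSGI environ under `repoze.who.identity`, the key repoze.who actually uses, and authorization is a decorator modelled on TG1's `identity.require` / `in_group` that only reads that identity. The `groups` field, the `NotAuthorized` exception, the `handle` helper and the user table are constructed for this example.

```python
import functools
import hmac

# Constructed user table (plaintext passwords only to keep the example short).
USERS = {
    "alice": {"password": "wonderland", "groups": {"admin", "editor"}},
    "bob": {"password": "builder", "groups": {"editor"}},
}

class NotAuthorized(Exception):
    """Raised only by the authorization layer, never by authentication."""
def authenticate(environ, login, password):
    """Authentication only: decide who the caller is and store it under
    'repoze.who.identity', the environ key repoze.who uses ('groups' is assumed)."""
    user = USERS.get(login)
    if user and hmac.compare_digest(user["password"], password):
        environ["repoze.who.identity"] = {"repoze.who.userid": login,
                                          "groups": set(user["groups"])}
        return True
    return False

def in_group(name):
    """Predicate over a stored identity, like TG1's identity.in_group."""
    return lambda identity: name in identity.get("groups", ())
def require(predicate):
    """Authorization decorator like TG1's identity.require: it reads only the stored
    identity, so swapping the authenticator (database, LDAP) leaves controllers alone."""
    def decorator(controller):
        @functools.wraps(controller)
        def wrapper(environ, *args, **kwargs):
            identity = environ.get("repoze.who.identity")
            if identity is None:
                raise NotAuthorized("not authenticated")
            if not predicate(identity):
                raise NotAuthorized("forbidden")
            return controller(environ, *args, **kwargs)
        return wrapper
    return decorator

@require(in_group("admin"))
def admin_panel(environ):
    return "admin panel for " + environ["repoze.who.identity"]["repoze.who.userid"]

def handle(login, password, controller):
    # One request: authenticate, then run a guarded controller; return result or denial.
    environ = {}
    authenticate(environ, login, password)
    try:
        return controller(environ)
    except NotAuthorized as exc:
        return "denied: " + str(exc)
```

Because `require` never looks at passwords or the user table, replacing `authenticate` with an LDAP-backed one changes nothing in the guarded controllers, which is the point of keeping the two halves apart.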
There are LDAP and other plugins on the way, and the whole system is still evolving somewhat, but tg.ext.repoze.who is looking like a clean and useful library for both Authentication and Authorization, and it will provide a great platform for TG, Repoze, and hopefully other WSGI application and framework people to work together on the Auth problem.
Florent Aide and Chris McDonough have done all the heavy lifting on this, and I’m very excited about what they’ve done.