Thinking about Auth*

One common piece of user feedback from the TurboGears 1 community:

Authentication and Authorization are somewhat too closely tied by identity.

At the same time, it was very, very nice to be able to offer people an out-of-the-box solution to their total auth needs, and most brand-new web-application projects use a local database for both kinds of Auth, so TG1’s Identity module was good enough as the 80% solution.

TG2, however, while still aimed at making it easy to get started and easy to build new web applications, is also aimed at solving some of the more “industrial strength” problems that the current generation of “dynamic” web frameworks has not yet addressed. In the case of Auth*, we’re basically talking about using pre-existing auth services. Identity supported this, but it was a non-trivial exercise to get everything working.

So, in TG2, we’re partnering with the Repoze project folks to build up a simple, standard interface for authentication service providers. We’ve got a plugin for Repoze which adds a simple database authentication provider, and it works great. But at the same time, we want to make database-backed authorization as simple as possible, so we’ve also included some Authorization decorators (with the same API as the ones provided by Identity in TG1) and extended our basic Authorization provider to “decorate” the request with authorization information as well as the basic user authentication information provided by the standard repoze.who middleware.

The nice thing is that while tg.repoze.who provides both Authentication and Authorization, it’s much easier to separate them if you want. Also, I have high hopes that repoze.who becomes a standard authorization provider in the WSGI world, so non-TurboGears 2 WSGI apps can (and hopefully will) be designed to work with it out of the box.
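To make the separation concrete, here is a small standard-library sketch, added here as an illustration and not taken from repoze.who or TurboGears: the authenticator can be swapped between a local table and a pre-existing upstream service without touching the authorization decorator. The names `demo.identity`, `demo.credentials`, `IdentityMiddleware`, `require_group` and the sample users are all hypothetical, and the upstream variant assumes a trusted front end is the only thing that can set `REMOTE_USER`.

```python
import hashlib, hmac
def _hash(password, salt=b"constructed-salt"):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {"alice": _hash("correct horse")}   # constructed sample account
GROUPS = {"alice": {"managers"}}            # constructed; any other user has no groups

def local_db_authenticator(environ):
    """Authentication against a local table: returns a user id or None."""
    login, password = environ.get("demo.credentials", ("", ""))
    ok = login in USERS and hmac.compare_digest(USERS[login], _hash(password))
    return login if ok else None

def upstream_authenticator(environ):  # assumes a trusted front end sets REMOTE_USER
    return environ.get("REMOTE_USER") or None

class IdentityMiddleware:
    """Decorates the request with who the user is and which groups they hold."""
    def __init__(self, app, authenticator):
        self.app, self.authenticator = app, authenticator
    def __call__(self, environ, start_response):
        environ.pop("demo.identity", None)  # drop anything set before this layer
        userid = self.authenticator(environ)
        if userid is not None:
            environ["demo.identity"] = {"userid": userid, "groups": GROUPS.get(userid, set())}
        return self.app(environ, start_response)

def require_group(group):
    """Authorization decorator: reads the identity, knows nothing about passwords."""
    def decorator(app):
        def wrapper(environ, start_response):
            identity = environ.get("demo.identity")
            if identity is not None and group in identity["groups"]:
                return app(environ, start_response)
            status = "401 Unauthorized" if identity is None else "403 Forbidden"
            start_response(status, [("Content-Type", "text/plain")])
            return [status.encode()]
        return wrapper
    return decorator

@require_group("managers")
def admin_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"admin area"]

def status_for(authenticator, environ):
    seen = []
    IdentityMiddleware(admin_app, authenticator)(environ, lambda s, h: seen.append(s))
    return seen[0]
```

`status_for(upstream_authenticator, {"REMOTE_USER": "alice"})` and `status_for(local_db_authenticator, {"demo.credentials": ("alice", "correct horse")})` both reach the same `admin_app` through the same decorator; only the authentication step differs.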

There are LDAP and other plugins on the way, and the whole system is still evolving somewhat, but tg.ext.repoze.who is looking like a clean and useful library for both Authentication and Authorization, and it will provide a great platform for TG, Repoze, and hopefully other WSGI application and framework people to work together on the Auth problem.

Florent Aide and Chris McDonough have done all the heavy lifting on this, and I’m very excited about what they’ve done.

Thanks guys!

2 Responses to “Thinking about Auth*”


  1. I’d like to add that I’m using repoze.who with TG1 already (using my own glue code for SecureControllers etc.) and it works really well. With repoze.who it was quite easy to support different types of users which are stored in different database tables.

    So with repoze.who you are really a lot more flexible than with the old identity. The only thing I’m missing currently (not sure if tgrepozewho has some code for it) is that you can configure the authentication mechanisms by using the TurboGears configuration system. On the other hand, this is no requirement for my current project, so I never bothered writing some code for this feature.

  2. Congratulations! I’m really stoked for TG2. I work with numerous TurboGears applications each day and for a while tried to get into TG development to help the cause.

    Unfortunately I hopped in right when most of the test cases in the trunk of TG stopped working and I (and my roommates who were also helping) became overwhelmed.

    May your work on providing stability in the storm of TG2 help provide an entry point for new developers! I know I’d love to help!
