[Twisted-Python] Twisted.web, txOAuth and custom login pages
Laurens Van Houtven
lvh at laurensvh.be
Tue Aug 24 04:57:29 MDT 2010
Hey,

I'm writing txOAuth. Basically the idea is to abstract all the OAuth stuff
away so that people can just do boring old web auth.

I've seen JP's 60 seconds post but it appears to be HTTP Authentication
centric. I'd like to be able to offer users pretty login pages. Also, OAuth
logins typically have to inform the user about more stuff, such as who *we*
think authenticated the request (as a measure against forgery), and which
privileges exactly they've requested. That makes a pretty login page
something to want.

I've also found sources on how to do it with Woven, but I'm pretty sure I'm
not supposed to do that anymore. Some of them refer to Nevow as the shiny
new thing to use, but since I'm not trying to actually BUILD such a login
page (I'm merely trying to cater to other people that do), I don't think I
need it.

I'm not sure how much of the default stuff can be reused, because OAuth is a
bit different: authenticating the end-user (that's you!) relies on
redirection. Unfortunately the login page itself might redirect the user
many times already, so there must be some way of getting back to my library
with a redirectable request.

Also I'm not sure if I should be using Cred here or if it's just
complicating stuff. I think you can model the three-legged auth as two
two-legged auths: the client is authenticating to me, and the end-user is
authenticating to me. That way, you could use HTTPAuthSessionWrapper to
authenticate clients, and its realm would return the login page. This sounds
pretty complex to me.

One really simple API I can think of is just passing a custom object around
that has a deferred. Once you've successfully authenticated the end-user,
you fire it with a Request (which I can then properly redirect), as
explained above. (Same with errback chain; again, I need a request to return
the error to the client that initiated the request.)

Any thoughts?

Thanks,
lvh