Abdul Muneer

Reputation: 973

Pyramid: Is it possible to use Authorization without Authentication?

My organization uses OpenAM SSO for authentication and my app is written in Pyramid. The user id will be passed in an HTTP header. I can also configure it to pass groups and permissions as well, which I can use in the ACL. This makes the authentication in Pyramid redundant. Is it possible to do away with the Authentication Policy altogether and go with authorization alone?

Upvotes: 2

Views: 443

Answers (1)

Michael Merickel

Reputation: 23331

You need a way to tell pyramid's authorization system who the person is (their effective principals). That is the responsibility of the authentication policy, even if it's something as simple as parsing a header.

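from pyramid.security import Authenticated, Everyone

class CustomAuthenticationPolicy(object):
    def effective_principals(self, request):
        # Everyone applies to every request, authenticated or not
        principals = [Everyone]

        identity = request.headers.get('x-identity')
        # validate the identity somehow (is_valid is a placeholder to implement)
        if is_valid(identity):
            principals += [Authenticated, identity, 'g:editors']
        return principals

# config is the application's Configurator
config.set_authentication_policy(CustomAuthenticationPolicy())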

Upvotes: 4
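An added example, not part of the answer above and not Pyramid's own code: one way to fill in the "validate the identity somehow" step is to accept the SSO headers only when the request arrives from the SSO proxy's address, and to reject values that could pass for another principal such as `g:admins`. The `x-groups` header name, the `trusted_proxies` list, the name pattern and the `make_request` stand-in are assumptions made for this sketch.

```python
import re
from types import SimpleNamespace

try:
    from pyramid.security import Authenticated, Everyone
except ImportError:  # same string values Pyramid defines, so this runs without it
    Everyone, Authenticated = 'system.Everyone', 'system.Authenticated'

# Assumed format for user and group names; ':' is excluded on purpose.
_SAFE_NAME = re.compile(r'^[A-Za-z0-9._@-]{1,64}$')

class HeaderAuthenticationPolicy(object):
    """Trust SSO identity headers only when sent by the SSO proxy."""

    def __init__(self, trusted_proxies, id_header='x-identity', groups_header='x-groups'):
        self.trusted_proxies = frozenset(trusted_proxies)
        self.id_header = id_header
        self.groups_header = groups_header  # assumed header name

    def unauthenticated_userid(self, request):
        return request.headers.get(self.id_header)  # raw claim, not yet trusted

    def authenticated_userid(self, request):
        identity = self.unauthenticated_userid(request)
        # A client that reaches the app directly can set any header it likes,
        # so accept the claim only from the proxy and only if well formed.
        if request.remote_addr not in self.trusted_proxies:
            return None
        if not identity or not _SAFE_NAME.match(identity):
            return None
        return identity

    def effective_principals(self, request):
        principals = [Everyone]
        identity = self.authenticated_userid(request)
        if identity is not None:
            principals += [Authenticated, identity]
            raw = request.headers.get(self.groups_header, '')
            groups = [g.strip() for g in raw.split(',')]
            principals += ['g:' + g for g in groups if _SAFE_NAME.match(g)]
        return principals

    def remember(self, request, userid, **kw):
        return []  # the SSO layer owns the session; nothing to set here

    def forget(self, request):
        return []

def make_request(remote_addr, headers):
    # Constructed stand-in for a Pyramid request (only the attributes used above).
    return SimpleNamespace(remote_addr=remote_addr, headers=headers)
```

The address check only holds if the application is not reachable except through the proxy, and if the proxy strips any client-supplied copies of these headers before adding its own.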
