Graceful will support authentication feature?
PipocaZalas opened this issue · 7 comments
Hi, recently I found this repository while searching for some code about authentication and authorization of requests. Please tell me if you are going to support this feature in the future. Some code about it could help me a lot.
Hmm I did not think about that.
In case of authentication I thought about using falcon request hooks for that. talons provides a set of built-in authentication methods.
As far as I remember the resource-specific authorization was tricky in the old days of falcon because hooks were not aware of the related resource class object. Still, I remember this has changed and hooks are way more elastic now. So, I think more authorization can be implemented in resource class code.
I don't know if graceful is the best place to provide some auth implementation tools but there is nothing wrong in trying to do that as long as it will be optional. Do you have any ideas for the possible API for that?
Yes, I have been thinking about how to implement a simple, flexible and faster way to manage auth; there are actually many ways to manage auth, at least in theory.
I like falcon because it is concerned with performance, but talons implements a dirty way to manage auth, iterating through routes for each request; I guess that falcon already does that. falcon hooks for each on_* seem more efficient.
Anyway, actually I think there is more need for a falcon boilerplate. I hope to have more time to create one, and I have no repository to keep.
talons seems to be dead and falcon hooks are now replaced by app-level middleware (not to be confused with WSGI middlewares). Also, falcon does not provide any basic authentication/authorization primitives beyond basic HTTP exceptions that may be raised and the middleware framework.
So we are generally left with nothing.
Using WSGI middleware sounds like a viable solution but makes it harder to set per-resource authentication and authorization restrictions. It would be great if we could set auth demands on a per-resource basis.
I think it is the right time to consider adding something on our own. I have some draft solution that I can extract from my own application and include in graceful sources. It is only authentication middleware but I think it could be a good basis for further extension.
@MackYoel Did you create/find any good solution? Could you share your experience or design ideas?
Some initial requirements for this feature:
- Authentication layer must be separated from authorization layer
- Authentication layer is the only one responsible for identifying clients and providing user object to the request context (the req.context dictionary). It should not have any other responsibilities.
- Authorization layer is the only one responsible for accessing/denying request to resources depending on user object from the context. It always relies on authentication layer.
- Authentication should be global for the application (preferably as falcon middleware class) and it should be possible to provide multiple independent authentication layers. Order of processing authentication methods should be strictly defined, deterministic, and simple.
- Authorization methods/requirements should be defined per-resource. Preferably using hooks.
@MackYoel If you are still interested in this feature we have just now released new auth support in 0.4.0 version of graceful.
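
The requirements listed earlier in this thread, as an added sketch that is not code from graceful or from any participant here. It imports no framework: `Forbidden`, `TokenAuth`, `AuthenticationMiddleware`, `authorize`, `ReportResource`, `AUTH` and `dispatch` are hypothetical names, the request/response objects are stand-ins, and only the `process_resource(req, resp, resource, params)` shape is modelled on falcon middleware.

```python
import hmac
from types import SimpleNamespace

class Forbidden(Exception): pass  # stand-in for the framework's HTTP 401/403 errors

class TokenAuth:
    """Authentication method: maps a header credential to a user, nothing else."""
    def __init__(self, header, users_by_token):
        self.header, self.users_by_token = header, users_by_token
    def identify(self, req):
        presented = req.headers.get(self.header, "").encode()
        for token, user in self.users_by_token.items():
            if hmac.compare_digest(presented, token.encode()):  # constant-time
                return user
        return None

class AuthenticationMiddleware:
    """Global layer: tries methods in list order, first match wins, never denies."""
    def __init__(self, methods):
        self.methods = list(methods)
    def process_resource(self, req, resp, resource, params):
        users = (m.identify(req) for m in self.methods)  # lazy: stops at first hit
        # Always set the key, so a missing identity is an explicit None.
        req.context["user"] = next((u for u in users if u is not None), None)

def authorize(check):
    """Per-resource layer: decides only from req.context['user'], fails closed."""
    def decorator(responder):
        def wrapper(self, req, resp, **params):
            user = req.context.get("user")
            if user is None or not check(user):
                raise Forbidden()
            return responder(self, req, resp, **params)
        return wrapper
    return decorator

class ReportResource:
    @authorize(lambda user: "admin" in user["roles"])
    def on_get(self, req, resp, **params):
        resp.body = "report for " + req.context["user"]["name"]

AUTH = AuthenticationMiddleware([  # constructed sample credentials, tried in order
    TokenAuth("X-Api-Key", {"k-admin": {"name": "alice", "roles": ["admin"]}}),
    TokenAuth("X-Session", {"s-bob": {"name": "bob", "roles": ["reader"]}}),
])

def dispatch(headers):  # constructed stand-in for one GET request cycle
    req, resp = SimpleNamespace(headers=headers, context={}), SimpleNamespace(body=None)
    AUTH.process_resource(req, resp, ReportResource, {})
    ReportResource().on_get(req, resp)
    return resp.body
```

The authentication layer never rejects a request itself; an unidentified client reaches the resource with `user` set to `None`, and the per-resource check is the single place where access is denied.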