Authentication, Authorization, OAuth, OpenID Connect and Pyramid

  • Published on
    11-Apr-2017


Transcript

Altair (Authentication) (Authorization) (authentication factors)

Web / HTTP: URL, Authorization, IP, SSL

Access control by client IP address (https://example.com/secretpage, 403):

    GET /secretpage HTTP/1.1
    HTTP/1.1 403 Forbidden

    GET /secretpage HTTP/1.1
    HTTP/1.1 200 OK

HTTP Basic authentication (https://example.com/secretpage, 401):

    GET /secretpage HTTP/1.1
    HTTP/1.1 401 Authorization Required
    WWW-Authenticate: Basic; realm=

    GET /secretpage HTTP/1.1
    Authorization: basic
    HTTP/1.1 200 OK

    GET /anotherpage HTTP/1.1          (https://example.com/anotherpage)
    Authorization: basic
    HTTP/1.1 200 OK

Form login with a session cookie (Login page, https://example.com/login):

    GET /secretpage HTTP/1.1
    HTTP/1.1 302 Moved Temporarily
    Location: /login

    GET /login HTTP/1.1
    HTTP/1.1 200 OK                    (Login page)

    POST /login HTTP/1.1
    user=aaa&passwd=bbb
    HTTP/1.1 302 Moved Temporarily
    Location: /secretpage
    Set-Cookie: xxx=yyy; path=/

    GET /anotherpage HTTP/1.1
    Cookie: xxx=yyy
    HTTP/1.1 200 OK

OAuth (Web API between A and B; steps 2-3 involve the provider):
  1. provider
  2. GET
  3. consumer URL
  4. URL, GET, code (code, code)
  5. Consumer, provider API, POST: client_id, redirect_uri; client_id, client_secret
  6. Provider, consumer: access_token
  7. Consumer, Provider API
  Roles: Consumer (), Provider (), User agent ()

OpenID Connect (OpenID 2.0, OAuth 2.0, OpenID, JWT (JSON Web Token); steps 2-3 involve the provider):
  1. provider
  2. GET
  3. consumer URL
  4. URL, GET, code (code, code)
  5. Consumer, provider API, POST: client_id, redirect_uri; client_id, client_secret
  6. Provider, consumer: ID token, access_token
  7. Consumer, Provider API
  Roles: Consumer (), Provider (), User agent ()
  id_token, nonce, max_age

Pyramid: Authentication and Authorization in Pyramid
  (IAuthenticationPolicy) (IAuthorizationPolicy) (principals) ACL (access control list)
  view_config permission
  IAuthorizationPolicy permits(): when permits() returns False, HTTPForbidden is raised and the forbidden view is shown
  IAuthenticationPolicy effective_principals(): principals
  ACLAuthorizationPolicy: Context __acl__ (ACE = Access Control Entry); IAuthenticationPolicy.effective_principals() principals, permission

    __acl__ = [
        (Allow, Authenticated, 'authenticated'),
        (Deny, 'group:XXX:YYY', 'excluded'),
        (Allow, 'membership:XXX', 'member_only'),
    ]
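As an added illustration that is not code from the slides or from Pyramid itself, the block below re-implements the first-match ACL walk that Pyramid's ACLAuthorizationPolicy.permits() performs and runs it against the __acl__ above; the Context class, the small effective_principals() stand-in, the check() wrapper and the placeholder principal names 'group:XXX:YYY' / 'membership:XXX' (taken from the slides) are assumptions made here, and Pyramid's ALL_PERMISSIONS marker is not modelled.

```python
Allow, Deny = "Allow", "Deny"
Everyone = "system.Everyone"          # Pyramid's well-known principal names
Authenticated = "system.Authenticated"


class Context:
    """Resource carrying an __acl__; __parent__ forms the lineage Pyramid walks."""

    def __init__(self, acl, parent=None):
        self.__acl__ = acl
        self.__parent__ = parent


def effective_principals(userid, groups=()):
    """Stand-in for IAuthenticationPolicy.effective_principals(): Everyone always,
    plus Authenticated, the userid and any group principals once logged in."""
    principals = [Everyone]
    if userid is not None:
        principals += [Authenticated, userid, *groups]
    return principals


def permits(context, principals, permission):
    """Walk from context to the root; the first ACE whose principal is among the
    effective principals and whose permissions contain `permission` decides.
    Deny short-circuits, and no matching ACE at all means denied."""
    node = context
    while node is not None:
        for action, principal, perms in getattr(node, "__acl__", ()):
            if isinstance(perms, str):
                perms = (perms,)
            if principal in principals and permission in perms:
                return action == Allow
        node = getattr(node, "__parent__", None)
    return False


# The ACL from the slides; the group / membership names are placeholders.
SLIDE_ACL = [
    (Allow, Authenticated, "authenticated"),
    (Deny, "group:XXX:YYY", "excluded"),
    (Allow, "membership:XXX", "member_only"),
]
root = Context(SLIDE_ACL)


def check(userid, groups, permission):
    """What a view declared with view_config(permission=...) would see:
    True means the view runs, False means HTTPForbidden (the forbidden view)."""
    return permits(root, effective_principals(userid, groups), permission)
```

Because evaluation stops at the first matching ACE, the order of entries matters: a Deny placed before an Allow for the same permission wins for anyone who carries the denied principal.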
