Authentication, Authorization, OAuth, OpenID Connect and Pyramid

Altair

Authentication and Authorization

Authentication factors

Authorization on the Web (HTTP): access to a resource is granted or refused by URL, by client IP address, or by SSL.

Example: authorization by IP address. The client requests https://example.com/secretpage and is refused with 403:

    GET /secretpage HTTP/1.1

    HTTP/1.1 403 Forbidden

The same request from an allowed IP address is answered with 200:

    GET /secretpage HTTP/1.1

    HTTP/1.1 200 OK

Authentication on the Web

Example: HTTP Basic authentication. The client requests https://example.com/secretpage and is challenged with 401:

    GET /secretpage HTTP/1.1

    HTTP/1.1 401 Authorization Required
    WWW-Authenticate: Basic realm="..."

The client repeats the request with its credentials in the Authorization header and receives 200:

    GET /secretpage HTTP/1.1
    Authorization: Basic ...

    HTTP/1.1 200 OK

Every later request, for example to https://example.com/anotherpage, carries the same header and is answered with 200:

    GET /anotherpage HTTP/1.1
    Authorization: Basic ...

    HTTP/1.1 200 OK

Example: form login with a session cookie. The client requests https://example.com/secretpage and is redirected (302) to the login page at https://example.com/login:

    GET /secretpage HTTP/1.1

    HTTP/1.1 302 Moved Temporarily
    Location: /login

    GET /login HTTP/1.1

    HTTP/1.1 200 OK          (the login page)

The client posts its credentials; the server sets a session cookie and redirects back to the protected page:

    POST /login HTTP/1.1

    user=aaa&passwd=bbb

    HTTP/1.1 302 Moved Temporarily
    Location: /secretpage
    Set-Cookie: xxx=yyy; path=/

Later requests, for example to https://example.com/anotherpage, carry the cookie and are answered with 200:

    GET /anotherpage HTTP/1.1
    Cookie: xxx=yyy

    HTTP/1.1 200 OK

OAuth: a Web application (A) obtains delegated access to a user's data held behind another Web service's API (B), without the user handing A their credentials for B.

OAuth flow (2-3: provider). The parties are the Consumer (the client application), the Provider (the service that holds the user's data and exposes the API) and the User agent (the user's browser):

1. The user asks the consumer to connect to the provider.
2. The consumer redirects the user agent to the provider's authorization URL (GET).
3. The user grants access at the provider, which redirects the user agent back to the consumer's URL.
4. The user agent GETs that URL; the request carries the authorization code, which the consumer receives.
5. The consumer POSTs the code to the provider's token API together with client_id and redirect_uri, authenticating itself with its client_id and client_secret.
6. The provider returns an access_token to the consumer.
7. The consumer calls the provider's API with the access_token.

OpenID Connect: the successor to OpenID 2.0, built on top of OAuth 2.0. The provider delivers the user's identity to the consumer as a JWT (JSON Web Token).

OpenID Connect flow (2-3: provider). The parties are the Consumer (the client application), the Provider (the identity provider and its API) and the User agent (the user's browser):

1. The user asks the consumer to sign in with the provider.
2. The consumer redirects the user agent to the provider's authorization URL (GET).
3. The user authenticates and consents at the provider, which redirects the user agent back to the consumer's URL.
4. The user agent GETs that URL; the request carries the authorization code, which the consumer receives.
5. The consumer POSTs the code to the provider's token API together with client_id and redirect_uri, authenticating itself with its client_id and client_secret.
6. The provider returns an ID token and an access_token to the consumer.
7. The consumer calls the provider's API with the access_token.

Parameters specific to OpenID Connect: id_token (the JWT carrying the identity), nonce and max_age.

Authentication and Authorization in Pyramid

Pyramid separates the authentication policy (IAuthenticationPolicy) from the authorization policy (IAuthorizationPolicy). The authentication policy establishes the request's principals; the authorization policy decides against an ACL (access control list).

A view registered with view_config(permission=...) is guarded by IAuthorizationPolicy.permits(). When permits() returns False, Pyramid raises HTTPForbidden, which is then rendered by the forbidden view.

The principals of a request come from the authentication policy: IAuthenticationPolicy.effective_principals() returns the list of principals for the current request.

ACLAuthorizationPolicy reads the __acl__ of the context, a list of ACEs (ACE = Access Control Entry). Each ACE names an action, a principal and one or more permissions; the principals returned by IAuthenticationPolicy.effective_principals() are matched against the ACEs for the permission the view requires:

    __acl__ = [
        (Allow, Authenticated, 'authenticated'),
        (Deny, 'group:XXX:YYY', 'excluded'),
        (Allow, 'membership:XXX', 'member_only'),
    ]
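Added example, not from the slides and not Pyramid's own code: a small Python re-implementation of the ACL evaluation that Pyramid's ACLAuthorizationPolicy performs, with the slide's __acl__ loaded onto a stand-in resource. Resource, HTTPForbidden, effective_principals and call_view are assumed stand-ins for the Pyramid objects they mimic.

```python
# Added example, not Pyramid's own code: a re-implementation of how Pyramid's
# ACLAuthorizationPolicy evaluates __acl__. Modelled semantics: walk the
# context and its __parent__ chain; the first ACE whose principal is in the
# request's principals and whose permissions include the requested one decides
# (Allow or Deny); no matching ACE means Deny.
from dataclasses import dataclass, field
Allow, Deny = "Allow", "Deny"                           # Pyramid's ACE actions
Everyone, Authenticated = "system.Everyone", "system.Authenticated"

@dataclass
class Resource:
    """Stand-in for a Pyramid context object (traversal resource)."""
    acl: list = field(default_factory=list)             # plays the role of __acl__
    parent: "Resource | None" = None                    # plays the role of __parent__

class HTTPForbidden(Exception):
    """Stand-in for pyramid.httpexceptions.HTTPForbidden."""

def effective_principals(userid=None, groups=()):
    """What an authentication policy typically reports for a request."""
    principals = [Everyone]
    if userid is not None:
        principals += [Authenticated, userid, *groups]
    return principals

def permits(context, principals, permission):
    node = context
    while node is not None:                              # lineage: context, parent, ...
        for action, principal, perms in node.acl:
            if principal not in principals:
                continue
            if isinstance(perms, str):                   # a single name or a sequence
                perms = (perms,)
            if permission in perms:
                return action == Allow                   # first matching ACE decides
        node = node.parent
    return False                                         # implicit deny

def call_view(context, principals, permission, view):
    """What view_config(permission=...) does before running the view."""
    if not permits(context, principals, permission):
        raise HTTPForbidden(permission)                  # rendered by the forbidden view
    return view(context)

# The ACL from the slide on a root resource; a child inherits it via lineage
ROOT = Resource(acl=[(Allow, Authenticated, "authenticated"),
                     (Deny, "group:XXX:YYY", "excluded"),
                     (Allow, "membership:XXX", "member_only")])
CHILD = Resource(parent=ROOT)
```

Note that the Deny ACE only affects the 'excluded' permission: a principal in both group:XXX:YYY and membership:XXX is still allowed 'member_only'.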