[Zope-PAS] Passwordless authentication

Lennart Regebro regebro at nuxeo.com
Mon Aug 30 10:36:38 EDT 2004


I notice that none of the Authentication plugins can handle passwordless 
authentication (like for example SSL Certificates, or most SSO 
solutions, which will not send the password). This of course prevents 
any really secure solution from being used at all, since you need to send the 
password in every request, or store it in a session. ;)

Anyway, there are a couple of ways to solve this:

1. Write passwordless authentication plugins.
    Drawback: 1. Lots of duplication of work/code.
              2. Prevents logging in with both password and passwordless
                 mechanisms on the same user.
    Benefit:  1. See 2 above. :)

2. Have the extraction plugin look up the user's password!
    Drawbacks: Ugly.
               Does not work with typical LDAP setups.
    Benefit:   Does not require authentication plugin fixing.

3. Magick cookie password: An extraction plugin that does not provide a
    password will instead provide a marker. This marker is a special
    python object defined once and once only in
    PluggableAuthenticationService, like so:

    _no_password_marker = []

    Any authentication plugins would then have to check if the password
    provided is this marker, and then just look up the user, and not
    check the password.
    This is the technique used in Pluggable User Folder.

    Benefit: Works
    Drawback: All Authentication plugins need to take care of this.

4. Making PAS understand the difference: If no password exists in the
    credentials, PAS could simply look up the user instead of calling
    authenticateCredentials.
    Drawback: What if there are other credentials, like domains?
              I'm not sure how it is supposed to work then...

5. ???? More ideas?

//Lennart
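The marker approach from option 3, worked through as an added stand-alone example (this is not Zope PAS or Pluggable User Folder code; the class names FormExtractor, CertExtractor, SimpleAuthenticator, the authenticate() driver, the request keys and the in-memory USERS table are all assumptions constructed for illustration). The point a practitioner should take from it is that the marker is recognised by object identity (`is`), so nothing arriving in a request can ever equal it, whereas a value comparison (`==`) against an empty list would be a real weakness.

```python
import hmac

# Defined once and once only (in PAS this would live in
# PluggableAuthenticationService); plugins compare against it by identity.
_no_password_marker = []

# Constructed sample user store for the example. Plaintext passwords are
# used only to keep the illustration short; a real store would hold hashes.
USERS = {
    "alice": {"password": "correct horse", "cert_cn": "alice.example"},
    "bob": {"password": "hunter2", "cert_cn": None},
}


class FormExtractor:
    """Extraction plugin for a login form: supplies a real password."""

    def extractCredentials(self, request):
        login = request.get("__ac_name")
        password = request.get("__ac_password")
        if login is None or password is None:
            return {}
        return {"login": login, "password": password}


class CertExtractor:
    """Extraction plugin for client-certificate logins. The TLS front end
    has already verified the certificate, so there is no password to pass
    on; the plugin supplies the marker instead (option 3 in the post)."""

    def extractCredentials(self, request):
        # SSL_CLIENT_S_DN_CN is an assumed header name for the example.
        cn = request.get("SSL_CLIENT_S_DN_CN")
        if not cn:
            return {}
        for login, rec in USERS.items():
            if rec["cert_cn"] == cn:
                return {"login": login, "password": _no_password_marker}
        return {}


class SimpleAuthenticator:
    """Authentication plugin that understands the marker."""

    def authenticateCredentials(self, credentials):
        login = credentials.get("login")
        password = credentials.get("password")
        rec = USERS.get(login)
        if rec is None:
            return None
        # Identity check: only the single marker object passes here. A string
        # or even another empty list coming from a request never will.
        if password is _no_password_marker:
            return (login, login)
        if not isinstance(password, str):
            return None
        # Constant-time comparison for the ordinary password path.
        if hmac.compare_digest(rec["password"].encode(), password.encode()):
            return (login, login)
        return None


EXTRACTORS = [CertExtractor(), FormExtractor()]
AUTHENTICATORS = [SimpleAuthenticator()]


def authenticate(request):
    """Run the PAS-style chain: first extractor that yields credentials,
    first authenticator that accepts them. Returns (user_id, login) or None."""
    for extractor in EXTRACTORS:
        credentials = extractor.extractCredentials(request)
        if not credentials:
            continue
        for authenticator in AUTHENTICATORS:
            result = authenticator.authenticateCredentials(credentials)
            if result is not None:
                return result
    return None


if __name__ == "__main__":
    print(authenticate({"SSL_CLIENT_S_DN_CN": "alice.example"}))
    print(authenticate({"__ac_name": "alice", "__ac_password": "wrong"}))
    print(authenticate({"__ac_name": "bob", "__ac_password": []}))
```

The last call in the usage shows why identity matters: a password that is value-equal to the marker (another empty list) is rejected, because `[] is _no_password_marker` is false. In modern Python `object()` is the more idiomatic sentinel than `[]`, but the mechanism is the same as the one the post describes.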