Thread: Communicating authenticated user information

Communicating authenticated user information
user name
2006-01-22 16:22:09

Typically, web servers provide access logs that include a label for the authenticated user.

Often, WSGI applications (or middleware) provide their own user authentication facilities.  Well, Zope does.

There doesn't seem to be a standard way for WSGI applications or middleware to communicate the information necessary for a server to log the authenticated user back to the server.

Am I missing something?  How do other people handle this?

Is Zope the only WSGI application that performs authentication itself?

Jim

-- 
Jim Fulton           mailto:jim@zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org
_______________________________________________
Web-SIG mailing list
Web-SIG@python.org
Web SIG: http://www.python.org/sigs/web-sig
Unsubscribe: http://mail.python.org/mailman/options/web-sig/bond%40yahoo.com
Communicating authenticated user information
user name
2006-01-22 16:34:03

At 11:22 AM 1/22/2006 -0500, Jim Fulton wrote:
>Typically, web servers provide access logs that include a label
>for the authenticated user.
>
>Often, WSGI applications (or middleware) provide their own user
>authentication facilities.  Well, Zope does.
>
>There doesn't seem to be a standard way for WSGI applications or
>middleware to communicate the information necessary for a server
>to log the authenticated user back to the server.
>
>Am I missing something?  How do other people handle this?
>
>Is Zope the only WSGI application that performs authentication
>itself?

I think Zope is the only WSGI application that cares about communicating this information back to the web server's logs.  Or at least, the only one whose author has said so.

Perhaps an "X-Authenticated-User: foo" header could be added in a future spec version?  (And as an optional feature in the current PEP.)  This seems a simpler way to incorporate the feature than adding an extension API to environ.

Communicating authenticated user information
user name
2006-01-22 17:13:50

Phillip J. Eby wrote:
> At 11:22 AM 1/22/2006 -0500, Jim Fulton wrote:
>
>> Typically, web servers provide access logs that include a label
>> for the authenticated user.
>>
>> Often, WSGI applications (or middleware) provide their own user
>> authentication facilities.  Well, Zope does.
>>
>> There doesn't seem to be a standard way for WSGI applications or
>> middleware to communicate the information necessary for a server
>> to log the authenticated user back to the server.
>>
>> Am I missing something?  How do other people handle this?
>>
>> Is Zope the only WSGI application that performs authentication
>> itself?
>
> I think Zope is the only WSGI application that cares about communicating
> this information back to the web server's logs.

I hope that's not true.  Certainly, if anyone else is doing authentication in their applications or middleware, they *should* care about getting information into the access logs.

> Or at least, the
> only one whose author has said so.

Please, someone else speak up.

> Perhaps an "X-Authenticated-User: foo" header could be added in a future
> spec version?  (And as an optional feature in the current PEP.)

Perhaps. Note that it should be clear that this is solely for use in the access log.  There should be no assumption that this is a principal id or a login name.  It is really just a label for the log.  To make this clearer, I'd use something like: "X-Access-User-Label: foo".

> This
> seems a simpler way to incorporate the feature than adding an extension
> API to environ.

Why is that?  Isn't the env meant for communication between the WSGI layers?  I'm not sure I'd want to send this information back to the browser.

Jim

-- 
Jim Fulton           mailto:jim@zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org
Communicating authenticated user information
user name
2006-01-22 17:45:34

[Jim Fulton]
>>> Is Zope the only WSGI application that performs authentication
>>> itself?

[Phillip J. Eby]
>> I think Zope is the only WSGI application that cares about
>> communicating this information back to the web server's logs.

[Jim Fulton]
> I hope that's not true.  Certainly, if anyone else is doing
> authentication in their applications or middleware, they
> *should* care about getting information into the access logs.

Well, Apache records auth info in logs as well, and it seems like a perfectly reasonable thing for a server to do .....

http://httpd.apache.org/docs/2.0/logs.html#accesslog

[Phillip J. Eby]
>> Perhaps an "X-Authenticated-User: foo" header could be added
>> in a future spec version?  (And as an optional feature in the
>> current PEP.)

[Jim Fulton]
> Perhaps. Note that it should be clear that this is solely for use
> in the access log.  There should be no assumption that this is
> a principal id or a login name.  It is really just a label for the
> log.  To make this clearer, I'd use something like:
> "X-Access-User-Label: foo".

Sending X-headers seems hacky, and results in unnecessary information being transmitted back to the user (possibly revealing sensitive information, or opening security holes?)

I think that the communication mechanism for auth information is possibly best served by a simple convention between auth middleware authors. Perhaps servers that are aware that auth middleware is in use can put a callable into the WSGI environment, which auth middleware calls when it has auth'ed the user?

[Phillip J. Eby]
> This seems a simpler way to incorporate the feature than adding
> an extension API to environ.

[Jim Fulton]
> Why is that?  Isn't the env meant for communication between
> the WSGI layers?  I'm not sure I'd want to send this information
> back to the browser.

I think an API could be very simple, and optional for servers that know they won't be logging auth information.

I agree about not sending this information back to the user: it's unnecessary and potentially dangerous.

Regards,

Alan Kennedy.
Communicating authenticated user information
user name
2006-01-22 18:25:49

At 05:45 PM 1/22/2006 +0000, Alan Kennedy wrote:
>I agree about not sending this information back to the user: it's
>unnecessary and potentially dangerous.

Yep, it would be really dangerous to let me know who I just logged in to an application as.  I might find out who I really am! ;)

Communicating authenticated user information
user name
2006-01-22 18:30:59

Phillip J. Eby wrote:
> At 05:45 PM 1/22/2006 +0000, Alan Kennedy wrote:
>
>> I agree about not sending this information back to the user: it's
>> unnecessary and potentially dangerous.
>
> Yep, it would be really dangerous to let me know who I just logged in to an
> application as.  I might find out who I really am! ;)

The point is that there's really no reason to send this to the client.  It is certainly conceivable that some app could consider this information sensitive.

Jim

-- 
Jim Fulton           mailto:jim@zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org
Communicating authenticated user information
user name
2006-01-22 19:08:05

[Alan Kennedy]
>> I agree about not sending this information back to the user: it's
>> unnecessary and potentially dangerous.

[Phillip J. Eby]
> Yep, it would be really dangerous to let me know who I just logged in to
> an application as.  I might find out who I really am! ;)

Very droll.

What if other information, such as meta-information about the auth directory or database in which the credentials were looked up, was also communicated through X-headers, e.g. server connection details, etc.

Happy for that to go back to the user too?

If X-headers are to be used in WSGI, I think there should be something in the spec about whether or not they should be transmitted to the user.

Alan.
Communicating authenticated user information
user name
2006-01-22 21:24:52

Jim Fulton wrote:
> Typically, web servers provide access logs that include a label
> for the authenticated user.
>
> Often, WSGI applications (or middleware) provide their own user
> authentication facilities.  Well, Zope does.
>
> There doesn't seem to be a standard way for WSGI applications or
> middleware to communicate the information necessary for a server
> to log the authenticated user back to the server.
>
> Am I missing something?  How do other people handle this?
>
> Is Zope the only WSGI application that performs authentication
> itself?

I do the authentication in my apps, but I am sloppy and do not record it ;)  Well, that's not completely true.  In the rough access logger in Paste (http://pythonpaste.org/paste/translogger.py.html?f=8&l=80#8) I include environ['REMOTE_USER'] if it is present.  So if the WSGI environ that the middleware sees initially is the same environ that the authenticator writes to, then the middleware will see that change on the way out and include it.  Using a header would solve the problem where the environment is completely changed (unlikely), or copied before REMOTE_USER is assigned (fairly likely).

I can imagine a convention of X-WSGI-Authenticated, where X-WSGI-* gets stripped by the server, and any middleware that is interested can watch for these headers.  Another option is a callback, but potentially multiple middlewares will be interested (multiple logs isn't hard to imagine), and that complicates the callback.

-- 
Ian Bicking  |  ianb@colorstudy.com  |  http://blog.ianbicking.org
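Ian's two mechanisms above, as an added example that is not Paste's translogger and not code from anyone in this thread: an access-log middleware that takes the label from environ['REMOTE_USER'] when the application writes into the environ the middleware holds, or else from a hypothetical X-WSGI-Authenticated response header that it strips before the client ever sees it. The two constructed apps show the shared-environ and copied-environ cases; the header name and the `run` driver are assumptions for the example.

```python
# Added example (not Paste's translogger, not Zope code): an access-log
# middleware that learns the user label from environ['REMOTE_USER'] or from a
# hypothetical X-WSGI-Authenticated response header, which it strips.
AUTH_HEADER = "X-WSGI-Authenticated"

def access_log_middleware(app, records):
    """Append (remote_addr, user, method, path, status) to records per request."""
    def wrapped(environ, start_response):
        seen = {"status": None, "user": None}
        def capture(status, headers, exc_info=None):
            kept = []
            for name, value in headers:
                if name.lower().startswith("x-wsgi-"):
                    if name.lower() == AUTH_HEADER.lower():
                        seen["user"] = value
                    continue  # X-WSGI-* is server-internal: never forwarded
                kept.append((name, value))
            seen["status"] = status
            return start_response(status, kept, exc_info)
        body = b"".join(app(environ, capture))  # guarantees start_response ran
        # REMOTE_USER is only visible here if the app wrote into *this* dict.
        user = seen["user"] or environ.get("REMOTE_USER") or "-"
        records.append((environ.get("REMOTE_ADDR", "-"), user,
                        environ["REQUEST_METHOD"], environ["PATH_INFO"], seen["status"]))
        return [body]
    return wrapped

def app_shares_environ(environ, start_response):
    # Authenticates and writes into the environ it was handed: REMOTE_USER works.
    environ["REMOTE_USER"] = "alice"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]

def app_copies_environ(environ, start_response):
    # Copies environ first (the "fairly likely" case), so the label goes via header.
    env = dict(environ, REMOTE_USER="bob")
    start_response("200 OK", [("Content-Type", "text/plain"),
                              (AUTH_HEADER, env["REMOTE_USER"])])
    return [b"hello"]

def run(app, path="/"):
    """Constructed one-request driver standing in for the server."""
    records, sent = [], {}
    def start_response(status, headers, exc_info=None):
        sent["headers"] = headers
        return lambda data: None
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "REMOTE_ADDR": "10.0.0.1"}
    b"".join(access_log_middleware(app, records)(environ, start_response))
    return records[0], sent["headers"]
```

Either way the label is recorded and the X-WSGI-* header is absent from what the client receives.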

Communicating authenticated user information
user name
2006-01-22 21:31:01

Ian Bicking wrote:
> Jim Fulton wrote:
>
>> Typically, web servers provide access logs that include a label
>> for the authenticated user.
>>
>> Often, WSGI applications (or middleware) provide their own user
>> authentication facilities.  Well, Zope does.
>>
>> There doesn't seem to be a standard way for WSGI applications or
>> middleware to communicate the information necessary for a server
>> to log the authenticated user back to the server.
>>
>> Am I missing something?  How do other people handle this?
>>
>> Is Zope the only WSGI application that performs authentication
>> itself?
>
> I do the authentication in my apps,

Cool.

> but I am sloppy and do not record it
> ;)  Well, that's not completely true.  In the rough access logger in
> Paste (http://pythonpaste.org/paste/translogger.py.html?f=8&l=80#8) I
> include environ['REMOTE_USER'] if it is present.  So if the WSGI environ
> that the middleware sees initially is the same environ that the
> authenticator writes to, then the middleware will see that change on
> the way out and include it.  Using a header would solve the problem
> where the environment is completely changed (unlikely), or copied before
> REMOTE_USER is assigned (fairly likely).
>
> I can imagine a convention of X-WSGI-Authenticated, where X-WSGI-* gets
> stripped by the server,

Works for me.

> and any middleware that is interested can watch
> for these headers.  Another option is a callback, but potentially
> multiple middlewares will be interested (multiple logs isn't hard to
> imagine), and that complicates the callback.

I think just scribbling a value into the env or headers is fine.

Jim

-- 
Jim Fulton           mailto:jim@zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org
Communicating authenticated user information
user name
2006-01-23 01:39:49

On Sunday 22 January 2006 11:34, Phillip J. Eby wrote:
> >Is Zope the only WSGI application that performs authentication
> >itself?
>
> I think Zope is the only WSGI application that cares about communicating
> this information back to the web server's logs.  Or at least, the only
> one whose author has said so.

Well, I originally worked with Itamar and James on the Twisted integration into Zope 3, when we noticed this problem.

> Perhaps an "X-Authenticated-User: foo" header could be added in a future
> spec version?  (And as an optional feature in the current PEP.)  This seems
> a simpler way to incorporate the feature than adding an extension API to
> environ.

We originally considered and even implemented the suggestions you made, but considered it a security problem and dismissed it. And a "convention" is not really a viable solution either, since it defeats the point of a non-specific API, like WSGI.

We thought about the problem quite a bit and decided that the user is really the only thing that the log really has to know from the application. So a simple callback that expects a simple string would be just fine.

Regards,
Stephan
-- 
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training
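The environ-callback convention that Alan proposed and Stephan settled on, as an added example that is not Zope, Twisted or Paste code: the server installs a callable under an environ key, auth middleware hands it a plain string label once it has authenticated the user, and a second interested logging layer chains onto the existing callback instead of replacing it, which is one answer to Ian's multiple-consumer concern. The key name `example.set_user_label`, the `Token <name>` credential format and the `serve` driver are assumptions for the example.

```python
# Added example (not Zope/Twisted code): the environ-callback convention from
# the thread. The key 'example.set_user_label' is a hypothetical placeholder.
CALLBACK_KEY = "example.set_user_label"

def chain_user_callback(environ, consumer):
    """Register consumer(label) without clobbering an earlier callback, so
    several interested layers (server log, middleware log) each get the label."""
    previous = environ.get(CALLBACK_KEY)
    def fan_out(label):
        if not isinstance(label, str):
            raise TypeError("user label must be a plain str")  # label only
        if previous is not None:
            previous(label)
        consumer(label)
    environ[CALLBACK_KEY] = fan_out

def auth_middleware(app, users):
    """Authenticates from a constructed HTTP_AUTHORIZATION of the form
    'Token <name>' and reports the label through the callback if one exists."""
    def wrapped(environ, start_response):
        auth = environ.get("HTTP_AUTHORIZATION", "")
        if auth.startswith("Token ") and auth[6:] in users:
            environ["REMOTE_USER"] = auth[6:]
            report = environ.get(CALLBACK_KEY)
            if report is not None:
                report(auth[6:])  # a log label, not a principal id or credential
        return app(environ, start_response)
    return wrapped

def logging_middleware(app, records):
    """A second consumer: chains onto the server's callback instead of replacing it."""
    def wrapped(environ, start_response):
        chain_user_callback(environ, lambda label: records.append(("mw", label)))
        return app(environ, start_response)
    return wrapped

def hello(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]

def serve(token, server_log, mw_log):
    """Constructed server driver: installs its own callback, then runs the stack."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "HTTP_AUTHORIZATION": token}
    environ[CALLBACK_KEY] = lambda label: server_log.append(label)
    stack = logging_middleware(auth_middleware(hello, {"alice"}), mw_log)
    status = {}
    b"".join(stack(environ, lambda s, h, e=None: status.setdefault("s", s)))
    return status["s"], environ.get("REMOTE_USER")
```

Nothing about the user is added to the response headers, so the label stays on the server side.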