> Read the latest version of this page
Edit me on GitHub

pyramid.authentication

Authentication Policies

class AuthTktAuthenticationPolicy(secret, callback=None, cookie_name='auth_tkt', secure=False, include_ip=False, timeout=None, reissue_time=None, max_age=None, path='/', http_only=False, wild_domain=True)[source]

A Pyramid authentication policy which obtains data from an paste.auth.auth_tkt cookie.

Constructor Arguments

secret

The secret (a string) used for auth_tkt cookie signing. Required.

callback

Default: None. A callback passed the userid and the request, expected to return None if the userid doesn’t exist or a sequence of principal identifiers (possibly empty) if the user does exist. If callback is None, the userid will be assumed to exist with no principals. Optional.

cookie_name

Default: auth_tkt. The cookie name used (string). Optional.

secure

Default: False. Only send the cookie back over a secure conn. Optional.

include_ip

Default: False. Make the requesting IP address part of the authentication data in the cookie. Optional.

timeout

Default: None. Maximum number of seconds which a newly issued ticket will be considered valid. After this amount of time, the ticket will expire (effectively logging the user out). If this value is None, the ticket never expires. Optional.

reissue_time

Default: None. If this parameter is set, it represents the number of seconds that must pass before an authentication token cookie is automatically reissued as the result of a request which requires authentication. The duration is measured as the number of seconds since the last auth_tkt cookie was issued and ‘now’. If this value is 0, a new ticket cookie will be reissued on every request which requires authentication.

A good rule of thumb: if you want auto-expired cookies based on inactivity: set the timeout value to 1200 (20 mins) and set the reissue_time value to perhaps a tenth of the timeout value (120 or 2 mins). It’s nonsensical to set the timeout value lower than the reissue_time value, as the ticket will never be reissued if so. However, such a configuration is not explicitly prevented.

Optional.

max_age

Default: None. The max age of the auth_tkt cookie, in seconds. This differs from timeout inasmuch as timeout represents the lifetime of the ticket contained in the cookie, while this value represents the lifetime of the cookie itself. When this value is set, the cookie’s Max-Age and Expires settings will be set, allowing the auth_tkt cookie to last between browser sessions. It is typically nonsensical to set this to a value that is lower than timeout or reissue_time, although it is not explicitly prevented. Optional.

path

Default: /. The path for which the auth_tkt cookie is valid. May be desirable if the application only serves part of a domain. Optional.

http_only

Default: False. Hide cookie from JavaScript by setting the HttpOnly flag. Not honored by all browsers. Optional.

wild_domain

Default: True. An auth_tkt cookie will be generated for the wildcard domain. Optional.

Objects of this class implement the interface described by pyramid.interfaces.IAuthenticationPolicy.

class RepozeWho1AuthenticationPolicy(identifier_name='auth_tkt', callback=None)[source]

A Pyramid authentication policy which obtains data from the repoze.who 1.X WSGI ‘API’ (the repoze.who.identity key in the WSGI environment).

Constructor Arguments

identifier_name

Default: auth_tkt. The repoze.who plugin name that performs remember/forget. Optional.

callback

Default: None. A callback passed the repoze.who identity and the request, expected to return None if the user represented by the identity doesn’t exist or a sequence of principal identifiers (possibly empty) representing groups if the user does exist. If callback is None, the userid will be assumed to exist with no group principals.

Objects of this class implement the interface described by pyramid.interfaces.IAuthenticationPolicy.

class RemoteUserAuthenticationPolicy(environ_key='REMOTE_USER', callback=None)[source]

A Pyramid authentication policy which obtains data from the REMOTE_USER WSGI environment variable.

Constructor Arguments

environ_key

Default: REMOTE_USER. The key in the WSGI environ which provides the userid.

callback

Default: None. A callback passed the userid and the request, expected to return None if the userid doesn’t exist or a sequence of principal identifiers (possibly empty) representing groups if the user does exist. If callback is None, the userid will be assumed to exist with no group principals.

Objects of this class implement the interface described by pyramid.interfaces.IAuthenticationPolicy.

class SessionAuthenticationPolicy(prefix='auth.', callback=None)[source]

A Pyramid authentication policy which gets its data from the configured session. For this authentication policy to work, you will have to follow the instructions in the Sessions to configure a session factory.

Constructor Arguments

prefix

A prefix used when storing the authentication parameters in the session. Defaults to ‘auth.’. Optional.

callback

Default: None. A callback passed the userid and the request, expected to return None if the userid doesn’t exist or a sequence of principal identifiers (possibly empty) if the user does exist. If callback is None, the userid will be assumed to exist with no principals. Optional.

Helper Classes

class AuthTktCookieHelper(secret, cookie_name='auth_tkt', secure=False, include_ip=False, timeout=None, reissue_time=None, max_age=None, http_only=False, path='/', wild_domain=True)[source]

A helper class for use in third-party authentication policy implementations. See pyramid.authentication.AuthTktAuthenticationPolicy for the meanings of the constructor arguments.

auth_tkt = <module 'paste.auth.auth_tkt' from '/home/docs/checkouts/readthedocs.org/user_builds/pyramid/envs/1.1-branch/local/lib/python2.7/site-packages/paste/auth/auth_tkt.pyc'>
forget(request)[source]

Return a set of expires Set-Cookie headers, which will destroy any existing auth_tkt cookie when attached to a response

identify(request)[source]

Return a dictionary with authentication information, or None if no valid auth_tkt is attached to request

remember(request, userid, max_age=None, tokens=())[source]

Return a set of Set-Cookie headers; when set into a response, these headers will represent a valid authentication ticket.

max_age
The max age of the auth_tkt cookie, in seconds. When this value is set, the cookie’s Max-Age and Expires settings will be set, allowing the auth_tkt cookie to last between browser sessions. If this value is None, the max_age value provided to the helper itself will be used as the max_age value. Default: None.
tokens
A sequence of strings that will be placed into the auth_tkt tokens field. Each string in the sequence must be of the Python str type and must match the regex ^[A-Za-z][A-Za-z0-9+_-]*$. Tokens are available in the returned identity when an auth_tkt is found in the request and unpacked. Default: ().

Table Of Contents

Previous topic

pyramid.authorization

Next topic

pyramid.chameleon_text