[ckan-dev] repoze.who vs IAuthenticator

Sean Hammond sean.hammond at okfn.org
Mon Jun 16 19:56:44 UTC 2014


> I see there are two ways to write an authentication plugin for CKAN -
> one is to use the repoze.who middleware, the other is to write a CKAN
> plugin that implements ckan.plugins.IAuthenticator.
> 
> I can see both in use out there (eg.
> https://github.com/GSA/ckanext-saml2 uses IAuthenticator while
> https://github.com/kata-csc/ckanext-shibboleth uses repoze.who). 
> 
> Does anyone know how the two approaches differ? 

Having never tried the repoze.who middleware approach I don't know what
the pros and cons are, but I think IAuthenticator is the "official" way
(was developed by the core team, while repoze.who already existed, I'm
assuming there must have been a reason they didn't just write repoze.who
middleware).

I haven't had much experience with it, but from what I've overheard from
other core devs, it didn't sound like they were big fans of repoze.who,
so that might be one reason for IAuthenticator.

Another is probably just to avoid coupling CKAN auth plugins to
repoze.who.

Personally I can recommend IAuthenticator, it's simple and easy to use.
Here's a couple more examples:

https://github.com/ckan/ckanext-persona

https://github.com/ckan/ckanext-oauth2waad

(Though note that both of those currently implement the abort() method
wrongly.)

IAuthenticator could do with better docstrings and an example plugin,
though.



More information about the ckan-dev mailing list