Implemented PluggableAuthService Interfaces

The PluggableAuthService plugins in this package implement interfaces defined in the PluggableAuthService package.

interface Products.PluggableAuthService.interfaces.plugins.IAuthenticationPlugin

Map credentials to a user ID.


credentials -> (userid, login)

o ‘credentials’ will be a mapping, as returned by IExtractionPlugin.

o Return a tuple consisting of user ID (which may be different

from the login name) and login

o If the credentials cannot be authenticated, return None.

interface Products.PluggableAuthService.interfaces.plugins.IChallengePlugin

Initiate a challenge to the user to provide credentials.

Challenge plugins have an attribute ‘protocol’ representing the protocol the plugin operates under, defaulting to None.

Plugins operating under the same protocol will all be given an attempt to fire. The first plugin of a protocol group that successfully fires establishes the protocol of the overall challenge.

challenge(request, response)

Assert via the response that credentials will be gathered.

Takes a REQUEST object and a RESPONSE object.

Returns True if it fired, False otherwise.

Two common ways to initiate a challenge:

  • Add a ‘WWW-Authenticate’ header to the response object.

    NOTE: add, since the HTTP spec specifically allows for more than one challenge in a given response.

  • Cause the response object to redirect to another URL (a login form page, for instance)

interface Products.PluggableAuthService.interfaces.plugins.ICredentialsResetPlugin

Callback: user has logged out.

resetCredentials(request, response)

Scribble as appropriate.

interface Products.PluggableAuthService.interfaces.plugins.IExtractionPlugin

Extracts login name and credentials from a request.


request -> {…}

o Return a mapping of any derived credentials.

o Return an empty mapping to indicate that the plugin found no

appropriate credentials.

interface Products.PluggableAuthService.interfaces.plugins.IPropertiesPlugin

Return a property set for a user.

getPropertiesForUser(user, request=None)

user -> empty dict

o User will implement IPropertiedUser.

o Plugin should return a dictionary or an object providing


o Plugin may scribble on the user, if needed (but must still

return a mapping, even if empty).

o May assign properties based on values in the REQUEST object, if