[Twisted-Python] twisted cred: why does avatarId need to be a str?

Glyph Lefkowitz glyph at twistedmatrix.com
Wed Sep 8 16:46:06 EDT 2010

On Sep 8, 2010, at 1:27 PM, Stephen Waterbury wrote:

> Neither the OP nor Glyph use the term
> "authorization" in either of their messages, but that concept
> is clearly involved and is almost always useful for
> clarification.

The checker authenticates; the realm authorizes.

Authorization proceeds from the realm's idea of what a particular avatar ID (and, apparently, mind, as laurens has discovered this particular loophole in the API) is authorized to do; authentication proceeds from what the checker thinks makes some credentials valid.

As you put it:

> Once that interaction is complete, the app knows
> the identity associated with the TGT has been authenticated, and
> it can proceed with authorization, which of course depends on
> each application's context, and is completely separate from
> authentication.

replace "application" with "realm" here and that's basically how twisted.cred works.

The reason I didn't use the term authorization in my original message is that we're talking about an authentication protocol, and hopefully authorization can stay out of it :).

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://twistedmatrix.com/pipermail/twisted-python/attachments/20100908/325de3c3/attachment.htm 

More information about the Twisted-Python mailing list