[Twisted-Python] twisted cred: why does avatarId need to be a str?
Glyph Lefkowitz
glyph at twistedmatrix.com
Wed Sep 8 16:46:06 EDT 2010
On Sep 8, 2010, at 1:27 PM, Stephen Waterbury wrote:
> Neither the OP nor Glyph use the term
> "authorization" in either of their messages, but that concept
> is clearly involved and is almost always useful for
> clarification.
The checker authenticates; the realm authorizes.
Authorization proceeds from the realm's idea of what a particular avatar ID (and, apparently, mind, as laurens has discovered this particular loophole in the API) is authorized to do; authentication proceeds from what the checker thinks makes some credentials valid.
As you put it:
> Once that interaction is complete, the app knows
> the identity associated with the TGT has been authenticated, and
> it can proceed with authorization, which of course depends on
> each application's context, and is completely separate from
> authentication.
Replace "application" with "realm" here and that's basically how twisted.cred works.
The reason I didn't use the term authorization in my original message is that we're talking about an authentication protocol, and hopefully authorization can stay out of it :).