[Web-SIG] Communicating authenticated user information

Ian Bicking ianb at colorstudy.com
Sun Jan 22 22:24:52 CET 2006


Jim Fulton wrote:
> Typically, web servers provide access logs that include a label
> for the authenticated user.
> 
> Often, WSGI applications (or middleware) provide their own user
> authentication facilities.  Well, Zope does. :)
> 
> There doesn't seem to be a standard way for WSGI applications or
> middleware to communicate the information necessary for a server
> to log the authenticated user back to the server.
> 
> Am I missing something?  How do other people handle this?
> 
> Is Zope the only WSGI application that performs authentication
> itself?

I do the authentication in my apps, but I am sloppy and do not record it 
;)  Well, that's not completely true.  In the rough access logger in 
Paste (http://pythonpaste.org/paste/translogger.py.html?f=8&l=80#8) I 
include environ['REMOTE_USER'] if it is present.  So if the WSGI environ 
that the middleware sees initially is the same environ that the 
authenticator writes to, then the middleware will see that change on 
the way out and include it.  Using a header would solve the problem 
where the environment is completely changed (unlikely), or copied before 
REMOTE_USER is assigned (fairly likely).

I can imagine a convention of X-WSGI-Authenticated, where X-WSGI-* gets 
stripped by the server, and any middleware that is interested can watch 
for these headers.  Another option is a callback, but potentially 
multiple middlewares will be interested (multiple logs isn't hard to 
imagine), and that complicates the callback.

-- 
Ian Bicking  |  ianb at colorstudy.com  |  http://blog.ianbicking.org

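The two mechanisms Ian describes above, as an added example that is not part of the thread and not Paste's translogger: a logging middleware that takes the user from environ['REMOTE_USER'] when the application wrote it into the shared environ, and otherwise from an X-WSGI-Authenticated response header, which it strips so the name never reaches the client. The header name is taken from the convention suggested in the post; the three sample applications and the minimal environ are constructed here to show the "copied environ" failure mode and the header fix side by side.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Assumed convention from the post above, not an established standard.
AUTH_HEADER = "X-WSGI-Authenticated"


class AuthLogMiddleware:
    """Records one (method, path, user) tuple per request.

    The user comes from environ['REMOTE_USER'] if the application wrote it
    into the environ object we passed down, and otherwise from the
    X-WSGI-Authenticated response header, which is consumed here and never
    forwarded to the server or client.
    """

    def __init__(self, app, sink: Optional[Callable[[Tuple[str, str, str]], None]] = None):
        self.app = app
        self.records: List[Tuple[str, str, str]] = []
        self.sink = sink or self.records.append

    def __call__(self, environ, start_response):
        seen: Dict[str, str] = {}

        def wrapped_start_response(status, headers, exc_info=None):
            passthrough = []
            for name, value in headers:
                if name.lower() == AUTH_HEADER.lower():
                    seen["header_user"] = value  # consume; do not forward downstream
                else:
                    passthrough.append((name, value))
            return start_response(status, passthrough, exc_info)

        result = self.app(environ, wrapped_start_response)
        try:
            body = list(result)  # drain so the app has finished and called start_response
        finally:
            close = getattr(result, "close", None)
            if close is not None:
                close()

        # Shared-environ route first, header route second, "-" if neither.
        user = environ.get("REMOTE_USER") or seen.get("header_user") or "-"
        self.sink((environ.get("REQUEST_METHOD", "GET"), environ.get("PATH_INFO", ""), user))
        return body


def copying_app(environ, start_response):
    """Authenticates into a *copy* of environ: the middleware never sees REMOTE_USER."""
    env = dict(environ)
    env["REMOTE_USER"] = "alice"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello " + env["REMOTE_USER"].encode("ascii")]


def copying_app_with_header(environ, start_response):
    """Same copy, but announces the user with the response header instead."""
    env = dict(environ)
    env["REMOTE_USER"] = "bob"
    start_response("200 OK", [("Content-Type", "text/plain"), (AUTH_HEADER, "bob")])
    return [b"hello bob"]


def inplace_app(environ, start_response):
    """Writes REMOTE_USER into the shared environ, so the middleware sees it."""
    environ["REMOTE_USER"] = "carol"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello carol"]


def run(app, path="/", method="GET"):
    """Drive one request through the middleware with a constructed minimal
    environ; return (status, headers as the server saw them, body, log records)."""
    mw = AuthLogMiddleware(app)
    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "wsgi.url_scheme": "http",
    }
    captured: Dict[str, object] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)
        return lambda data: None

    body = b"".join(mw(environ, start_response))
    return captured["status"], captured["headers"], body, mw.records


if __name__ == "__main__":
    for app in (copying_app, copying_app_with_header, inplace_app):
        status, headers, body, records = run(app, "/index")
        print(app.__name__, records, headers)
```

Running the three apps shows the point of the thread: the copying application logs as "-" even though it authenticated, the same application plus the header logs "bob" and the header is gone from what the server sees, and the application that writes into the shared environ logs "carol" with no header at all. If a server adopted the convention but forgot to strip the header, the authenticated username would leak to every client, so the stripping is not optional.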
