[Baypiggies] Authkit, OpenID, Click Pass, and local accounts... aka AuthMess

[Jeff Younker]

I'm in the process of putting together an authentication system for an  
application
based on the most recent stable version of CherryPy.   My feeling is  
that AuthKit
is the way to go for authentication and authorization, but I'm not  
sure how integrating
it with CherryPy will go.  (If you have any suggests or alternatives  
then I'd love
to hear about them.)

That said, the real questions I have relate to authentication  
options.  For most
of the public facing users we'd like to use OpenID.  Each OpenID  
instance will
be linked to local account.   When a user connects for the first time  
we'll need
to do some sort automagic account creation.  (Any suggestions or  
caveats about
this aspect are appreciated.)

I'm intensely wary of using OpenID for the only authentication  
mechanism, because
external authentication systems have a way of failing when  
administrators most
need them.  Because of this admin accounts will also be able to log in  
through
normal password mechanisms.

In addition, it seems that OpenID is a little unfriendly.  Opaque URLs  
are scary,
so the login screens will use something along the lines of "use your  
google/msn/
yahoo account to connect to our system," to which the user selects  
one. Now
it seems to me that this part of the system could be rather painful to  
implement.

To that end I've started looking at Click Pass.  I don't have a good  
feeling for
how it would integrate with AuthKit, or the wisdom of going through  
their
service for authorization.  Given OpenID's nature it seems like, this  
shouldn't
really be a problem, but I just don't have a intuition on this one.   
I'd also love
to hear any stories about using their service rather than rolling your  
own.

- Jeff Younker - jeff at drinktomi.com -