Agreed. It is not a Janrain specific issue, I am sure the same applies for other non-local authentication schemes. In other systems I have implemented in the past I would allow authentication externally, but configured authorization separately. An example from my past: I have a webapp that I would like to use Active Directory authentication for. Unfortunately, the audience of authorized users is not the entire company. In that case a local database table with a list of authorized users was appropriate.
In other cases maybe it makes sense to allow users to "request access" and for that access to be approved or denied by a system admin { similar to the approval functionality in the default/user/register code }.

I suppose as a broader question, I should ask... First, is there already a mechanism to separate the functions of authentication and authorization? It seems to me that currently if authentication succeeds, that is it... There is no authorization step. Second, if the first answer is no, would it be desirable to add an extensible authorization capability to the framework?

Thoughts?

On Tuesday, July 10, 2012 1:45:00 PM UTC-4, Massimo Di Pierro wrote:
>
> Your problem is limiting the number of users who can sign in. I am not sure this is a janrain issue.
> You need to handle it somehow at the web2py level and it should be independent of which method you use for authentication (janrain or other).
>
> It can be done but how it is done depends on the details of your policy.
>
> On Tuesday, 10 July 2012 11:40:08 UTC-5, Dave wrote:
>>
>> I spent some time searching for this and have not come up with much.
>>
>> Has anybody implemented or tried to implement user authorization (read: limit users that may sign in) with Janrain?
>>
>> I think there are two possibilities here... The first possibility falls under standard authorization where you define a "list" of users that are authorized somewhere in db.auth* which is consulted at login. Of course, there is a potential issue with impersonation where someone other than the intended user registers a FaceBook, LinkedIn, etc. account...
>>
>> The other path would be to either gate registration similar to auth.settings.registration_requires_approval = True for builtin authentication. That should be fairly easy to implement. OR... Leave the Janrain user creation alone and assign a group permission to controller methods. The downside here is existing site code would have to be refactored if someone wants to go from local auth to janrain. For example, @auth.requires_login() would have to become @auth.requires_membership('authorized') for the same level of security.
>>
>> Would anybody (besides me) be interested in this?
>>
>> I could work up some code
>
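The authentication/authorization split discussed in this thread, as an added stand-alone example (not code from any poster, not web2py's Auth, and not Janrain's): the external provider only says who the user is, and a local table then decides whether that identity may sign in at all, using a verified-email allowlist for pre-provisioned users, a pending/approved/denied status that an admin flips (the "request access" flow), and a group-membership decorator for finer checks. Every name here (ExternalIdentity, AuthzStore, login, requires_login, requires_membership) and the three sample identities are assumptions made for the illustration; the dict-backed store stands in for a db.auth*-style table so the block runs without the framework.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Optional

@dataclass(frozen=True)
class ExternalIdentity:
    """What the IdP (Janrain, LinkedIn, AD, ...) returns after it has authenticated someone."""
    provider: str
    provider_uid: str     # provider-issued stable id, never the display name
    email: str
    email_verified: bool  # does the provider vouch for this address?

class NotAuthorized(Exception):
    """Local policy, not the IdP, rejected the request."""

class AccessPending(NotAuthorized):
    """Identity recorded; waiting for an admin to approve or deny it."""

class AuthzStore:
    """Local authorization state (stand-in for a db.auth*-style table), independent of the IdP."""
    def __init__(self) -> None:
        self.users = {}            # (provider, uid) -> 'pending' | 'approved' | 'denied'
        self.email_allowlist = set()
        self.memberships = set()   # (provider, uid, group)

    def allow_email(self, email: str) -> None:  # admin pre-provisions an address
        self.email_allowlist.add(email.lower())

    def set_status(self, provider: str, uid: str, status: str) -> None:  # admin approves or denies
        self.users[(provider, uid)] = status

    def add_membership(self, provider: str, uid: str, group: str) -> None:
        self.memberships.add((provider, uid, group))

def login(store: AuthzStore, ident: ExternalIdentity) -> dict:
    """Authorization gate that runs after the IdP has already authenticated the identity."""
    key = (ident.provider, ident.provider_uid)
    if key not in store.users:
        # Auto-approve only a *verified* allowlisted address: an unverified one that merely matches
        # an authorized user's email is the impersonation case. Everyone else waits for an admin.
        allowed = ident.email_verified and ident.email.lower() in store.email_allowlist
        store.users[key] = "approved" if allowed else "pending"
    status = store.users[key]
    if status == "approved":
        return {"provider": ident.provider, "uid": ident.provider_uid}
    if status == "pending":
        raise AccessPending(f"{ident.provider}:{ident.provider_uid} awaits admin approval")
    raise NotAuthorized(f"{ident.provider}:{ident.provider_uid} was denied")

def requires_login(fn):
    """Sufficient on its own only because login() already enforced the sign-in policy."""
    @wraps(fn)
    def wrapper(session: Optional[dict], *a, **kw):
        if session is None:
            raise NotAuthorized("login required")
        return fn(session, *a, **kw)
    return wrapper

def requires_membership(store: AuthzStore, group: str):
    """Finer-grained check for controllers that need more than 'may sign in'."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(session: Optional[dict], *a, **kw):
            if session is None or (session["provider"], session["uid"], group) not in store.memberships:
                raise NotAuthorized(f"membership in {group!r} required")
            return fn(session, *a, **kw)
        return wrapper
    return decorator

def demo() -> dict:
    """Constructed scenario: a provisioned user, an impersonator and a walk-up requester."""
    store = AuthzStore()
    store.allow_email("alice@example.com")
    alice = ExternalIdentity("linkedin", "li-1001", "alice@example.com", True)
    mallory = ExternalIdentity("facebook", "fb-9999", "alice@example.com", False)  # same email, unverified
    bob = ExternalIdentity("facebook", "fb-2002", "bob@example.com", True)
    @requires_login
    def dashboard(session):
        return "dashboard for " + session["uid"]
    @requires_membership(store, "admin")
    def admin_panel(session):
        return "admin ok"
    out = {"alice": dashboard(login(store, alice))}
    for name, ident in (("mallory", mallory), ("bob_first", bob)):
        try:
            login(store, ident)
        except AccessPending:
            out[name] = store.users[(ident.provider, ident.provider_uid)]
    store.set_status("facebook", "fb-2002", "approved")  # admin works the approval queue
    bob_session = login(store, bob)
    try:
        admin_panel(bob_session)
    except NotAuthorized:
        out["bob_admin_before"] = "forbidden"
    store.add_membership("facebook", "fb-2002", "admin")
    out["bob_admin_after"] = admin_panel(bob_session)
    return out
```

Because the gate sits in login(), a plain requires_login-style check remains sufficient for "may use the site", which is what spares existing @auth.requires_login() code from a refactor; requires_membership is only needed on pages that want more than that. The impersonation case from the original post is handled by keying the record on the provider-issued id rather than the name, and by honouring an email match only when the provider says it verified the address, so a fresh Facebook account created under someone else's name lands in the pending queue instead of inheriting their access.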