Context
My app relies on an external service for authentication. Its Python API has a function authenticate_request which takes a request instance as a param and returns a result dict:
if auth was successful, the dict contains 3 keys:
if unsuccessful:
Now, a call to this function is relatively expensive (it does an HTTP POST underneath).
Question
I'm new to the Pyramid security model, and I'm struggling with how to use an existing AuthenticationPolicy, or properly write my own,
for my app, so that it uses my auth service and does not call its API more than once per session (in the auth success scenario)?
There are two broad ways to integrate custom auth with Pyramid:
- write your own authentication policy for Pyramid (I haven't done this)
- write your own middleware to deal with your auth issues, and use the RemoteUserAuthenticationPolicy in Pyramid (I have done this)
For the second, you write some standard WSGI middleware, sort out your custom authentication business in there, and then write to the WSGI env. Pyramid authorization will then work fine, with the Pyramid auth system getting the user value from the WSGI env's 'REMOTE_USER' setting.
I personally like this approach because it's easy to wrap disparate apps in your middleware, and dead simple to turn it off or swap it out. While not really the answer to exactly what you asked, that might be a better approach than what you're trying.
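The middleware approach from the answer, combined with the asker's "call the auth service at most once per session" requirement, as an added example that is not code from the question, the answer, or Pyramid itself. It is plain WSGI, so it runs without Pyramid installed: the middleware calls an expensive authenticator only when the request carries no valid session cookie, caches a successful verdict in an HMAC-signed, time-limited cookie, and writes the user into environ['REMOTE_USER'], which is exactly what RemoteUserAuthenticationPolicy reads. The function authenticate_request here is a constructed stand-in for the asker's real one (it only records calls and checks a fixed token), and the cookie name, TTL, secret and the assumption that a successful result dict contains a "user" key are all mine.

```python
import hashlib
import hmac
import json
import time
from http.cookies import SimpleCookie

SECRET = b"rotate-me-in-production"  # assumption: server-side secret, never sent to clients
COOKIE = "authsess"                  # assumption: name of the session cookie
TTL = 3600                           # assumption: re-check with the auth service after 1h

CALLS = []  # every call to the stand-in auth service is recorded here


def authenticate_request(environ):
    """Constructed stand-in for the asker's authenticate_request(); the real one
    does an HTTP POST. Assumed contract: a successful result carries 'user'."""
    CALLS.append(environ.get("HTTP_AUTHORIZATION"))
    if environ.get("HTTP_AUTHORIZATION") == "Bearer good-token":
        return {"status": "ok", "user": "alice"}
    return {"status": "error"}


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def _encode(user, now):
    """Cookie value = hex(payload) '.' hmac(payload); payload carries an expiry."""
    payload = json.dumps({"u": user, "exp": now + TTL}).encode()
    return payload.hex() + "." + _sign(payload)


def _decode(value, now):
    """Return the cached user, or None if the cookie is malformed, forged or expired."""
    try:
        payload_hex, sig = value.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload), sig):  # constant-time compare
        return None
    data = json.loads(payload)
    if data["exp"] < now:
        return None
    return data["u"]


class CachedRemoteUserMiddleware:
    """WSGI middleware: authenticate once per session, then trust the signed cookie."""

    def __init__(self, app, authenticate, clock=time.time):
        self.app = app
        self.authenticate = authenticate
        self.clock = clock  # injectable so expiry can be tested deterministically

    def __call__(self, environ, start_response):
        now = self.clock()
        cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        user = _decode(cookies[COOKIE].value, now) if COOKIE in cookies else None
        new_cookie = None
        if user is None:                       # no valid cache: hit the auth service
            result = self.authenticate(environ)
            if "user" in result:
                user = result["user"]
                new_cookie = _encode(user, now)
        if user is not None:
            environ["REMOTE_USER"] = user      # what RemoteUserAuthenticationPolicy reads
        else:
            environ.pop("REMOTE_USER", None)   # never let an upstream value leak through

        def _start_response(status, headers, exc_info=None):
            if new_cookie is not None:
                headers = list(headers) + [("Set-Cookie",
                    f"{COOKIE}={new_cookie}; HttpOnly; Secure; SameSite=Lax; Path=/")]
            return start_response(status, headers, exc_info)

        return self.app(environ, _start_response)


def hello_app(environ, start_response):
    """Minimal downstream app that just reports REMOTE_USER."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("user=" + environ.get("REMOTE_USER", "anonymous")).encode()]


def call(app, headers):
    """Tiny in-process WSGI client; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    environ.update(headers)
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"], captured["headers"] = status, response_headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def simulate_session():
    """Login with a token, revisit with the cookie only, then present a forged cookie."""
    CALLS.clear()
    app = CachedRemoteUserMiddleware(hello_app, authenticate_request, clock=lambda: 1_000_000)
    _, headers, body1 = call(app, {"HTTP_AUTHORIZATION": "Bearer good-token"})
    cookie_value = dict(headers)["Set-Cookie"].split(";")[0].split("=", 1)[1]
    _, _, body2 = call(app, {"HTTP_COOKIE": f"{COOKIE}={cookie_value}"})
    tampered = cookie_value[:-1] + ("0" if cookie_value[-1] != "0" else "1")  # flip one signature nibble
    _, _, body3 = call(app, {"HTTP_COOKIE": f"{COOKIE}={tampered}"})
    return {"bodies": [body1, body2, body3], "auth_calls": len(CALLS)}
```

Wrapping a Pyramid app is the same call: build the WSGI app from the Configurator, then wrap it in CachedRemoteUserMiddleware and configure config.set_authentication_policy(RemoteUserAuthenticationPolicy()) so Pyramid takes the identity from REMOTE_USER. Two caveats worth keeping in mind: the cookie is a cache, so a revocation at the auth service is invisible until TTL expires (keep TTL short, or store a server-side session id instead of a signed verdict), and the signature only guards integrity, not confidentiality, so nothing secret belongs in the payload.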