Feature: allow for pluggable authentication methods

benvanstaveren / Mojolicious-Plugin-Authentication

A plugin to make authentication a bit easier

http://search.cpan.org/dist/Mojolicious-Plugin-Authentication/

Other

20 stars 17 forks source link

Feature: allow for pluggable authentication methods #25

Open jjatria opened 7 years ago

jjatria commented 7 years ago

This issue is to track the inclusion of other authentication methods, as suggested by @carragom in #16.

From that issue:

We should probably bundle the plugin with at least BASIC and SESSION strategies.

More complex strategies like JWT would probably require some extra dependencies so they should probably be distributed independently. Mojolicious::Plugin::Authentication::JWT and Mojolicious::Plugin::Authentication::APIKey maybe ?

Currently, the only way to allow for these alternative authentication methods is to bypass the authentication plugin and setting the current user manually. The feature discussed here would solve this in a more controlled manner (while still giving the user the freedom to crash and burn if they want).

Contributions and discussion are welcome!

benvanstaveren commented 7 years ago

I'll re-iterate my statement from issue #16 and say that I'm a fan of the pluggable strategy way of doing things, still not entirely sure on the details of it but that's the general direction I'm leaning towards :)

mohawk2 commented 4 years ago

As part of a discussion on #mojo, the following ideas came up ref plugins:

allowing for OAuth2 / OpenID in the architecture should then allow for anything else less complex to also fit in
the best Mojolicious auth plugin may currently be https://metacpan.org/pod/Mojolicious::Plugin::OAuth2
another model to follow would be https://metacpan.org/release/Catalyst-Plugin-Authentication due to its pragmatic design (and certainly to look at its tests for ideas)
generally under should be the mechanism for authentication, and over (and the condition "authenticate" in this module) should not be used
https://metacpan.org/release/Mojo-SAML should be looked at too as SAML is another relevant system

mohawk2 commented 4 years ago

@jberger also suggests https://metacpan.org/pod/Net::SAML2 is a good implementation.

jjatria commented 4 years ago

@mohawk2 Are there any links / logs to the discussion on #mojo? I don't think I've seen anything, and I'm curious about the under / over issues (not because I'm particularly partial to either, just curious).

mohawk2 commented 3 years ago

Logging is forbidden on #mojo, so no. While I think of it, could you release M::P::A? The async code has been merged (thanks!) but not yet released?

jjatria commented 3 years ago

My apologies.

I pushed it out as a TRIAL release, and there were some test failures reported by CPAN testers that I didn't have the time to track down at the time: http://matrix.cpantesters.org/?dist=Mojolicious-Plugin-Authentication%201.34-TRIAL

Looking at them now, it seems there's only two failures out of 194 tests, so it's not as bad as I had thought. Then again, one of them seems to have died with

Can't use string ("Mojo::Promise") as a HASH ref

I seem to remember trying to reach out on IRC when I got this report, but that message must have got lost in the mists of time. I'll see if I can see anything suspicious with the code, and hopefully push out a proper release.