Comments on: RPC and Authentication

By: David

David — Fri, 02 Oct 2009 05:58:21 +0000

I'm leaning toward using the RemoteUserMiddleware, but that means making the authentication only compatible with Django 1.1+. However, this makes a lot of sense given that I'm using a server based authentication system. If in the future, I decide to support a session based authentication system, hopefully I can use a different middleware for that.

By: David

David — Mon, 21 Sep 2009 16:08:09 +0000

@aaloy This same type of authentication is supported by XMLRPC clients in at least Java and PHP and you are using it in Javascript. In addition, if the RPC client is on the same port, domain and protocol as the rest of your website, then once a user is authenticated in a browser session, all future requests for that session will contain the authentication information. This is why the simple Javascript JSONRPC client on the demo site's method summary page still works. This is nice because you don't even have to use a fancy Javascript library like qooxdoo. Just tie your Apache authentication to your Django user database and you're done! There really isn't a whole lot of work to be done to add this authentication so I think I can handle it. However, I am always willing to accept a patch if you contribute something.

By: aaloy

aaloy — Mon, 21 Sep 2009 10:33:37 +0000

I like this approach, in fact Qooxdoo people in their API also suposes this kind of authentication, see: http://demo.qooxdoo.org/current/apiviewer/#qx.io.remote.Rpc

To be consistent with Django I agree with you that user authentication should come in the HTTP header. The only risk I see in this is to be able to comunicate with non Python clients (Qooxdoo for me) and not make it just Python based.

Please let me know if I can help in any way.