This module contains Gate One's authentication classes. They map to Gate One's --auth configuration option like so:
--auth=none | NullAuthHandler |
--auth=kerberos | KerberosAuthHandler |
--auth=google | GoogleAuthHandler |
--auth=pam | PAMAuthHandler |
--auth=api | APIAuthHandler |
Note
API authentication is handled inside of Gate One
By default Gate One will not authenticate users. This means that user sessions will be tied to their browser cookie and users will not be able to resume their sessions from another computer/browser. Most useful for situations where session persistence and logging aren't important.
All users will show up as ANONYMOUS using this authentication type.
Kerberos authentication utilizes GSSAPI for Single Sign-on (SSO) but will fall back to HTTP Basic authentication if GSSAPI auth fails. This authentication type can be integrated into any Kerberos infrastructure including Windows Active Directory.
It is great for both transparent authentication and being able to tie sessions and logs to specific users within your organization (compliance).
Note
The sso.py module itself has extensive documentation on this authentication type.
If you want persistent user sessions but don't care to run your own authentication infrastructure this authentication type is for you. Assuming, of course, that your Gate One server and clients will have access to the Internet.
Note
This authentication type is perfect if you're using Chromebooks (Chrome OS devices).
API-based authentication is actually handled in gateone.py but we still need something to exist at the /auth URL that will always return the 'unauthenticated' response. This ensures that no one can authenticate themselves by visiting that URL manually.
Given a user dict, return a dict containing any additional attributes defined in Gate One's attribute repositories.
Note
This function doesn't actually work yet (support for attribute repos like LDAP is forthcoming).
The base class for all Gate One authentication handlers.
Called immediately after a user authenticates successfully. Saves session information in the user's directory. Expects user to be a dict containing a 'upn' value representing the username or userPrincipalName. e.g. 'user@REALM' or just 'someuser'. Any additional values will be attached to the user object/cookie.
A handler for when no authentication method is chosen (i.e. --auth=none). With this handler all users will show up as "ANONYMOUS".
A handler that always reports 'unauthenticated' since API-based auth doesn't use auth handlers.
Google authentication handler using Tornado's built-in GoogleMixin (fairly boilerplate).
SSL Certificate-based authentication handler. Can only be used if the ca_certs option is set along with ssl_auth=required or ssl_auth=optional.
Handles authenticating users via Kerberos/GSSAPI/SSO.