geofront.team — Team authentication

Geofront doesn’t force you to manage team members yourself. Instead it abstracts away how team members are managed and offers Team, the layering interface for implementing a custom team data provider, e.g. GitHubOrganization.

It is theoretically possible to implement a straightforward RDBMS-backed team provider, but we recommend adapting your existing team data instead, e.g. a GitHub organization, Google Apps organization, or Bitbucket team.

exception geofront.team.AuthenticationError

Authentication exception which is raised when the authentication process runs into trouble, including network problems.

class geofront.team.Team

Backend interface for team membership authentication.

Authorization process consists of three steps (and therefore every backend subclass has to implement these three methods):

  1. request_authentication() makes the url to interact with the owner of the identity to authenticate, i.e. the url of the login web page of the backend service.
  2. authenticate() finalizes authentication of the identity, and then returns an Identity.
  3. authorize() tests whether the given Identity belongs to the team. It might be a redundant step for several backends, but it is a necessary step for backends that distinguish identity authentication from team membership authorization. For example, any Gmail user can prove they own their Gmail account, but only particular users can prove their account belongs to the configured Google Apps organization.

authenticate(auth_nonce: str, requested_redirect_url: str, wsgi_environ: collections.abc.Mapping) → geofront.identity.Identity

Second step of the authentication process: create a verification token for the identity. The token is used by the authorize() method, and by the key store as well (if available).

Parameters:
Returns:

an identity which contains a verification token

Return type:

Identity

Raises geofront.team.AuthenticationError:

when something goes wrong, e.g. network errors, or the user failed to verify their ownership

authorize(identity: geofront.identity.Identity) → bool

The last step of the authentication process. Tests whether the given identity belongs to the team.

Note that it can be called every time the owner communicates with the Geofront server, outside of the authentication process, so membership is re-checked rather than verified only once at sign-in.

Parameters:
  • identity (Identity) – the identity to authorize
Returns:

True only if the identity is a member of the team

Return type:

bool

list_groups(identity: geofront.identity.Identity) → collections.abc.Set

List all groups that the given identity belongs to. Any hashable value can be used to represent a group, e.g.:

{1, 4, 9}

Or:

{'owners', 'programmers'}

Whatever values the set consists of, they are referred to by Remote objects.

Some team implementations might not have a concept like groups. In that case it’s fine to always return an empty set.

Parameters:
  • identity (Identity) – the identity whose groups to list
Returns:

the set of groups associated with the identity

Return type:

collections.abc.Set

New in version 0.2.0.

request_authentication(auth_nonce: str, redirect_url: str) → str

First step of the authentication process: prepare the “sign in” interaction with the owner. It typically returns a url to the login web page.

Parameters:
  • auth_nonce (str) – a random string that guarantees the following authenticate() call (the second step) is part of the same process
  • redirect_url (str) – a url that the owner’s browser has to be redirected to after the “sign in” interaction finishes
Returns:

a url to the web page to interact with the owner in their browser

Return type:

str
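The three-step flow above (request_authentication, authenticate, authorize) plus list_groups, worked through in an in-memory backend. This is an added example, not Geofront's own code: the Identity, Team and AuthenticationError classes are minimal stand-ins written to match the interface documented on this page so the example runs without geofront installed; the identity-provider user table, the login and callback URLs, and the run_login_flow driver are constructed for illustration. It shows why step 3 is separate from step 2: every user the provider knows can authenticate, but only members of the configured organisation are authorized.

```python
import hmac
import secrets
import urllib.parse
from collections.abc import Mapping, Set


class AuthenticationError(Exception):
    """Stand-in for geofront.team.AuthenticationError (assumption)."""


class Identity:
    """Stand-in for geofront.identity.Identity (assumption)."""

    def __init__(self, team_type, identifier, access_token):
        self.team_type = team_type        # the Team subclass that issued it
        self.identifier = identifier      # stable id, here the e-mail address
        self.access_token = access_token  # the verification token


class Team:
    """Stand-in for the geofront.team.Team interface (assumption)."""

    def request_authentication(self, auth_nonce: str, redirect_url: str) -> str:
        raise NotImplementedError

    def authenticate(self, auth_nonce: str, requested_redirect_url: str,
                     wsgi_environ: Mapping) -> Identity:
        raise NotImplementedError

    def authorize(self, identity: Identity) -> bool:
        raise NotImplementedError

    def list_groups(self, identity: Identity) -> Set:
        return frozenset()


# Constructed sample data standing in for a remote identity provider.  Every
# user here can *authenticate* (prove they own the account); only members of
# the configured organisation are *authorized* (step 3).
_FAKE_PROVIDER_USERS = {
    'alice@example.com': {'org': 'acme', 'groups': {'owners', 'programmers'}},
    'bob@example.com': {'org': 'acme', 'groups': {'programmers'}},
    'mallory@example.com': {'org': 'other-corp', 'groups': {'owners'}},
}

# Verification tokens handed out by authenticate(), keyed by identifier.
_ISSUED_TOKENS = {}


class FakeOrganization(Team):
    """Team backend whose members are the users of one organisation."""

    def __init__(self, org_name: str):
        self.org_name = org_name

    def request_authentication(self, auth_nonce, redirect_url):
        # Step 1: the nonce rides along as the ``state`` parameter so the
        # callback can be tied back to exactly this sign-in attempt.
        query = urllib.parse.urlencode({'state': auth_nonce,
                                        'redirect_uri': redirect_url})
        return 'https://login.example.invalid/authorize?' + query

    def authenticate(self, auth_nonce, requested_redirect_url, wsgi_environ):
        # Step 2: the provider redirected the browser back; read the callback's
        # query string from the WSGI environ and check the nonce first.
        params = urllib.parse.parse_qs(wsgi_environ.get('QUERY_STRING', ''))
        state = params.get('state', [''])[0]
        user = params.get('user', [''])[0]
        if not hmac.compare_digest(state.encode(), auth_nonce.encode()):
            raise AuthenticationError('state does not match auth_nonce')
        if user not in _FAKE_PROVIDER_USERS:
            raise AuthenticationError('provider does not know user ' + user)
        token = secrets.token_urlsafe(32)   # checked by authorize() later
        _ISSUED_TOKENS[user] = token
        return Identity(type(self), user, token)

    def authorize(self, identity):
        # Step 3: the token must be one we issued, and the account must belong
        # to *this* organisation, not merely exist at the provider.
        expected = _ISSUED_TOKENS.get(identity.identifier)
        if expected is None or not isinstance(identity.access_token, str):
            return False
        if not hmac.compare_digest(expected.encode(), identity.access_token.encode()):
            return False
        return _FAKE_PROVIDER_USERS[identity.identifier]['org'] == self.org_name

    def list_groups(self, identity):
        if not self.authorize(identity):
            return frozenset()
        return frozenset(_FAKE_PROVIDER_USERS[identity.identifier]['groups'])


def run_login_flow(team, user, callback_state=None):
    """Drive steps 1 and 2 for one user the way the Geofront server would.
    ``callback_state`` lets a caller simulate a tampered callback."""
    nonce = secrets.token_urlsafe(16)
    redirect_url = 'https://geofront.example.invalid/login/callback'
    team.request_authentication(nonce, redirect_url)  # url the browser visits
    # Constructed WSGI environ for the callback request that comes back.
    environ = {'QUERY_STRING': urllib.parse.urlencode({
        'state': nonce if callback_state is None else callback_state,
        'user': user,
    })}
    return team.authenticate(nonce, redirect_url, environ)
```

Calling `run_login_flow(FakeOrganization('acme'), 'alice@example.com')` yields an Identity that authorize() accepts and whose groups are {'owners', 'programmers'}; the same flow for mallory@example.com authenticates but is refused by authorize(), a forged Identity carrying a made-up token is refused, and a callback whose state does not match the nonce raises AuthenticationError. The nonce and token comparisons use hmac.compare_digest so they do not leak timing information.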