Simon Willison’s Weblog

datasette-auth-passwords. My latest plugin: datasette-auth-passwords provides a mechanism for signing into Datasette using a username and password (which is verified in order to set a ds_actor authentication cookie). So far it only supports passwords that are hard-coded into Datasette’s configuration via environment variables, but I plan to add database-backed user accounts in the future.

# 13th July 2020, 11:39 pm / authentication, passwords, plugins, projects, datasette

NGINX: Authentication Based on Subrequest Result (via) TIL about this neat feature of NGINX: you can use the auth_request directive to cause NGINX to make an HTTP subrequest to a separate authentication server for each incoming HTTP request. The authentication server can see the cookies on the incoming request and tell NGINX if it should fulfill the parent request (via a 2xx status code) or if it should be denied (by returning a 401 or 403). This means you can run NGINX as an authenticating proxy in front of any HTTP application and roll your own custom authentication code as a simple webhook-recieving endpoint.

# 4th October 2019, 3:36 pm / authentication, nginx, webhooks

django-piston. Promising looking Django mini-framework for creating RESTful APIs, from the bitbucket team. Ticks all of Jacob’s boxes, even including built-in pluggable authentication support with HTTP Basic, Digest and OAuth out of the box.

# 30th April 2009, 7:55 pm / apis, authentication, bitbucket, digest, django, jespernoehr, oauth, piston, python, rest, restful

Google’s Usability Research on Federated Login. Fascinating—suggests an approach to federated auth based on the Amazon.com “Yes, I have a password” login flow. Feels convoluted to me but apparently it tests really well against a mainstream audience. The more research shared around this stuff the better.

# 22nd September 2008, 8:56 pm / amazon, authentication, federated, google, login, openid, usability

Django snippets: Authenticate against Active Directory. Uses a custom authentication backend with the Python ldap module. If Django hasn’t seen the user before a new Django user account is created with data from ldap.

# 10th December 2007, 8:40 am / activedirectory, authentication, django, ldap, python

OAuth Core 1.0. The final spec. Expect to see this crop up all over the place in the next few months.

# 5th December 2007, 3:39 am / apis, authentication, oauth

OAuth: Your valet key for the Web. OAuth is a really important new specification that aims to solve the “give this application permission to do X on my behalf” problem once and for all.

# 21st September 2007, 11:34 pm / apis, authentication, oauth, openid, specification, web-services

Jottit. Aaron Swartz’s latest venture: a complete rethink of the Infogami concept. Well worth checking out for the extremely thoughtful way it introduces features, and the way account creation with a password remains optional until you want to add access control.

# 16th September 2007, 9:43 pm / aaron-swartz, authentication, bitbots, infogami, jottit, usability, userflow, wiki

Wrong-headed impersonation. Kim Cameron discusses user absent authentication, and emphasises the importance of delegation using delegation coupons.

# 5th March 2007, 2:38 pm / authentication, delegation, delegationcoupons, identity, kimcameron