`wsgi-auth-middleware` provides WSGI middleware to perform HTTP authentication (RFC7235) using a variety of schemes.

Each backend requires additional dependencies that must be explicitly chosen using the PEP508 Extras that cover it. The following command will install `wsgi-auth-middleware` with all supported backends.

```sh
pip install wsgi-auth-middleware[gssapi,pam]
```
This middleware package provides the `HttpAuthWsgiMiddleware` class and various callables that implement authentication primitives. The result of wrapping a WSGI app with `HttpAuthWsgiMiddleware` will be a new WSGI app that performs HTTP authentication and, upon success, places the authenticated username string in `environ["REMOTE_USER"]`.

`wsgi-auth-middleware` is designed to be flexible. You can mix and match HTTP authentication schemes (frontends) with any system authentication backends that support their interfaces. Typical usage looks like this:
```python
from wsgi_auth_middleware import HttpAuthWsgiMiddleware
from wsgi_auth_middleware.frontends import BasicFrontend, NegotiateFrontend
from wsgi_auth_middleware.backends import PamBackend, GssapiBackend

# Basic authentication, verified against a PAM service.
pam_backend = PamBackend(service='my_pam_service')
basic_frontend = BasicFrontend(auth_backends=[pam_backend], realm='my realm')

# Negotiate authentication, verified through GSSAPI.
gssapi_backend = GssapiBackend(fqdn='example.org')
negotiate_frontend = NegotiateFrontend(auth_backends=[gssapi_backend])

# `my_wsgi_app` is your existing WSGI application callable.
# Authentication will be tried in the sequential order given by `auth_frontends`.
authenticated_app = HttpAuthWsgiMiddleware(
    app=my_wsgi_app,
    auth_frontends=[negotiate_frontend, basic_frontend]
)
```
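To make the contract described above concrete (credentials are checked, and `environ["REMOTE_USER"]` is set only on success), here is a standard-library sketch of a Basic (RFC7617) frontend. It is an added example, not wsgi-auth-middleware's own code; `DEMO_USERS`, `check_password`, `parse_basic`, `basic_auth`, `whoami` and `call` are hypothetical names, and the in-memory credential table stands in for a real backend such as PAM.

```python
import base64
import hmac

DEMO_USERS = {"alice": "correct horse"}  # constructed demo credentials

def check_password(username, password):
    """Hypothetical backend: constant-time comparison against DEMO_USERS."""
    expected = DEMO_USERS.get(username)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

def parse_basic(header):
    """Return (username, password) from an RFC 7617 header value, else None."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or invalid UTF-8
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None

def basic_auth(app, realm="demo"):
    """Wrap `app` so that it only runs for authenticated requests."""
    def wrapped(environ, start_response):
        environ.pop("REMOTE_USER", None)  # discard any identity set before us
        creds = parse_basic(environ.get("HTTP_AUTHORIZATION", ""))
        if creds and check_password(*creds):
            environ["REMOTE_USER"] = creds[0]
            return app(environ, start_response)
        start_response("401 Unauthorized", [
            ("WWW-Authenticate", 'Basic realm="%s", charset="UTF-8"' % realm),
            ("Content-Type", "text/plain")])
        return [b"authentication required\n"]
    return wrapped

def whoami(environ, start_response):
    """Protected app: echoes the identity the middleware established."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["REMOTE_USER"].encode()]

def call(app, authorization=None):
    """Drive `app` in-process with a constructed environ; return (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "REMOTE_USER": "spoofed"}
    if authorization:
        environ["HTTP_AUTHORIZATION"] = authorization
    seen = {}
    body = b"".join(app(environ, lambda s, h: seen.update(status=s, headers=dict(h))))
    return seen["status"], seen["headers"], body
```

The `call` helper pre-populates `REMOTE_USER` in the environ on purpose, so a request without valid credentials shows that the wrapped app is never reached with an identity the middleware did not establish.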
- RFC7235 - Hypertext Transfer Protocol (HTTP/1.1): Authentication
- RFC7617 - The 'Basic' HTTP Authentication Scheme
- (Kerberos only) RFC4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows
- PEP 3333 – Python Web Server Gateway Interface v1.0.1
- A very basic description of authentication opportunities in WSGI

`wsgi-auth-middleware` is distributed under the terms of the ISC license.