
RestAuth β


Upcoming RestAuth 0.7, new "REPs", RestAuthCommon 0.7.0

RestAuth version 0.7 is scheduled for release soon. We are happy with the changes but intend to update RestAuth and RestAuthClient first to make sure no inconsistencies or problems have arisen.

  • The new protocol version was influenced by real-world experience and features several new requests and parameters to speed up RestAuth significantly.
  • This release will also feature the first incompatibility with previous protocol versions: Getting and setting a property will return a dictionary, confusing client libraries that don't understand the new version. Due to the new X-RestAuth-Version header, we will make sure that the server will return data in the correct format for old clients.
  • Many minor improvements as well, see Specification for a full list of changes.

Additionally, we now also have RestAuth enhancement proposals. They will be primarily used to specify new data formats (JSON is now also specified in an REP) and functionality outside of the core protocol.

We've also just released RestAuthCommon 0.7.0, see the ChangeLog for a full list of changes.

-- mati (talk) 12:16, 23 January 2015 (CET)

RestAuthClient 0.6.2

RestAuthClient 0.6.2 was just released. This project is now also hosted on GitHub and requires Python 2.7 or later. Other major changes are:

  • Move the user and group-management to consistent classes, restauth_user.User becomes user.RestAuthUser and group.Group becomes group.RestAuthGroup. The guide gives some migration help. Note that all old paths still exist but give a warning.
  • The factory methods get(), get_all(), create and create_test() are now class methods. So restauth_user.get_all becomes user.RestAuthUser.get_all.
  • All methods that return a list of instances now offer a flat parameter if you don't care about getting instances back.
  • The RestAuthConnection object now offers a timeout and source_address parameter.
  • When using Python 3, you can pass an ssl_context parameter; if omitted, a sensible default is used.

A full ChangeLog is available on git.

-- Mati (talk) 20:21, 8 September 2014 (CEST)

RestAuthCommon 0.6.4

RestAuthCommon 0.6.4 was just released. It contains only two significant updates:

  • The BSON content handler now supports the pymongo package, which resides in the same python namespace as the pure python implementation. As a bonus, this enables BSON support for Python 3.
  • Fixed compatibility issues with Python 2.6 and Python 3.4

The package is already available on PyPI and Debian packages are available for Debian Stable/Testing/Unstable as well as Ubuntu 12.04, 12.10, 13.10 and 14.04.

-- Mati (talk) 19:16, 2 March 2014 (CET)

RestAuthCommon 0.6.3

RestAuthCommon 0.6.3 was just released. As with RestAuth before, RestAuthCommon now lives on GitHub. Changes include:

  • New MessagePack and BSON content handlers.
  • All marshalling/serialization functions are now agnostic towards their parameters:
    • In Python 2, a function can receive either unicode or str.
    • In Python 3, a function can receive either str or bytes.
    • The above is also true for lists and dicts.
    • Output is identical regardless of the input type.
  • All unmarshalled data will be a unicode object in Python 2 and a str object in Python 3.
  • A generic constructor allows individual configuration for content handler instances.

-- Mati (talk) 21:57, 1 March 2014 (CET)

RestAuth 0.6.4

RestAuth 0.6.4 was released last week. We took a little time with the announcement because of Debian packaging problems. This release is primarily a maintenance release:

  • The official repository now lives on GitHub. Other RestAuth-related repositories will move there soon as well.
  • RestAuth now requires Django 1.6 or newer and uses the app-layout introduced in Django 1.5.
  • Fixed installation via pip.
  • More consistently lowercase input and output names of users and groups.
  • SECURE_CACHE is now True by default, since the default cache is an in-memory cache anyway.
  • The command-line scripts are now fully tested by the testsuite, many bugs were found & fixed there.

A few new features are there as well:

  • The restauth import data format now just has a raw 'hash' key which contains a raw hash as stored by the application (plus the "hash" key identifying the type of hash).
  • Most custom hashers are no longer provided by RestAuth and were moved to django-hashers-passlib. With this project, RestAuth (or any Django application) can now hash many new hashes, see passlib's documentation for a full list.

-- Mati (talk) 16:41, 16 February 2014 (CET)

RestAuth 0.6.3 and php-restauth 0.6.2 released

Today RestAuth 0.6.3 was released. Changes include:

  • A security problem that made service authentication not work when SECURE_CACHE = True was fixed.
  • rename action for restauth-service, restauth-user and restauth-service
  • set-service for restauth-group
  • Full support for Python 3.2+
  • RestAuth now requires Python 2.6.5 and Django 1.4.2.
  • Many other minor improvements

php-restauth 0.6.2 was also released containing only one change: The ContentHandler class was renamed to RestAuthContentHandler to avoid name clashes (most specifically, MediaWiki features a class of that name).

-- Mati (talk) 17:06, 31 May 2013 (CEST)

RestAuth 0.6.2 released

RestAuth, the RestAuth server reference implementation, was just released in version 0.6.2, which is primarily a bugfix-release for 0.6.1. Like with RestAuthCommon, 0.6.1 was released but never announced here, so here are the most important changes for both versions:

  • RestAuth now requires Django 1.4 and is tested with Django 1.5.
  • The source-code is Python3 compatible, but one dependency - South - is not yet compatible with Python3.
  • A pluggable backend-system allows RestAuth to store user- or group-data in different systems.
    • RestAuth ships with a Redis backend to store user preferences.
    • A backend storing all data in LDAP is just waiting for an implementation.
  • RestAuth now uses the Django password hashing API.
    • The HASH_ALGORITHM and HASH_FUNCTIONS settings are now deprecated, use the standard PASSWORD_HASHERS setting instead
    • RestAuth now supports all hashing algorithms shipping with Django (i.e. PBKDF2).
    • RestAuth now supports PHPass (Drupal7, WordPress, phpBB3, ...) hashes
    • The new SERVICE_PASSWORD_HASHER setting configures the hashing algorithm for services (significant speed-boost!).
  • Much stricter validation of input-data using assertions. As a side-effect, all input validation can be disabled with an optimizing Python interpreter.
  • The new SECURE_CACHE setting configures if RestAuth should store some data in the cache. By default, this is an in-memory Cache but might be memcached etc. if configured using the CACHES setting.
  • As a result of the changes in RestAuthCommon, RestAuth now also supports decoding/encoding data in YAML, Pickle and XML. WWW-Forms (as used by web browsers) are now also fully supported.

A detailed overview is available in the ChangeLog. Documentation on all changed/updated settings can be found here.

-- Mati (talk) 22:34, 22 April 2013 (CEST)
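
The 0.6.2 notes above mention that assertion-based input validation is switched off by an optimizing Python interpreter. The following added example (not RestAuth code; the username rules and function names are hypothetical) compiles the same validators at optimization level 0 and at level 1, which is what `python -O` applies, and compares an assertion-style check with an explicit one:

```python
# Added illustration; the username rules below are hypothetical, not RestAuth's.
VALIDATORS_SRC = '''
def validate_assert(name):
    # Assertion-style validation: these statements are removed under -O.
    assert isinstance(name, str) and 3 <= len(name) <= 64, "bad length"
    assert "/" not in name and ":" not in name, "illegal character"
    return name.lower()

def validate_explicit(name):
    # Explicit checks are ordinary control flow and survive -O.
    if not isinstance(name, str) or not 3 <= len(name) <= 64:
        raise ValueError("bad length")
    if "/" in name or ":" in name:
        raise ValueError("illegal character")
    return name.lower()
'''

def load_validators(optimize):
    """Compile the validators at the given optimization level (0 = default, 1 = -O)."""
    namespace = {}
    code = compile(VALIDATORS_SRC, "<validators>", "exec", optimize=optimize)
    exec(code, namespace)
    return namespace

def outcome(func, value):
    """Return 'accepted' or 'rejected' for one validator call."""
    try:
        func(value)
        return "accepted"
    except (AssertionError, ValueError):
        return "rejected"

def compare(value):
    """Check one input against both styles at both optimization levels."""
    results = {}
    for level in (0, 1):
        ns = load_validators(level)
        results["assert", level] = outcome(ns["validate_assert"], value)
        results["explicit", level] = outcome(ns["validate_explicit"], value)
    return results

if __name__ == "__main__":
    # Constructed sample input containing characters the rules reject.
    for key, result in sorted(compare("Eve/Admin:x").items()):
        print(key, result)
```

A deployment check that follows from this: confirm the server process is not started with `-O` or `PYTHONOPTIMIZE` set if it relies on assertions for validation.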

RestAuthCommon 0.6.2 released

RestAuthCommon 0.6.2 was just released. Version 0.6.1 was released on PIP and via Debian packages on April 1, 2013, but was never announced here. There are many improvements since 0.6.0, most importantly 4 new content handlers (XML, YAML, Pickle, Pickle3), a working form content handler and Python3 support.

Here is a detailed list of changes since 0.6.0:

  • Fully support Python3
  • Content handlers now use standard python CamelCase, so
    • RestAuthCommon.handlers.content_handler is now RestAuthCommon.handlers.ContentHandler
    • RestAuthCommon.handlers.json is now RestAuthCommon.handlers.JSONContentHandler
    • RestAuthCommon.handlers.xml is now RestAuthCommon.handlers.XMLContentHandler
    • RestAuthCommon.handlers.form is now RestAuthCommon.handlers.FormContentHandler
    • old classnames remain available for now.
  • The XMLContentHandler is now actually implemented.
  • FormContentHandler is now fully tested and supports unicode, but no nested dictionaries.
  • Three new ContentHandlers:
    • YAMLContentHandler
    • PickleContentHandler
    • Pickle3ContentHandler
  • All content handlers consistently accept and return the documented types.
  • The file now includes a test-suite and a "coverage" target.
  • Dependencies are now automatically installed when using pip.

-- Mati (talk) 11:59, 21 April 2013 (CEST)

3rd RestAuth Hackathon

The 3rd RestAuth Hackathon will start on Sat, October 24, 2012. The start will be 11 a.m. at Fachschaft Informatik. If you want to get into developing for RestAuth, this definitely is the event to be at. :-)

-- Mati (talk) 20:46, 15 November 2012 (CET)


php-restauth 0.6.0 released

Today a new version of php-restauth was released. The new version brings two major new features:

  • The library now uses pure libcurl, eliminating the need for another dependency
  • As the version number suggests, this version brings support for RestAuth 0.6, most notably setting multiple properties at once.

For a detailed ChangeLog, see the full ChangeLog in the git repository.

To get php-restauth 0.6.0, either use our, the download directory, our PEAR repository or our APT repositories.

-- Mati (talk) 00:00, 2 November 2012 (CET)

Doodle: 3rd RestAuth Hackathon - This time for real!

Ok, our last attempt for a RestAuth Hackathon failed, because most of us are students and the beginning of the semester is a bad time for hackathons. So here's a new doodle:

Please register until Tue, Nov. 6 2012 (which happens to be my birthday ;-)).

-- Mati (talk) 00:00, 2 November 2012 (CET)

Doodle: 3rd RestAuth Hackathon

I just set up a Doodle for the next RestAuth Hackathon: - The poll will close on Friday (2012-09-28).

Location will (most likely) be once again the Fachschaft Informatik.

-- Mati 20:01, 25 September 2012 (CEST)

RestAuth 0.6 released

RestAuth 0.6 has been released. This is a new protocol version, backwards compatible with old versions. It brings a few enhancements:

  • Support for HTTP status code 401
  • Support for setting multiple HTTP properties in a single HTTP call
  • A few new predefined property names.

The full list of changes can be seen here.

In parallel to this announcement, version 0.6.0 of RestAuthCommon (ChangeLog), RestAuth (ChangeLog) and RestAuthClient (ChangeLog) have been released. Each release also brings other enhancements.

-- Mati 09:42, 15 September 2012 (CEST)

RestAuth 0.5.3 released

I am happy to announce that I just released version 0.5.3 of RestAuth, the reference server implementation of the RestAuth protocol. The new version brings many changes. Some of the most important are:

  • Services are now only allowed to perform actions for which they are explicitly configured. The goal of this feature is to improve security, for example, not every system is able to delete all users from now on. Available permissions are documented in the restauth-service manpage.
  • The system for hashing passwords has been rewritten, which gives you the ability to write your own hashing functions. The HASH_FUNCTIONS setting is the main new configuration variable. See custom hashes for documentation on how to build your own hash functions.
    • Two new hash functions are added in this release: apr1 adds support for md5 hashes generated by the Apache webserver, crypt adds support for hashes generated by the crypt(3) routine.
  • The system for validating usernames has been rewritten in a similar fashion. The VALIDATORS setting replaces the old, less flexible SKIP_VALIDATORS setting. Much like with password hashes, it is now possible to implement your own validators.
  • From now on, Django South is used for handling schema migrations. This will allow us to easily update the schema in the future (some of them will bring significant speed improvements).
  • As usual, lots of documentation was added.

A much more detailed changelog is available in the git-repository. And finally, some git-statistics: 77 files were changed, 7619 insertions, 4254 deletions.

Get RestAuth 0.5.3

The release tarball can be found at [1], the documentation also features update instructions. Distribution packages will become available in the next few days.

-- Mati 22:29, 11 August 2012 (CEST)

Perl library in the works!

I have started working on a Perl library for RestAuth. Basic user operations (create, get all, verify/set password and remove) work and a test suite is starting to materialize. There is little documentation yet, but you can find the source code on

-- Mati 15:52, 17 May 2012 (CEST)

Results from the 2nd RestAuth hackathon

There are numerous results from the 2nd RestAuth hackathon. The most significant are:

  • The OpenStreetBrowser will soon be able to use RestAuth as authentication backend. OSB so far did not support 3rd-party authentication backends, so it was extended in a way that it does.
  • The development of a C library was started.
  • The development of an Erlang library was started.
  • The RestAuth server now supports permissions on a per-service basis. This is a security improvement because leaked credentials do potentially less damage.

-- Mati 11:50, 30 April 2012 (CEST)

2nd RestAuth Hackathon

This site is a lot more active than this newspage suggests. In any case, the second RestAuth Hackathon is on April 28th. It starts at 11:00, the location is the Fachschaft Informatik, its location can be found here. In the past days we have severely pimped the Wish-list, so show up and work on any problem to be found there.

We will see to it that food and drinks are available!

-- Mati 16:42, 26 April 2012 (CEST)

RestAuth website is set up...

Currently, our new, shiny domain is being set up.

Mati 13:51, 24 July 2011 (CEST)