Pylons Opinions
Pylons Opinion: Don’t Use Authkit
There are three common systems of user authentication and authorization in Pylons nowadays: Authkit, repoze.who/what, and what is affectionately termed “roll-yer-own”. Many people, upon reading James Gardner’s The Definitive Guide to Pylons, conclude that Authkit is the preferred method among Pylons users. It may be worth mentioning at this point that Authkit is also written by James Gardner.
The actual fact of the matter is that Authkit is, at best, deprecated. My own opinion is that, if you have a good grasp of how auth ought to work, you can implement a roll-yer-own system in less time than it takes to integrate Authkit, and it will be more suited to your needs.
Let us consider the situation: You require a user model in any event — something to keep track of which user is which. (And may I take a moment to recommend the use of bcrypt for secure password storage?) You require some mechanism of keeping track of which user is logged in; the Pylons session will do nicely for this. You require a login/logout controller, which technically is not needed for the most basic Authkit setup, but which you will want to have if you want your login/logout pages to look like the rest of your site. And finally, you require some function, possibly a decorator, which lets you mark certain actions as requiring a logged-in user or a particular kind of logged-in user. These are pretty simple to write; you may wish to consult the Advanced Homegrown Auth article at the Pylons Cookbook wiki if you run into difficulty.
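The four pieces just listed, written out as a minimal roll-yer-own auth layer; this is an added example, not code from the article or the Pylons Cookbook. It assumes a plain dict standing in for the Pylons (Beaker) session, a constructed in-memory table in place of the user model, and bcrypt when it is installed, falling back to the standard library's salted PBKDF2 only when it is not.

```python
import hashlib, hmac, os
from functools import wraps
try:
    import bcrypt  # the page's recommendation; optional here so the example still runs without it
except ImportError:
    bcrypt = None

def hash_password(password):
    if bcrypt is not None:
        return bcrypt.hashpw(password.encode(), bcrypt.gensalt()).decode()
    salt = os.urandom(16)  # fallback only: salted stdlib PBKDF2, deliberately slow
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return "pbkdf2$%s$%s" % (salt.hex(), digest.hex())

def check_password(password, stored):
    if stored.startswith("pbkdf2$"):
        _, salt_hex, digest_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
        return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time comparison
    return bcrypt is not None and bcrypt.checkpw(password.encode(), stored.encode())

# Constructed stand-in for the user model; a real app would load rows from its database.
USERS = {"alice": {"password": hash_password("correct horse"), "role": "admin"},
         "bob": {"password": hash_password("hunter2"), "role": "user"}}

def login(session, username, password):
    user = USERS.get(username)
    if user is None or not check_password(password, user["password"]):
        return False  # same answer for unknown user and wrong password
    session.clear()  # drop pre-login state (with Beaker, also regenerate the session id)
    session["user"] = username
    return True

def logout(session):
    session.clear()

def require_user(role=None):
    # Marks an action as needing a logged-in user, optionally one with a given role.
    def decorator(action):
        @wraps(action)
        def wrapper(session, *args, **kwargs):
            user = USERS.get(session.get("user"))
            if user is None or (role is not None and user["role"] != role):
                raise PermissionError("login as %s required" % (role or "any user"))
            return action(session, *args, **kwargs)
        return wrapper
    return decorator
@require_user(role="admin")
def admin_panel(session):
    return "welcome, " + session["user"]
```

In a real controller the `PermissionError` would become a redirect to the login action or a 403, and `session` would be the Pylons session object rather than a dict.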