Team authentication

Geofront doesn’t force you to manage team members yourself. Instead it hides how team members are managed and offers Team, a layering interface for implementing a custom team data provider, e.g. GitHubOrganization.

It is theoretically possible to implement a straightforward RDBMS-backed team provider, but we recommend adapting your existing team data instead, e.g. a GitHub organization, Google Apps organization, or Bitbucket team.


Authentication exception which is raised when the authentication process has trouble, including network problems.


Backend interface for team membership authentication.

The authorization process consists of three steps (and therefore every backend subclass has to implement these three methods):

  1. request_authentication() makes the url to interact with the owner of the identity to authenticate, i.e. the url to the login web page of the backend service.
  2. authenticate() finalizes authentication of the identity, and then returns an Identity.
  3. authorize() tests whether the given Identity belongs to the team. It might be a redundant step for several backends, but it is a necessary step for backends that distinguish identity authentication from team membership authorization. For example, any Gmail user can authenticate that they own their Gmail account, but only particular users can authenticate that their account belongs to the configured Google Apps organization.

authenticate(auth_nonce: str, requested_redirect_url: str, wsgi_environ: → geofront.identity.Identity

Second step of the authentication process, to create a verification token for the identity. The token is used by the authorize() method, and by the key store as well (if available).


Returns: an identity which contains a verification token

Return type: geofront.identity.Identity

when something goes wrong e.g. network errors, the user failed to verify their ownership

authorize(identity: geofront.identity.Identity) → bool

The last step of the authentication process. Tests whether the given identity belongs to the team.

Note that it can be called every time the owner communicates with the Geofront server, outside the authentication process.

Parameters: identity (Identity) – the identity to authorize

Returns: True only if the identity is a member of the team

Return type: bool

request_authentication(auth_nonce: str, redirect_url: str) → str

First step of the authentication process, to prepare the “sign in” interaction with the owner. It typically returns a url to the login web page.

Parameters:

  • auth_nonce (str) – a random string to guarantee that it is part of the same process as the following authenticate() call, which is the second step
  • redirect_url (str) – a url that the owner’s browser has to redirect to after the “sign in” interaction finishes

Returns: a url to the web page to interact with the owner in their browser

Return type: str
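
The three steps above, as an added stand-alone example (not Geofront's own code): a toy backend that binds the login callback to auth_nonce in step 2 and checks team membership separately in step 3. DemoTeam, the Identity fields, AuthenticationError, the idp.example URL, the state/code query parameters and the wsgi_environ annotation are assumptions made for illustration.

```python
# Added example: Identity, AuthenticationError and DemoTeam are hypothetical
# stand-ins written for this sketch, not classes imported from Geofront.
import hmac
from typing import Mapping, NamedTuple
from urllib.parse import parse_qs, urlencode


class Identity(NamedTuple):
    team_type: type      # backend class that issued the identity (assumed field)
    identifier: str      # account name at the backend (assumed field)
    access_token: str    # the verification token (assumed field)


class AuthenticationError(Exception):
    """Raised when ownership of the identity could not be verified."""


class DemoTeam:
    LOGIN_URL = 'https://idp.example/login'  # constructed placeholder

    def __init__(self, accounts: Mapping[str, str], members: frozenset):
        self.accounts = accounts  # constructed: one-time code -> account name
        self.members = members    # accounts that belong to the team

    def request_authentication(self, auth_nonce: str, redirect_url: str) -> str:
        # Step 1: send the nonce along as "state" so that step 2 can tie the
        # callback to this particular sign-in attempt.
        query = urlencode({'state': auth_nonce, 'redirect_uri': redirect_url})
        return f'{self.LOGIN_URL}?{query}'

    def authenticate(self, auth_nonce: str, requested_redirect_url: str,
                     wsgi_environ: Mapping[str, object]) -> Identity:
        # Step 2: refuse a callback whose state differs from the nonce
        # (compared in constant time), then verify ownership.
        params = parse_qs(str(wsgi_environ.get('QUERY_STRING', '')))
        state = params.get('state', [''])[0]
        if not hmac.compare_digest(state.encode(), auth_nonce.encode()):
            raise AuthenticationError('state does not match auth_nonce')
        code = params.get('code', [''])[0]
        if code not in self.accounts:
            raise AuthenticationError('ownership was not verified')
        # In this toy backend the one-time code doubles as the token.
        return Identity(type(self), self.accounts[code], code)

    def authorize(self, identity: Identity) -> bool:
        # Step 3: membership is a separate question from ownership, and it
        # is re-evaluated on every call rather than cached from step 2.
        return (identity.team_type is type(self)
                and identity.identifier in self.members)
```

An account that passes authenticate() but is absent from members is still rejected by authorize(), which is the Gmail versus Google Apps distinction described in step 3.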