On Fri, Feb 27, 2015 at 2:38 PM, Tyler Romeo <tylerromeo@gmail.com> wrote:
> and give the users' groups from the authorization provider.
Note we have no mention of this in the authentication RFC, since we're being careful to separate *authentication* (authn) from *authorization* (authz). We have vague plans to rework authz like we're doing authn here, but we haven't done more than consider that a possibility for a future project.
Under the current RFC, an extension that does both authn and authz would presumably have its AuthenticationProvider store information in the session that would be used later when authz is done (e.g. in the UserGetRights hook).