How to use Pluggable Auth Service

I want to set up "Pluggable Auth Service" in my site, but I don't know how.
In my site, I create a folder for a user, this folder has the login and password properties. I would like my user list to be fed by the login / pass contained in these files.
Can you help me get started with Pluggable Auth Service?
Sorry for my English, it's not very good.
Thanks for your help

In Zope, everything related with authentication and authorization is handled by a so-called "user folder" with the typical id acl_users.

Zope already comes with a top level acl_users which is not a PAS (= Pluggable Auth Service) user folder. This complicates matters a bit. Likely the easiest way is to create a new folder and put a PAS user folder therein. Once this is completely set up, a script (or interactive session) can be used to delete the top level acl_users and move the PAS acl_users to the top level.

Once a PAS user folder is created, it can be populated with PAS plugins. To become used, a plugin must have been created and activated (for one or several interfaces; those interfaces correspond to authentication/authorization subtasks - such as extraction, authentication, roles, ...). One of the available plugins is called "User Source" (or similarly spelled): its task is to store users (more precisely, "login name" and associated password). In this plugin, you create your users. It is usually activated for the authentication interface. You will need further plugins, e.g. to associate roles, extract authentication information from the request and to challenge for authentication information. The latter two tasks are typically fulfilled by the "cookie auth helper" plugin. Look at the names of the available plugins; tentatively create plugins which seem to be promising and look which interfaces they support in principle (the available interfaces are documented in plugins/interfaces). If a plugin has a promising interface, explore its tabs to learn how to provide data for it. Come back should you have concrete questions.


Thank you for these first explanations
I will move on and come back if I have specific questions
See you soon

I am also interested in this topic because I may have to implement a TOTP plugin using PyOTP with a per user secret.

If you're interested in writing plugins and in need of example code, look for the pas.plugins.* namespace either at PyPI or at


I'm getting back to this subject. I can't get started with PAS. I need to retrieve the user list from a MySQL table. I installed PAS, and the list of default plugins. Only I don't know which plugin to use to list users from my database.
Concretely, here is my need:

  • retrieve the list of users from my SQL database
  • create an authentication form (as CookieCrumbler did in its time)
  • Authenticate the user in Zope

In return I can write a tutorial on the subject.
Can you guide me to start? Thank you in advance for your help.

Writing a PAS plugin is not that complicated. You can look at existing PAS plugins and learn from them (anyone with a good example for starters?)

The pain part with PAS plugins is the debugging process, in particular when your plugin has to implement a lot of interfaces. Debugging drives you nuts when a particular HTTP request calls a PAS plugin and its functionality a myriad of times (due to all page resources).

Some tips:

  • instead of loading a related page through the browser, try to limit calls to one request (e.g. using wget or curl)
  • add enough logger calls to each function for introspecting incoming and outgoing data
  • pdb is your friend

Did you consider using pas.plugins.sqlalchemy (GitHub - collective/pas.plugins.sqlalchemy: SQLAlchemy PAS plugin (Authentication) for Zope2/Plone)?
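
As an added example (not part of any post in this thread and not code from pas.plugins.sqlalchemy): the credential check that an authentication plugin backed by a SQL user table has to perform, written against PAS's `authenticateCredentials(credentials)` contract. The class name, table layout, PBKDF2 parameters and the use of `sqlite3` as a stand-in for MySQL are assumptions; it is plain Python so that it runs without Zope.

```python
import hashlib
import hmac
import os
import sqlite3

ROUNDS = 200_000  # assumed PBKDF2 work factor for this example


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)


class SQLUserSource:
    # In a real plugin this class would subclass PAS's BasePlugin and declare
    # IAuthenticationPlugin; only the authenticateCredentials contract is shown.

    def __init__(self, conn):
        self.conn = conn
        # Dummy record so unknown logins cost the same hashing work as known ones.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password("dummy", self._dummy_salt)

    def add_user(self, login, password):
        salt = os.urandom(16)
        sql = "INSERT INTO users (login, salt, pw_hash) VALUES (?, ?, ?)"
        self.conn.execute(sql, (login, salt, hash_password(password, salt)))

    def authenticateCredentials(self, credentials):
        """Return (user_id, login) on success, None otherwise."""
        login = credentials.get("login")
        password = credentials.get("password")
        if not isinstance(login, str) or not isinstance(password, str):
            return None  # not login/password credentials: leave to other plugins
        # Bound parameter, never string formatting, so the login cannot alter the SQL.
        sql = "SELECT salt, pw_hash FROM users WHERE login = ?"
        row = self.conn.execute(sql, (login,)).fetchone()
        salt, stored = row if row else (self._dummy_salt, self._dummy_hash)
        ok = hmac.compare_digest(hash_password(password, salt), stored)  # constant time
        return (login, login) if ok and row else None


def make_demo_source():
    conn = sqlite3.connect(":memory:")  # stand-in for the MySQL connection
    conn.execute("CREATE TABLE users (login TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    source = SQLUserSource(conn)
    source.add_user("alice", "correct horse")  # constructed sample account
    return source
```

With a MySQL driver such as PyMySQL the placeholder is `%s` rather than `?`; the query is still passed with bound parameters.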
