--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/pyramid_cubicweb/authplugin.py	Sun Jul 06 18:06:10 2014 +0200
@@ -0,0 +1,50 @@
+"""
+Special authentifiers.
+
+:license: GNU Lesser General Public License, v2.1 - http://www.gnu.org/licenses
+
+"""
+__docformat__ = "restructuredtext en"
+
+from cubicweb import AuthenticationError
+from cubicweb.server.sources import native
+
+
+class Token(object):
+    pass
+
+EXT_TOKEN = Token()
+
+
+class DirectAuthentifier(native.BaseAuthentifier):
+    """return CWUser eid for the given login.
+
+    Before doing so, it makes sure the authentication request comes from
+    xxx by checking the special '__externalauth_directauth' kwarg.
+
+    """
+
+    auth_rql = (
+        'Any U WHERE U is CWUser, '
+        'U eid %(eid)s'
+    )
+
+    def authenticate(self, session, login, **kwargs):
+        """Return the CWUser eid for the given login.
+
+        Make sure the request comes from inside pyramid by
+        checking the special '__pyramid_directauth' kwarg.
+
+        """
+        session.debug('authentication by %s', self.__class__.__name__)
+        directauth = kwargs.get('__pyramid_directauth', None)
+        try:
+            if directauth == EXT_TOKEN:
+                rset = session.execute(self.auth_rql, {'eid': int(login)})
+                if rset:
+                    session.debug('Successfully identified %s', login)
+                    return rset[0][0]
+        except Exception, exc:
+            session.debug('authentication failure (%s)', exc)
+
+        raise AuthenticationError('user is not registered')