I have a need for authentication as a layer in front of Galaxy which is more specialized than the available options -- specifically 3-legged OAuth against site of my choice.

After looking into writing this in PHP and having the webserver (nginx) set remote_user, I decided to nix that approach for a couple of reasons -- one of which is that I don't have PHP experience.

After a few discussions with other devs, I've decided that there are two easy options available to me:

- Write a WSGI app which does authentication, and proxies authenticated requests to Galaxy with remote_user set. Since that's a WSGI app doing proxying, obvious code smell there

- Write a WSGI middleware that wraps the existing Galaxy WSGI app, and passes authenticated requests directly to the Galaxy app

That second solution seems much better, but I'm now faced with the question of "How do I do it?"

Looking over the sample config, I see these lines:

# The factory for the WSGI application.  This should not be changed.
paste.app_factory = galaxy.web.buildapp:app_factory

I'm thinking that I could change that to my middleware, which will turn to `galaxy.web.buildapp` when the time comes.

One problem I'm seeing is that my middleware and galaxy both have to run in the same virtualenv, so there's potential for dependency conflicts.

The lib I want to use for this does rely on PyYAML and a few other things which Galaxy also needs, so that possibility is very real.

Other than that hurdle, are there any gotchas I should be aware of with this approach?

Are there similarly simple alternatives to this which I am not seeing?

Ultimately, if I have to write an app that does proxying, I'd prefer that to the wide variety of highly effortful solutions I have envisioned.
Those include, but are not limited to, a PAM which does the OAuth and doing Basic Authentication against that, just to give a flavor.

Thanks very much for your help,

-Stephen