What I need is a lightweight authentication/ACL library or middleware which is preferably capable of openID (though this is not crucial), and would play nice with bottle framework (i.e, maybe not use exceptions as an internal flow-control mechanism). Any suggestions?
EDIT:
Any thoughts on barrel?
I suggest you look to repoze.who for authentication and repoze.what for authorization. Both of them are designed to be generic WSGI middleware and easily can work with any of WSGI frameworks.
Another option for authentication with bottle is to use the cork plugin. I've used it successfully, and it has several database (and even a non-database) backends.
