Post on 08-May-2015
Drupal 8 Authentication
Drupalcamp London 2014
Juan Pablo Novillo Requena (juampy)
About me
@juampy72
Maintainer of OAuth, Twitter, Devel, Basic Auth...
Developer at Lullabot
Let's start by defining authentication and authorization
Authentication
Who the hell are you?
Authorization
403
Dude, what the hell do you think you are doing here?
In detail: Authentication in Drupal 8
Drupal 8 incorporates a Modular Authentication System.
Different Authentication Providers can authenticate a user out of a given request.
Core's built-in auth providers
Cookie - default one. Returns authenticated or anonymous user depending on the presence of a cookie.
Basic Auth - checks if user name & password are in the request headers and finds a user.
How does it work?
Client
Request: /latest-news
Authorization: Basic pvcGVuIHNlc2ZQ==
Server
Drupal bootstraps
Authentication Manager
$request
- Basic auth.apply()
- Cookie.apply()
$request
Basic Auth.authenticate()
$user
Access Controllers (EntityAccessController, MenuAccessController...)
Build response
OK 200
- Drupalcamp London is a total success
- Inebriated Drupal geeks swimming in Trafalgar Square were arrested... TRUE
Example: Basic Authentication class
First step, check if we can authenticate
Next: attempt to authenticate a user
Basic authentication service
This tag makes the service load automatically
Cookie auth provider has a priority of 0, so this provider will kick in earlier.
Loading authentication providers
Load services tagged as 'authentication'
The priority flag determines the order in which they are called
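The flow from the slides above (priority-sorted providers, an applies check, then authenticate), as an added sketch that is not code from the talk or from Drupal core. The interface, class and function names, the priority value 100 and the sample credentials are all hypothetical or constructed. In this sketch a wrong Basic password does not fall through to a valid cookie: the first provider that applies decides.

```php
<?php
// Added sketch of a provider chain; hypothetical names, not Drupal's API.
interface AuthProvider {
  public function applies(array $headers): bool;
  public function authenticate(array $headers): ?string;
}

final class BasicAuthProvider implements AuthProvider {
  public function __construct(private array $hashes) {} // name => password_hash()
  public function applies(array $headers): bool {
    return stripos($headers['Authorization'] ?? '', 'Basic ') === 0;
  }
  public function authenticate(array $headers): ?string {
    $raw = base64_decode(substr($headers['Authorization'], 6), true);
    // Reject malformed base64 and payloads without the "name:password" separator.
    if ($raw === false || !str_contains($raw, ':')) {
      return null;
    }
    [$name, $pass] = explode(':', $raw, 2);
    $hash = $this->hashes[$name] ?? null;
    return ($hash !== null && password_verify($pass, $hash)) ? $name : null;
  }
}

final class CookieProvider implements AuthProvider {
  public function __construct(private array $sessions) {} // cookie => name
  public function applies(array $headers): bool {
    return isset($headers['Cookie']);
  }
  public function authenticate(array $headers): ?string {
    return $this->sessions[$headers['Cookie']] ?? null;
  }
}

// Highest priority first; the first provider that applies decides the user.
function resolveUser(array $providers, array $headers): string {
  krsort($providers);
  foreach ($providers as $provider) {
    if ($provider->applies($headers)) {
      return $provider->authenticate($headers) ?? 'anonymous';
    }
  }
  return 'anonymous';
}

// Constructed sample data: priorities are the array keys.
$basic = new BasicAuthProvider(['alice' => password_hash('s3cret', PASSWORD_DEFAULT)]);
$providers = [100 => $basic, 0 => new CookieProvider(['SESSdemo=1' => 'bob'])];
$cookie = ['Cookie' => 'SESSdemo=1'];
echo resolveUser($providers, ['Authorization' => 'Basic ' . base64_encode('alice:s3cret')]), "\n";
echo resolveUser($providers, $cookie + ['Authorization' => 'Basic ' . base64_encode('alice:wrong')]), "\n";
echo resolveUser($providers, $cookie), "\n";
```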
Authenticate an existing Route
https://github.com/juampy72/drupal_friendly_support
Module friendly_support
Makes it impossible for clients to make a complaint by adding HTTP authentication to /contact
Next: steps on how it works.
1. Define our RouteSubscriber
A provider may be a module name. A collection, the routes it defines.
Here is where we alter the route.
2. Define our class as a service
● Add the event_subscriber tag.
● RouteSubscriberBase takes care of the rest.
3. Enable it and open /contact
Authenticate a custom Route
Allowed methods: Basic Authentication
We just need an authenticated user. No extra permissions are needed.
Authenticate a REST resource
Recommended read: REST: exposing data as RESTful web services
REST UI module lets you set authentication through the admin interface.
Authenticate a view
I have no idea
How to help?
● Add flood support to basic_auth.
● Circular reference error on a REST request
● Remove basic_auth from core
● OAuth2?
● Any other authentication providers?
○ Digest Authentication
○ IP based authentication
Thanks! Questions?
about.me/juampy
@juampy72