The Session authenticator checks whether the session already contains user data or credentials. When using stateful authenticators such as Form (below), load the Session authenticator first, so that once a user has logged in their identity is read from the session on subsequent requests instead of being re-identified on every request.

Configuration options:

- identify: Set this to true to enable checking the session credentials against the identifiers. When true, the configured identifiers are used to identify the user from the data stored in the session on each request, so a user removed or disabled in storage loses access as soon as the next request arrives. Default value is false.
- fields: Maps the username field to the unique identifier in your user storage. Defaults to username. This option is only used when the identify option is set to true.
The Form authenticator looks up the credentials in the request body, usually when a form is submitted via POST / PUT.

Configuration options:

- loginUrl: The login URL, a string or an array of URLs. Default is null, in which case all pages are checked.
- fields: Maps username and password to the specified POST data fields.
- checkFullUrl: Whether to compare the full URL rather than only the path. Default is false. This option does not work well when preserving unauthenticated redirects in the query string.

Warning: if you use the array syntax for the URL, the URL is generated by the CakePHP router. The result might differ from what you actually have in the request URI depending on your route handling, and the comparison is case sensitive.
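The following is an added example, not code from the plugin or the original page. It wires the Session and Form authenticators in the order described above, with the Password identifier resolving credentials. The users table columns (email, password), the login path /users/login and the decision to re-check the session identity on every request are assumptions made for this example.

```php
<?php
// Added example (not the plugin's own code): Session first, Form second,
// with the session identity re-validated against storage on each request.
use Authentication\AuthenticationService;

$service = new AuthenticationService();

// The Password identifier resolves form credentials against the users table.
// 'email' and 'password' are assumed column names in your user storage.
$service->loadIdentifier('Authentication.Password', [
    'fields' => [
        'username' => 'email',
        'password' => 'password',
    ],
]);

// Session first: a logged-in user is served from the session on every request.
// 'identify' => true passes the stored identity back through the identifiers,
// so a user that was deleted or disabled in storage loses the session immediately
// (at the cost of one lookup per request). 'fields' names the stored key that
// holds the username value the identifier should look up.
$service->loadAuthenticator('Authentication.Session', [
    'identify' => true,
    'fields' => ['username' => 'email'],
]);

// Form second: only runs when the request matches loginUrl. A string path is
// compared literally (and case-sensitively) against the request path; an array
// route would first be rendered by the Router and may not equal the incoming URI.
$service->loadAuthenticator('Authentication.Form', [
    'fields' => [
        'username' => 'email',
        'password' => 'password',
    ],
    'loginUrl' => '/users/login',
]);
```

The service is then handed to the AuthenticationMiddleware as usual; nothing else about the middleware setup changes.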
The Token authenticator can authenticate a request based on a token that comes along with the request, either in a header or in a request parameter. The header and queryParam options name the header and the query parameter to read; tokenPrefix is an optional prefix that must precede the token in the header.

An example of getting a token from a header or query string would be:

    $service->loadAuthenticator('Authentication.Token', [
        'header' => 'Authorization',
        'queryParam' => 'token',
        'tokenPrefix' => 'Token',
    ]);

The above reads the token GET parameter or the Authorization header, as long as the header value is the token preceded by Token and a space.
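As an added example (not from the plugin or the original page), this pairs the Token authenticator with the plugin's Token identifier so that the extracted string is looked up in user storage, and reads the token from the Authorization header only. The api_token column name is an assumption; the choice to omit queryParam is a deliberate hardening step explained in the comments.

```php
<?php
// Added example (not the plugin's own code): opaque API tokens resolved
// through the Token identifier, accepted from the Authorization header only.
use Authentication\AuthenticationService;

$service = new AuthenticationService();

// The Token identifier looks the token up in user storage.
// tokenField: the column holding the token (assumed 'api_token').
// dataField:  the key under which the authenticator hands the token over
//             (the Token authenticator uses 'token').
$service->loadIdentifier('Authentication.Token', [
    'tokenField' => 'api_token',
    'dataField' => 'token',
]);

// Read "Authorization: Token <value>". The prefix must be followed by exactly
// one space, so "Bearer <value>" is not accepted by this configuration.
// queryParam is intentionally not set: tokens carried in the URL are written
// to web server access logs, proxies and Referer headers, which turns every
// log reader into a token holder.
$service->loadAuthenticator('Authentication.Token', [
    'header' => 'Authorization',
    'tokenPrefix' => 'Token',
]);
```

Clients then send `Authorization: Token <api_token>`; a request without that header fails with missing credentials and falls through to the next authenticator, if any.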
The JWT authenticator gets the JWT from the header or query parameter and either returns the payload directly or passes it to the identifiers to verify it against another datasource, for example the users table.

Configuration options include:

- returnPayload: Whether to return the token payload directly as the identity, without going through the identifiers.
- secretKey: Default is null, but you are required to pass a secret key if you are not in the context of a CakePHP application that provides one through Security::salt(). The salt is shared with other framework features, so a dedicated key set explicitly through secretKey is the better choice where you control the configuration.

If you want to identify the user based on the sub (subject) claim of the token you can use the JwtSubject identifier:

    $service = new AuthenticationService();
    $service->loadIdentifier('Authentication.JwtSubject');
    $service->loadAuthenticator('Authentication.Jwt', [
        'returnPayload' => false,
    ]);

For the HttpBasic and HttpDigest authenticators, the realm option defaults to $_SERVER['SERVER_NAME']; override it as needed.
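The page only shows the verifying side. The following added example (not the plugin's or the page's own code) also shows a token being issued with the firebase/php-jwt library the authenticator builds on, and configures the authenticator with an explicit secret and the JwtSubject identifier. The environment variable name, the 15 minute lifetime and the users.id primary key are assumptions for this example.

```php
<?php
// Added example (not the plugin's own code): issue a short-lived HS256 JWT
// and configure the Jwt authenticator to verify it with a dedicated key.
use Authentication\AuthenticationService;
use Firebase\JWT\JWT;

// Dedicated signing key, kept out of the code base (assumed env variable).
$signingKey = getenv('JWT_SIGNING_KEY');
if ($signingKey === false || $signingKey === '') {
    throw new RuntimeException('JWT_SIGNING_KEY is not set');
}

/**
 * Build a token for an authenticated user. The claim set is an assumption:
 * sub carries the user id the JwtSubject identifier resolves, and exp keeps
 * the window in which a leaked token is usable short.
 */
function issueToken(int $userId, string $signingKey, int $ttlSeconds = 900): string
{
    $now = time();
    $payload = [
        'sub' => $userId,
        'iat' => $now,
        'nbf' => $now,
        'exp' => $now + $ttlSeconds,
    ];

    return JWT::encode($payload, $signingKey, 'HS256');
}

$service = new AuthenticationService();

// Resolve the identity from the sub claim: 'dataField' is the claim name,
// 'tokenField' the users table column it is matched against (assumed 'id').
$service->loadIdentifier('Authentication.JwtSubject', [
    'tokenField' => 'id',
    'dataField' => 'sub',
]);

// Signature and exp/nbf are checked by the JWT library during decoding; a
// failure is reported as an authentication failure. returnPayload => false
// means the payload is not trusted as the identity but passed to the identifier,
// so a valid token for a user that no longer exists is rejected.
$service->loadAuthenticator('Authentication.Jwt', [
    'header' => 'Authorization',
    'tokenPrefix' => 'Bearer',
    'algorithm' => 'HS256',
    'secretKey' => $signingKey,
    'returnPayload' => false,
]);

// In a login action, after the Form authenticator succeeded:
// $token = issueToken((int)$identity->getIdentifier(), $signingKey);
```

Pinning algorithm to the value used at issuing time matters: the authenticator decodes with exactly that algorithm, so a token that claims a different alg in its header is rejected rather than negotiated.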
There are currently no plans to implement an OAuth authenticator. The main reason for this is that OAuth 2.0 is not an authentication protocol.
Read more about this topic here.
An OpenID Connect authenticator may be added in the future.
There is only one event fired by authentication: Authentication.afterIdentify.
If you do not know what events are and how to use them, check the CakePHP events documentation.
The Authentication.afterIdentify event is fired by the AuthenticationComponent after an identity was successfully identified.
The event contains the following data:

- provider: the authenticator that identified the user
- identity: the identity object
- service: the authentication service

The subject of the event is the current controller instance the AuthenticationComponent is attached to.
The event is only fired if the authenticator that identified the user is neither persistent nor stateless. Otherwise it would fire on every request, because the Session authenticator or a token authenticator re-identifies the user each time.
Of the included authenticators, only the Form authenticator causes the event to be fired. After that, the Session authenticator provides the identity.
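As an added example (not from the plugin or the original page), the listener below is registered in AppController and records each successful login. Because the event is fired only for the non-persistent, non-stateless authenticator (Form), it runs once per login rather than once per request. The 'auth' log scope and the identity's id key are assumptions for this example.

```php
<?php
// Added example (not the plugin's own code): audit successful logins via
// Authentication.afterIdentify.
declare(strict_types=1);

namespace App\Controller;

use Cake\Controller\Controller;
use Cake\Event\EventInterface;
use Cake\Log\Log;

class AppController extends Controller
{
    public function initialize(): void
    {
        parent::initialize();
        $this->loadComponent('Authentication.Authentication');

        // The component dispatches the event on the controller's event manager,
        // so a listener attached here before the request is processed sees it.
        $this->getEventManager()->on(
            'Authentication.afterIdentify',
            function (EventInterface $event): void {
                $identity = $event->getData('identity');   // ArrayAccess identity
                $provider = $event->getData('provider');   // authenticator that succeeded
                /** @var \Cake\Controller\Controller $controller */
                $controller = $event->getSubject();

                // One line per login, to its own scope so it can be shipped to the SIEM
                // separately from application noise. 'id' is the assumed identity key.
                Log::info(sprintf(
                    'login user=%s via=%s ip=%s',
                    (string)($identity['id'] ?? 'unknown'),
                    get_class($provider),
                    $controller->getRequest()->clientIp()
                ), ['scope' => ['auth']]);
            }
        );
    }
}
```

The same listener is the right place for anything else that must happen exactly once at login, such as rotating the session id or issuing a remember-me cookie, since the per-request Session authenticator never triggers it.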
Some authenticators, such as Form or Cookie, should only be executed on certain pages, for example the /login page. This is achieved with URL checkers.
By default a DefaultUrlChecker is used, which compares string URLs, optionally as regular expressions.
A custom URL checker can be implemented, for example if support for framework-specific URLs is needed. In that case implement the plugin's UrlCheckerInterface and pass the class name or an instance as the authenticator's urlChecker option.
For more details about URL checkers see the URL Checkers documentation page.
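The following added example (not the plugin's own code) is a custom URL checker that matches the login route on the routing parameters already resolved for the request (plugin, prefix, controller, action) rather than on the raw URI. That sidesteps the case-sensitivity and route-rendering pitfalls of array login URLs noted above. It assumes the standard middleware order in which AuthenticationMiddleware runs after RoutingMiddleware, so the params request attribute is populated; the namespace is an assumption.

```php
<?php
// Added example (not the plugin's own code): match the login URL on resolved
// route parameters instead of the request URI string.
declare(strict_types=1);

namespace App\Authentication\UrlChecker;

use Authentication\UrlChecker\UrlCheckerInterface;
use Psr\Http\Message\ServerRequestInterface;

class RouteParamsUrlChecker implements UrlCheckerInterface
{
    /**
     * @param \Psr\Http\Message\ServerRequestInterface $request
     * @param array|string $loginUrls One route array, or a list of route arrays.
     * @param array $options Unused: DefaultUrlChecker's useRegex/checkFullUrl do not apply here.
     */
    public function check(ServerRequestInterface $request, $loginUrls, array $options = []): bool
    {
        // Set by RoutingMiddleware. If no route matched there is nothing to compare
        // against and the login form must not be processed.
        $params = $request->getAttribute('params');
        if (!is_array($params)) {
            return false;
        }

        // Accept a single route array as well as a list of them.
        if (is_array($loginUrls) && isset($loginUrls['controller'])) {
            $loginUrls = [$loginUrls];
        }

        foreach ((array)$loginUrls as $route) {
            if (is_array($route) && $this->matches($params, $route)) {
                return true;
            }
        }

        return false;
    }

    /**
     * Every routing key is compared, with absent keys treated as null, so a route
     * array without 'plugin' only matches requests that have no plugin either.
     */
    private function matches(array $params, array $route): bool
    {
        foreach (['plugin', 'prefix', 'controller', 'action'] as $key) {
            if (($params[$key] ?? null) !== ($route[$key] ?? null)) {
                return false;
            }
        }

        return true;
    }
}

// Wiring: the Form authenticator then only handles requests that resolved to Users::login.
// $service->loadAuthenticator('Authentication.Form', [
//     'urlChecker' => new \App\Authentication\UrlChecker\RouteParamsUrlChecker(),
//     'loginUrl' => ['controller' => 'Users', 'action' => 'login'],
// ]);
```

Because the comparison happens on parsed route data, a request for /Users/Login/ or an aliased route that maps to the same controller action is treated the same as /users/login, and a request that merely resembles the login path but routes elsewhere is not.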
After a user has been authenticated you may want to inspect or interact with the authenticator that successfully authenticated the user:

    // In a controller action
    $service = $this->request->getAttribute('authentication');

    // Will be null on authentication failure, or an authenticator.
    $authenticator = $service->getAuthenticationProvider();

You can also get the identifier that identified the user:

    // In a controller action
    $service = $this->request->getAttribute('authentication');

    // Will be null on authentication failure, or an identifier.
    $identifier = $service->getIdentificationProvider();
When using HttpBasic or HttpDigest together with other authenticators, remember that these authenticators halt the request when authentication credentials are missing or invalid. This is necessary because they must send specific challenge headers in the response. If you want to combine HttpBasic or HttpDigest with other authenticators, configure them as the last authenticators, so that the session and form authenticators get their chance first:

    use Authentication\AuthenticationService;

    // Instantiate the service
    $service = new AuthenticationService();

    // Load identifiers
    $service->loadIdentifier('Authentication.Password', [
        'fields' => [
            'username' => 'email',
            'password' => 'password',
        ],
    ]);

    // Load the authenticators, leaving Basic as the last one.
    $service->loadAuthenticator('Authentication.Session');
    $service->loadAuthenticator('Authentication.Form');
    $service->loadAuthenticator('Authentication.HttpBasic');
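The added example below (not the plugin's or the page's own code) goes one step beyond the ordering rule: since the service provider is built per request, the challenge-sending HttpBasic authenticator can be loaded only where a 401 challenge is the desired failure mode (API paths), while browser traffic gets Session and Form and a redirect to the login page. The /api/ path prefix, the column names, the realm and the login path are assumptions for this example.

```php
<?php
// Added example (not the plugin's own code): choose the authenticator list per
// request so HttpBasic only participates, and comes last, on API routes.
declare(strict_types=1);

namespace App;

use Authentication\AuthenticationService;
use Authentication\AuthenticationServiceInterface;
use Authentication\AuthenticationServiceProviderInterface;
use Authentication\Middleware\AuthenticationMiddleware;
use Cake\Http\BaseApplication;
use Cake\Http\MiddlewareQueue;
use Cake\Routing\Middleware\RoutingMiddleware;
use Psr\Http\Message\ServerRequestInterface;

class Application extends BaseApplication implements AuthenticationServiceProviderInterface
{
    public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
    {
        return $middlewareQueue
            ->add(new RoutingMiddleware($this))
            // Authentication runs after routing, so route params are available to it.
            ->add(new AuthenticationMiddleware($this));
    }

    public function getAuthenticationService(ServerRequestInterface $request): AuthenticationServiceInterface
    {
        $fields = ['username' => 'email', 'password' => 'password'];   // assumed columns
        $path = $request->getUri()->getPath();

        if (strpos($path, '/api/') === 0) {
            // Stateless API: no session, no form. HttpBasic is the only, and therefore
            // last, authenticator, so a missing or wrong credential ends the request
            // with a 401 and a WWW-Authenticate challenge, which is what API clients expect.
            $service = new AuthenticationService();
            $service->loadIdentifier('Authentication.Password', ['fields' => $fields]);
            $service->loadAuthenticator('Authentication.HttpBasic', ['realm' => 'api']);

            return $service;
        }

        // Browser traffic: Session first, then the login Form. HttpBasic is left out
        // here on purpose; if it were loaded (even last), every unauthenticated page
        // view would be halted by a Basic challenge instead of redirected to the form.
        $service = new AuthenticationService([
            'unauthenticatedRedirect' => '/users/login',
            'queryParam' => 'redirect',
        ]);
        $service->loadIdentifier('Authentication.Password', ['fields' => $fields]);
        $service->loadAuthenticator('Authentication.Session');
        $service->loadAuthenticator('Authentication.Form', [
            'fields' => $fields,
            'loginUrl' => '/users/login',
        ]);

        return $service;
    }
}
```

If Basic must remain available on browser routes as well, keep it after Session and Form exactly as in the page's snippet; the halting behaviour then only affects requests that carried no session and no form credentials.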