Identifiers will identify an user or service based on the information
that was extracted from the request by the authenticators. Identifiers
can take options in the loadIdentifier
method. A holistic example of
using the Password Identifier looks like:
$service->loadIdentifier('Authentication.Password', [
'fields' => [
'username' => 'email',
'password' => 'passwd',
],
'resolver' => [
'className' => 'Authentication.Orm',
'userModel' => 'Users',
'finder' => 'active', // default: 'all'
],
'passwordHasher' => [
'className' => 'Authentication.Fallback',
'hashers' => [
'Authentication.Default',
[
'className' => 'Authentication.Legacy',
'hashType' => 'md5',
],
],
],
]);
The password identifier checks the passed credentials against a datasource.
Configuration options:
fields: The fields for the lookup. Default is
['username' => 'username', 'password' => 'password']
. You can
also set the username
to an array. For e.g. using
['username' => ['username', 'email'], 'password' => 'password']
will allow you to match value of either username or email columns.
resolver: The identity resolver. Default is
Authentication.Orm
which uses CakePHP ORM.
passwordHasher: Password hasher. Default is
DefaultPasswordHasher::class
.
Checks the passed token against a datasource.
Configuration options:
tokenField: The field in the database to check against. Default
is token
.
dataField: The field in the passed data from the authenticator.
Default is token
.
resolver: The identity resolver. Default is
Authentication.Orm
which uses CakePHP ORM.
hashAlgorithm: The algorithm used to hash the incoming token
with before compairing it to the tokenField
. Recommended value is
sha256
. Default is null
.
Checks the passed JWT token against a datasource.
Configuration options:
tokenField: The field in the database to check against. Default
is id
.
dataField: The payload key to get user identifier from. Default
is sub
.
resolver: The identity resolver. Default is
Authentication.Orm
which uses CakePHP ORM.
Checks the passed credentials against a LDAP server. This identifier requires the PHP LDAP extension.
Configuration options:
fields: The fields for the lookup. Default is
['username' => 'username', 'password' => 'password']
.
host: The FQDN of your LDAP server.
port: The port of your LDAP server. Defaults to 389
.
bindDN: The Distinguished Name of the user to authenticate. Must be a callable. Anonymous binds are not supported.
ldap: The extension adapter. Defaults to
\Authentication\Identifier\Ldap\ExtensionAdapter
. You can pass a
custom object/classname here if it implements the
AdapterInterface
.
tls
: Boolean. If true
, tries to start TLS on the connection.
Also LDAP config options such as
LDAP_OPT_PROTOCOL_VERSION
or LDAP_OPT_NETWORK_TIMEOUT
. See
php.net for more valid options.
Allows you to use a callback for identification. This is useful for simple identifiers or quick prototyping.
Configuration options:
callback: Default is null
and will cause an exception. You’re
required to pass a valid callback to this option to use the
authenticator.
Callback identifiers can either return null|ArrayAccess
for simple results,
or an Authentication\Authenticator\Result
if you want to forward error
messages:
// A simple callback identifier
$authenticationService->loadIdentifier('Authentication.Callback', [
'callback' => function($data) {
// do identifier logic
// Return an array of the identified user or null for failure.
if ($result) {
return $result;
}
return null;
},
]);
// Using a result object to return error messages.
$authenticationService->loadIdentifier('Authentication.Callback', [
'callback' => function($data) {
// do identifier logic
if ($result) {
return new Result($result, Result::SUCCESS);
}
return new Result(
null,
Result::FAILURE_OTHER,
['message' => 'Removed user.']
);
},
]);
Identity resolvers provide adapters for different datasources. They allow you to control which source identities are searched in. They are separate from the identifiers so that they can be swapped out independently from the identifier method (form, jwt, basic auth).
Identity resolver for the CakePHP ORM.
Configuration options:
userModel: The user model identities are located in. Default is
Users
.
finder: The finder to use with the model. Default is all
.
You can read more about model finders here.
In order to use ORM resolver you must require cakephp/orm
in your
composer.json
file (if you are not already using the full CakePHP framework).
Any ORM or datasource can be adapted to work with authentication by
creating a resolver. Resolvers must implement
Authentication\Identifier\Resolver\ResolverInterface
and should
reside under App\Identifier\Resolver
namespace.
Resolver can be configured using resolver
config option:
$service->loadIdentifier('Authentication.Password', [
'resolver' => [
// can be a full class name: \Some\Other\Custom\Resolver::class
'className' => 'MyResolver',
// Pass additional options to the resolver constructor.
'option' => 'value',
],
]);
Or injected using a setter:
$resolver = new \App\Identifier\Resolver\CustomResolver();
$identifier = $service->loadIdentifier('Authentication.Password');
$identifier->setResolver($resolver);