Identifiers will identify an user or service based on the information that was extracted from the request by the authenticators. Identifiers can take options in the loadIdentifier method. A holistic example of using the Password Identifier looks like:
$service->loadIdentifier('Authentication.Password', [
'fields' => [
'username' => 'email',
'password' => 'passwd',
],
'resolver' => [
'className' => 'Authentiation.Orm',
'finder' => 'active'
],
'passwordHasher' => [
'className' => 'Authentication.Fallback',
'hashers' => [
['Authentication.Default'],
[
'className' => 'Authentication.Legacy',
'hashType' => 'md5'
],
]
]
]);The password identifier checks the passed credentials against a datasource.
Configuration options:
- fields: The fields for the lookup. Default is
['username' => 'username', 'password' => 'password']. You can also set theusernameto an array. For e.g. using['username' => ['username', 'email'], 'password' => 'password']will allow you to match value of either username or email columns. - resolver: The identity resolver. Default is
Authentication.Ormwhich uses CakePHP ORM. - passwordHasher: Password hasher. Default is
DefaultPasswordHasher::class.
Checks the passed token against a datasource.
Configuration options:
- tokenField: The field in the database to check against. Default is
token. - dataField: The field in the passed data from the authenticator. Default is
token. - resolver: The identity resolver. Default is
Authentication.Ormwhich uses CakePHP ORM.
Checks the passed JWT token against a datasource.
- tokenField: The field in the database to check against. Default is
id. - dataField: The payload key to get user identifier from. Default is
sub. - resolver: The identity resolver. Default is
Authentication.Ormwhich uses CakePHP ORM.
Checks the passed credentials against a LDAP server. This identifier requires the PHP LDAP extension.
- fields: The fields for the lookup. Default is
['username' => 'username', 'password' => 'password']. - host: The FQDN of your LDAP server.
- port: The port of your LDAP server. Defaults to
389. - bindDN: The Distinguished Name of the user to authenticate. Must be a callable. Anonymous binds are not supported.
- ldap: The extension adapter. Defaults to
\Authentication\Identifier\Ldap\ExtensionAdapter. You can pass a custom object/classname here if it implements theAdapterInterface. - options: Additional LDAP options, like
LDAP_OPT_PROTOCOL_VERSIONorLDAP_OPT_NETWORK_TIMEOUT. See php.net for more valid options.
Allows you to use a callback for identification. This is useful for simple identifiers or quick prototyping.
Configuration options:
- callback: Default is
nulland will cause an exception. You're required to pass a valid callback to this option to use the authenticator.
Identity resolvers provide adapters for different datasources. They allow you to control which source identities are searched in. They are separate from the identifiers so that they can be swapped out independently from the identifier method (form, jwt, basic auth).
Identity resolver for the CakePHP ORM.
Configuration options:
- userModel: The user model identities are located in. Default is
Users. - finder: The finder to use with the model. Default is
all.
In order to use ORM resolver you must require cakephp/orm in your composer.json file.
Any ORM or datasource can be adapted to work with authentication by creating
a resolver. Resolvers must implement
Authentication\Identifier\Resolver\ResolverInterface and should reside under
App\Identifier\Resolver namespace.
Resolver can be configured using resolver config option:
$service->loadIdentifier('Authentication.Password', [
'resolver' => [
// can be a full class name: \Some\Other\Custom\Resolver::class
'className' => 'MyResolver',
// Pass additional options to the resolver constructor.
'option' => 'value'
]
]);Or injected using a setter:
$resolver = new \App\Identifier\Resolver\CustomResolver();
$identifier = $service->loadIdentifier('Authentication.Password');
$identifier->setResolver($resolver);