This repository has been archived by the owner on Jan 21, 2020. It is now read-only.
Implement per-API authentication #59
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Added a "map" key to the "authentication" subkey to allow mapping modules to specific authentication types.
Currently, authentication happens at 500 (499 for post-), which is before routing happens. Since versioning listens at -40, and authentication should happen earlier, moved to -25 (and -26 for post-).
The authentication map is a map of API/module => authentication type. This allows per-API authentication. However, in order to keep this backwards compatible with pre-1.1, the following scenarios needed to pass: - if - no authentication schemes are defined - do not perform authentication - if - a single authentication scheme is defined - and no map is present - use the defined authentication - if - multiple authentication schemes are defined - and no map is present - do not perform authentication - if - one or more authentication schemes are defined - and a map is present - and the current API/module does not have an entry in the map - do not perform authentication - if - one or more authentication schemes are defined - and a map is present - and the current API/module has an entry in the map - that does not match one of the authentication schemes - do not perform authentication - if - one or more authentication schemes are defined - and a map is present - and the current API/module has an entry in the map - that matches one of the authentication schemes - use the defined authentication This will keep current applications working, while simultaneously allowing them to start adopting the new mapping functionality. The admin API will soon be updated to write in this format, and will adapt an existing application to setup an authentication map for each defined API and version.
We allow "basic", "digest", or "oauth2" as map values.
Closed
weierophinney
changed the title
- [X] Implement custom authentication awareness
- [X] Create authentication adapter interface
- [X] Modify DefaultAuthenticationListener logic to delegate to adapters
- [X] `getTypeFromRequest()` to delegate to adapters for type, if none in authorization header
- [X] Call `preAuth()` on all adapters if no type found
- [X] Retrieve adapter by type and use it to authenticate
- [ ] Create functionality for determining configured types
- [X] Pull from configured adapters (delegator factories can be used to add more adapters, so pulling the service will allow querying adapters)
- [ ] Pull from a special configuration key
- allows proper deprecation of the old "setHttpAdapter" and "setOAuth2Server" methods, as users will now seamlessly be utilizing only adapters.
- Added `DefaultAuthenticationListener::addAuthenticationTypes`, with related tests.
New key, zf-mvc-auth.authentication.types, which should be an array of authentication type strings. The factory now picks up this value and passes it to the listener.
weierophinney
changed the title
|
@ezimuel This patch is now ready for review; includes tests and documentation! |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This patch provides the mechanics necessary to implement per-API authentication.
First, I've changed the priority at which each of the authentication and authentication.post events occur. Prior to these changes, they happened at 500 and 499, respectively; they now happen at -25 and -26 (i.e., after routing, but prior to other Apigility-related listeners).
Second, you can now create a "map" key in the "authentication" configuration. The value of this should be a set of API/module + version / authentication type pairs. As an example:
In the above, v2 of the "Status" module/API would use the configured OAuth2 authentication, v1 of the "Ping" module/API would use the configured HTTP Basic authentication, and v3 of the "Images" module/API woulduse the configured HTTP Digest authentication.
In order to retain backwards compatibility, the following rules apply:
All existing tests continue to pass, and tests were added for each of the above scenarios.
Allowing user-configured authentication types
One place this falls down is if a user has a custom authentication type, as currently that means they will not be able to specify their custom authentication type for an API/module. While we likely will not want to allow configuring custom adapters via the UI, having the UI aware of the type does make sense, as it allows mapping APIs to those types.
The best way to make this happen is to refactor the
DefaultAuthenticationListenerto be aware of authentication adapters. This approach would do the following:The proposed authentication adapter interface is:
The current logic specific to HTTP and OAuth2 authentication would be moved into discrete adapter implementations, and the
DefaultAuthenticationListenerFactorywould be updated to selectively create these adapters and attach them to the listener.For those wanting to use custom
authenticationevent listeners, we will provide a configuration key for specifying type names that these listeners support; however, the logic will be such that if no adapter can satisfy the type, aGuestIdentitywill be returned; it will be up to the custom listener to perform the appropriate checks to see if it should be used, and to return an identity following the authentication check.The
DefaultAuthenticationListenerwill be updated to add the following methods:Tasklist
getTypeFromRequest()to delegate to adapters for type, if none in authorization headerpreAuth()on all adapters if no type found