Authentication in Drupal 8
Juampy Novillo Requena
DrupalCamp Spain 2014
About me, @juampy72
Drupal 7 and 8 module
maintainer and core developer
Developer at Lullabot
Let's start by defining
Authentication and Authorization
Authentication
Show me your ID, sucker!
Authorization
403
None shall pass!!
As the Symfony book states...
http://symfony.com/doc/current/book/security.html
Authentication in Drupal 8
Drupal 8 implements a Modular Authentication
System.
Different Authentication Providers may ext...
Auth Providers in core
Cookie
Returns authenticated or anonymous user
depending on the presence of a cookie.
Basic Auth
Ch...
Basic Auth example
php > print base64_encode('test:test');
Cookie auth example
1. Obtain a cookie for a Drupal user. 2. Add the cookie id to the request.
https://drupal.org/node/207...
Auth Providers in contrib: OAuth
Supports OAuth 1.0a protocol (Twitter, Flickr).
No support for OAuth2 (Facebook) yet :-(
...
OAuth setup
OAuth example request
REQUEST
RESPONSE
https://drupal.org/project/guzzle_oauth
How does it work?
Client
Request
/latest-news
Authorization: Basic pvcGVuIHNlc2ZQ==
Server
Drupal bootstraps
Authentication Manager
$request...
Example: Basic Authentication class
Quick check to
see if we can
authenticate
If the above is
TRUE,
proceed and
attempt to...
Basic authentication service
This makes the class discoverable. Higher priority means that it will
try to authenticate bef...
Loading authentication providers
Examples
http://hillsidek9academy.com/wp-content/uploads/2013/12/dog-training.jpg
Authenticate an existing route
friendly_support module
Makes it impossible to send support requests by adding
HTTP authenti...
1. Extend RouteSubscriberBase
$provider is an identifier for a set of routes.
Normally it is the module name.
Here is where w...
2. Make the class a service
● Just add event_subscriber tag.
● RouteSubscriberBase takes care of the rest.
Change record
3. Install module and open /contact
We can do it from the route definition.
Authenticate a custom route
Allowed methods: Basic Authentication
This is part of ...
Authenticate a REST resource
Recommended read: REST: exposing data as RESTful web services
REST UI
REST UI offers site builders an
interface to set up a REST API,
including output formats and
authentication.
Authenticate a view
Authenticate a view through code
Authenticate a view through the UI
https://drupal.org/node/2228141
Views authentication example
How to help?
● Add flood support to OAuth
● Implement more Auth
Providers:
○ OAuth2
○ Digest Authentication
○ IP based aut...
Thanks! Questions?
about.me/juampy
@juampy72

Authentication in Drupal 8 - DrupalCamp Spain 2014


Published on

http://2014.drupalcamp.es/authentication-drupal-8

Published in: Internet, Technology
Authentication in Drupal 8 - DrupalCamp Spain 2014

  1. Authentication in Drupal 8 Juampy Novillo Requena DrupalCamp Spain 2014
  2. About me, @juampy72 Drupal 7 and 8 module maintainer and core developer Developer at Lullabot
  3. Let's start by defining Authentication and Authorization
  4. Authentication Show me your ID, sucker!
  5. Authorization 403 None shall pass!!
  6. As the Symfony book states... http://symfony.com/doc/current/book/security.html
  7. Authentication in Drupal 8 Drupal 8 implements a Modular Authentication System. Different Authentication Providers may extract a Drupal $user out of a given $request.
  8. Auth Providers in core Cookie Returns authenticated or anonymous user depending on the presence of a cookie. Basic Auth Checks if user & password are in the request headers and finds a matching user in the DB.
  9. Basic Auth example php > print base64_encode('test:test');
  10. Cookie auth example 1. Obtain a cookie for a Drupal user. 2. Add the cookie id to the request. https://drupal.org/node/2076725
  11. Auth Providers in contrib: OAuth Supports OAuth 1.0a protocol (Twitter, Flickr). No support for OAuth2 (Facebook) yet :-( Will be implemented at OAuth2 Server
  12. OAuth setup
  13. OAuth example request REQUEST RESPONSE https://drupal.org/project/guzzle_oauth
  14. How does it work?
  15. Client Request /latest-news Authorization: Basic pvcGVuIHNlc2ZQ== Server Drupal bootstraps Authentication Manager $request - Basic auth.apply() - Cookie.apply() $request Basic Auth.authenticate() $user Access Controllers (EntityaccessController, MenuAccessController...) Build response OK 200 - DrupalCamp Spain is a total success! - David Hernández scares the shit out of a bunch of kids with his Darth Vader's hoarse throat - Álvaro Hurtado disappointed the audience by not doing a striptease TRUE
  16. Client Request /latest-news Authorization: Basic pvcGVuIHNlc2ZQ== Server Drupal bootstraps Authentication Manager $request - Basic auth.apply() - Cookie.apply() $request Basic Auth.authenticate() $user Access Controllers (EntityaccessController, MenuAccessController...) Build response OK 200 - DrupalCamp Spain is a total success! - David Hernández scares the shit out of a bunch of kids with his Darth Vader's hoarse throat - Álvaro Hurtado disappointed the audience by not doing a striptease TRUE AUTHENTICATION AUTHORIZATION
  17. Example: Basic Authentication class Quick check to see if we can authenticate If the above is TRUE, proceed and attempt to extract a $user.
  18. Basic authentication service This makes the class discoverable. Higher priority means that it will try to authenticate before others The Authentication Manager looks for services tagged as authentication_provider
  19. Loading authentication providers
  20. Examples http://hillsidek9academy.com/wp-content/uploads/2013/12/dog-training.jpg
  21. Authenticate an existing route friendly_support module Makes it impossible to send support requests by adding HTTP authentication to the Contact form ;D
  22. 1. Extend RouteSubscriberBase $provider is an identifier for a set of routes. Normally it is the module name. Here is where we add authorization rules
  23. 2. Make the class a service ● Just add event_subscriber tag. ● RouteSubscriberBase takes care of the rest. Change record
  24. 3. Install module and open /contact
  25. We can do it from the route definition. Authenticate a custom route Allowed methods: Basic Authentication This is part of Authorization: only authenticated users can access.
  26. Authenticate a REST resource Recommended read: REST: exposing data as RESTful web services
  27. REST UI REST UI offers site builders an interface to set up a REST API, including output formats and authentication.
  28. Authenticate a view
  29. Authenticate a view through code
  30. Authenticate a view through the UI https://drupal.org/node/2228141
  31. Views authentication example
  32. How to help? ● Add flood support to OAuth ● Implement more Auth Providers: ○ OAuth2 ○ Digest Authentication ○ IP based authentication
  33. Thanks! Questions? about.me/juampy @juampy72
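
The provider chain from slides 15 to 18 (a quick apply() check, then authenticate() to extract a user, with higher-priority providers asked first), as an added PHP sketch that is not part of the original slides and is not Drupal core code. The interface and class names, the account and session stores, and the fallback to an anonymous user when the first applicable provider rejects the credentials are assumptions made for illustration.

```php
<?php
// Added illustration, not Drupal core code; every name below is hypothetical.
interface AuthProvider {
  public function apply(array $headers): bool;           // quick check
  public function authenticate(array $headers): ?string; // extract a user
}

class BasicAuth implements AuthProvider {
  private $accounts;  // constructed store: username => password hash
  public function __construct(array $accounts) { $this->accounts = $accounts; }
  public function apply(array $headers): bool {
    return stripos($headers['Authorization'] ?? '', 'Basic ') === 0;
  }
  public function authenticate(array $headers): ?string {
    // Strict mode rejects input that is not valid base64.
    $decoded = base64_decode(substr($headers['Authorization'], 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
      return null;
    }
    // Split on the first colon only: the password may contain colons.
    [$name, $pass] = explode(':', $decoded, 2);
    return password_verify($pass, $this->accounts[$name] ?? '') ? $name : null;
  }
}

class CookieAuth implements AuthProvider {
  private $sessions;  // constructed store: session id => username
  public function __construct(array $sessions) { $this->sessions = $sessions; }
  public function apply(array $headers): bool { return isset($headers['Cookie']); }
  public function authenticate(array $headers): ?string {
    return $this->sessions[$headers['Cookie']] ?? null;
  }
}

// Stand-in for the Authentication Manager: highest priority is asked first.
function authenticate_request(array $providers, array $headers): string {
  krsort($providers);
  foreach ($providers as $provider) {
    if ($provider->apply($headers)) {
      return $provider->authenticate($headers) ?? 'anonymous';
    }
  }
  return 'anonymous';
}

$providers = [
  100 => new BasicAuth(['test' => password_hash('test', PASSWORD_DEFAULT)]),
  0 => new CookieAuth(['SESS-constructed' => 'editor']),
];
$wrong = ['Authorization' => 'Basic ' . base64_encode('test:wrong')];
echo authenticate_request($providers, $wrong), "\n";
echo authenticate_request($providers, ['Cookie' => 'SESS-constructed']), "\n";
```

Whatever user comes out of this step is only an identity; the access controllers on slide 16 still decide whether that user gets the response or a 403.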
