authentication in drupal 8 - drupalcamp spain 2014

33
Authentication in Drupal 8 Juampy Novillo Requena DrupalCamp Spain 2014

Upload: juan-pablo-novillo-requena

Post on 23-Aug-2014

328 views

Category:

Internet


5 download

DESCRIPTION

http://2014.drupalcamp.es/authentication-drupal-8

TRANSCRIPT

Page 1: Authentication in Drupal 8 - DrupalCamp Spain 2014

Authentication in Drupal 8

Juampy Novillo Requena

DrupalCamp Spain 2014

Page 2: Authentication in Drupal 8 - DrupalCamp Spain 2014

About me, @juampy72Drupal 7 and 8 module maintainer and core developer

Developer at Lullabot

Page 3: Authentication in Drupal 8 - DrupalCamp Spain 2014

Let's start by defining Authentication and Authorization

Page 4: Authentication in Drupal 8 - DrupalCamp Spain 2014

Authentication

Show me your ID, sucker!

Page 5: Authentication in Drupal 8 - DrupalCamp Spain 2014

Authorization

403None shall pass!!

Page 6: Authentication in Drupal 8 - DrupalCamp Spain 2014

As the Symfony book states...

http://symfony.com/doc/current/book/security.html

Page 7: Authentication in Drupal 8 - DrupalCamp Spain 2014

Authentication in Drupal 8

Drupal 8 implements a Modular Authentication System.

Different Authentication Providers may extract a Drupal $user out of a given $request.

Page 8: Authentication in Drupal 8 - DrupalCamp Spain 2014

Auth Providers in core

CookieReturns authenticated or anonymous user depending on the presence of a cookie.

Basic AuthChecks if user & password are in the request headers and finds a matching user in the DB.

Page 9: Authentication in Drupal 8 - DrupalCamp Spain 2014

Basic Auth example

php > print base64_encode('test:test');

Page 10: Authentication in Drupal 8 - DrupalCamp Spain 2014

Cookie auth example1. Obtain a cookie for a Drupal user. 2. Add the cookie id to the request.

https://drupal.org/node/2076725

Page 11: Authentication in Drupal 8 - DrupalCamp Spain 2014

Auth Providers in contrib: OAuth

Supports OAuth 1.0a protocol (Twitter, Flickr).

No support for OAuth2 (Facebook) yet :-(

Will be implemented at OAuth2 Server

Page 12: Authentication in Drupal 8 - DrupalCamp Spain 2014

Oauth setup

Page 13: Authentication in Drupal 8 - DrupalCamp Spain 2014

OAuth example requestREQUEST

RESPONSE

https://drupal.org/project/guzzle_oauth

Page 14: Authentication in Drupal 8 - DrupalCamp Spain 2014

¿How does it work?

Page 15: Authentication in Drupal 8 - DrupalCamp Spain 2014

ClientRequest

/latest-newsAuthorization: Basic pvcGVuIHNlc2ZQ==

ServerDrupal bootstraps

Authentication Manager

$request

- Basic auth.apply() - Cookie.apply()

$request

Basic Auth.authenticate()

$user

Access Controllers (EntityaccessController, MenuAccessController...)

Build response

OK 200

- DrupalCamp Spain is a total success!- David Hernández scares the shit out of a bunch of kids with his Dark Vader's hoarse throat- Álvaro Hurtado disappointed the audience by not doing a striptease

TRUE

Page 16: Authentication in Drupal 8 - DrupalCamp Spain 2014

ClientRequest

/latest-newsAuthorization: Basic pvcGVuIHNlc2ZQ==

ServerDrupal bootstraps

Authentication Manager

$request

- Basic auth.apply() - Cookie.apply()

$request

Basic Auth.authenticate()

$user

Access Controllers (EntityaccessController, MenuAccessController...)

Build response

OK 200

- DrupalCamp Spain is a total success!- David Hernández scares the shit out of a bunch of kids with his Dark Vader's hoarse throat- Álvaro Hurtado disappointed the audience by not doing a striptease

TRUE

AUTHENTICATION

AUTHORIZATION

Page 17: Authentication in Drupal 8 - DrupalCamp Spain 2014

Example: Basic Authentication classQuick check tosee if we can authenticate

If the above isTRUE,

proceed andattempt to extract

a $user.

Page 18: Authentication in Drupal 8 - DrupalCamp Spain 2014

Basic authentication service

This makes the class discoverable. Higher priority means that it will try to authenticate before others

The Authentication Manager looks for services tagged as authentication_provider

Page 19: Authentication in Drupal 8 - DrupalCamp Spain 2014

Loading authentication providers

Page 20: Authentication in Drupal 8 - DrupalCamp Spain 2014

Examples

http://hillsidek9academy.com/wp-content/uploads/2013/12/dog-training.jpg

Page 21: Authentication in Drupal 8 - DrupalCamp Spain 2014

Authenticate an existing route

friendly_support module

Makes it impossible to send support requests by ading HTTP authentication to the Contact form ;D

Page 22: Authentication in Drupal 8 - DrupalCamp Spain 2014

1. Extend RouteSubscriberBase$provider is an identifier for a set of routes.

Normally is the module name.

Here is where weadd

authorizationrules

Page 23: Authentication in Drupal 8 - DrupalCamp Spain 2014

2. Make the class a service

● Just add event_subscriber tag.● RouteSubscriberBase takes care of the rest.

Change record

Page 24: Authentication in Drupal 8 - DrupalCamp Spain 2014

3. Install module and open /contact

Page 25: Authentication in Drupal 8 - DrupalCamp Spain 2014

We can do it from the route definition.

Authenticate a custom route

Allowed methods: Basic Authentication

This is part of Authorization: only authenticated users can access.

Page 26: Authentication in Drupal 8 - DrupalCamp Spain 2014

Authenticate a REST resource

Recommended read: REST: exposing data as RESTful web services

Page 27: Authentication in Drupal 8 - DrupalCamp Spain 2014

REST UI

REST UI offers site builders an interface to set up a REST API,including output formats andauthentication.

Page 28: Authentication in Drupal 8 - DrupalCamp Spain 2014

Authenticate a view

Page 29: Authentication in Drupal 8 - DrupalCamp Spain 2014

Authenticate a view trough code

Page 30: Authentication in Drupal 8 - DrupalCamp Spain 2014

Authenticate a view through the UI

https://drupal.org/node/2228141

Page 31: Authentication in Drupal 8 - DrupalCamp Spain 2014

Views authentication example

Page 32: Authentication in Drupal 8 - DrupalCamp Spain 2014

How to help?

● Add flood support to OAuth● Implement more Auth

Providers:○ OAuth2○ Digest Authentication○ IP based authentication