RFC - Add AuthService class.
Closed this issue · 2 comments
The guts of the authentication process should be moved from middleware to a service class. The middleware should simply use the service class to get the identity and set it as a Request attribute. I think the service class instance should also be set as a Request class attribute to allow controllers to perform operations like logout.
OK. How do we deal with checking against multiple authenticators? We will return a result object that holds the result and status. But what do we return if we checked against multiple - if we want to keep that at all. Or do we want to implement the object as an iterator so we can do something like:
while (!$auth->authenticate()) { /*...*/ };
This also brings up the question if we want to run over all configured authenticators or stop as soon as the first one matched.
Do we really want to have Authentication and Authorization in the same plugin? I think they're both different things and could go into different plugins.
Setting a request attribute is planned, I'm just waiting for @markstory to finish his work on the request class. https://github.com/php-fig/http-message/blob/master/src/ServerRequestInterface.php attributes are only defined as getters in the interface here. So I guess we need a setter for the auth object.
The ServerRequestInterface interface implementation is complete now on 3.next. You should be able to use withAttribute() to set the currently logged in user.
Do we really want to have Authentication and Authorization in the same plugin? I think they're both different things and could go into different plugins.
I'm not sure you would want to provide a gamut of authorization implementations, but providing the hooks to plug one in makes sense.
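
The design discussed in this thread, as an added sketch that is not code from the plugin or from any participant: a service holds the authentication logic and returns a result object, and the middleware only attaches the identity and the service to the request with withAttribute(). `Result`, `AuthService`, `FakeRequest`, `authMiddleware` and the attribute names are hypothetical, and stopping at the first matching authenticator is an assumption, one of the two options raised above.

```php
<?php
// Added sketch; all class and attribute names are hypothetical, not the plugin's API.
final class Result {
    public function __construct(public ?array $identity, public array $errors = []) {}
    public function isValid(): bool { return $this->identity !== null; }
}

// Minimal stand-in for a PSR-7 ServerRequest: immutable, changed only via withAttribute().
final class FakeRequest {
    public function __construct(public array $headers = [], private array $attrs = []) {}
    public function withAttribute(string $name, $value): self {
        $copy = clone $this;
        $copy->attrs[$name] = $value;
        return $copy;
    }
    public function getAttribute(string $name, $default = null) { return $this->attrs[$name] ?? $default; }
}

final class AuthService {
    /** @param array<string, callable> $authenticators name => fn(FakeRequest): ?array */
    public function __construct(private array $authenticators) {}

    // Assumption: try authenticators in configured order and stop at the first match.
    public function authenticate(FakeRequest $request): Result {
        $errors = [];
        foreach ($this->authenticators as $name => $authenticator) {
            $identity = $authenticator($request);
            if ($identity !== null) {
                return new Result($identity);
            }
            $errors[] = "$name: no valid credentials";
        }
        return new Result(null, $errors); // fail closed: no authenticator matched
    }
}

// The middleware only delegates, then exposes identity and service on the request.
function authMiddleware(FakeRequest $request, AuthService $service): FakeRequest {
    $result = $service->authenticate($request);
    return $request->withAttribute('identity', $result->identity)
                   ->withAttribute('authentication', $service);
}

// Constructed input: the token check fails, so the session authenticator decides.
$service = new AuthService([
    'token'   => fn($r) => hash_equals('constructed-token', $r->headers['X-Token'] ?? '') ? ['id' => 1] : null,
    'session' => fn($r) => hash_equals('sid=constructed', $r->headers['Cookie'] ?? '') ? ['id' => 2] : null,
]);
$request = authMiddleware(new FakeRequest(['X-Token' => 'wrong', 'Cookie' => 'sid=constructed']), $service);
var_dump($request->getAttribute('identity'), $request->getAttribute('authentication') === $service);
```

With a real PSR-7 request the stand-in class goes away, since `withAttribute()` and `getAttribute()` are part of `ServerRequestInterface`.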