Class AuthenticationService

Authentication Service

Namespace: Authentication

Property Summary

$_authenticators protected

?AuthenticatorCollection

Authenticator collection
$_config protected

array<string, mixed>

Runtime config
$_configInitialized protected

bool

Whether the config property has already been configured with defaults
$_defaultConfig protected

array<string, mixed>

Default configuration
$_result protected

?ResultInterface

Result of the last authenticate() call.
$_successfulAuthenticator protected

?AuthenticatorInterface

Authenticator that successfully authenticated the identity.

Method Summary

__construct() public

Constructor
_configDelete() protected

Deletes a single config key.
_configRead() protected

Reads a config key.
_configWrite() protected

Writes a config key.
authenticate() public

Authenticate the request against the configured authentication adapters.
authenticators() public

Access the authenticator collection
buildIdentity() public

Builds the identity object
clearIdentity() public

Clears the identity from authenticators that store them and the request
configShallow() public

Merge provided config with existing config. Unlike config() which does a recursive merge for nested keys, this method does a simple merge.
deleteConfig() public

Deletes a config key.
getAuthenticationProvider() public

Gets the successful authenticator instance if one was successful after calling authenticate.
getConfig() public

Returns the config.
getConfigOrFail() public

Returns the config for this specific key.
getIdentificationProvider() public

Convenient method to gets the successful identifier instance.
getIdentity() public

Gets an identity object
getIdentityAttribute() public

Return the name of the identity attribute.
getImpersonationProvider() protected

Get impersonation provider
getLoginRedirect() public

Return the URL that an authenticated user came from or null.
getResult() public

Gets the result of the last authenticate() call.
getUnauthenticatedRedirectUrl() public

Return the URL to redirect unauthenticated users to.
impersonate() public

Impersonate a user
isImpersonating() public

Returns true if impersonation is being done
loadAuthenticator() public

Loads an authenticator.
persistIdentity() public

Sets identity data and persists it in the authenticators that support it.
setConfig() public

Sets the config.
stopImpersonating() public

Stops impersonation
validateRedirect() protected

Validates a redirect URL to prevent loops and malicious patterns

Method Detail

__construct() ¶ public

__construct(array<string, mixed> $config = [])

Constructor

Parameters

array<string, mixed> $config optional: Configuration options.

_configDelete() ¶ protected

_configDelete(string $key): void

Deletes a single config key.

Parameters

string $key: Key to delete.

Returns

void

Throws

Cake\Core\Exception\CakeException
if attempting to clobber existing config

_configRead() ¶ protected

_configRead(string|null $key): $key is null ? array : mixed

Reads a config key.

Parameters

string|null $key: Key to read.

Returns

$key is null ? array : mixed

_configWrite() ¶ protected

_configWrite(array<string, mixed>|string $key, mixed $value, string|bool $merge = false): void

Writes a config key.

Parameters

array<string, mixed>|string $key: Key to write to.
mixed $value: Value to write.
string|bool $merge optional: True to merge recursively, 'shallow' for simple merge, false to overwrite, defaults to false.

Returns

void

Throws

Cake\Core\Exception\CakeException
if attempting to clobber existing config

authenticate() ¶ public

authenticate(Psr\Http\Message\ServerRequestInterface $request): Authentication\Authenticator\ResultInterface

Authenticate the request against the configured authentication adapters.

Parameters

Psr\Http\Message\ServerRequestInterface $request: The request.

Returns

Authentication\Authenticator\ResultInterface

The result object. If none of the adapters was a success the last failed result is returned.

Throws

RuntimeException
Throws a runtime exception when no authenticators are loaded.

authenticators() ¶ public

authenticators(): Authentication\Authenticator\AuthenticatorCollection

Access the authenticator collection

Returns

Authentication\Authenticator\AuthenticatorCollection

buildIdentity() ¶ public

buildIdentity(ArrayAccess<string, mixed>|array<string, mixed> $identityData): Authentication\IdentityInterface

Builds the identity object

Parameters

ArrayAccess<string, mixed>|array<string, mixed> $identityData: Identity data

Returns

Authentication\IdentityInterface

clearIdentity() ¶ public

clearIdentity(Psr\Http\Message\ServerRequestInterface $request, Psr\Http\Message\ResponseInterface $response): array

Clears the identity from authenticators that store them and the request

Parameters

Psr\Http\Message\ServerRequestInterface $request: The request.
Psr\Http\Message\ResponseInterface $response: The response.

Returns

array

Return an array containing the request and response objects.

configShallow() ¶ public

configShallow(array<string, mixed>|string $key, mixed|null $value = null): $this

Merge provided config with existing config. Unlike config() which does a recursive merge for nested keys, this method does a simple merge.

Setting a specific value:

$this->configShallow('key', $value);

Setting a nested value:

$this->configShallow('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->configShallow(['one' => 'value', 'another' => 'value']);

Parameters

array<string, mixed>|string $key: The key to set, or a complete array of configs.
mixed|null $value optional: The value to set.

Returns

$this

deleteConfig() ¶ public

deleteConfig(string $key): $this

Deletes a config key.

Parameters

string $key: Key to delete. It can be a dot separated string to delete nested keys.

Returns

$this

getAuthenticationProvider() ¶ public

getAuthenticationProvider(): Authentication\Authenticator\AuthenticatorInterface|null

Gets the successful authenticator instance if one was successful after calling authenticate.

Returns

Authentication\Authenticator\AuthenticatorInterface|null

getConfig() ¶ public

getConfig(string|null $key = null, mixed $default = null): $key is null ? array : mixed

Returns the config.

Usage

Reading the whole config:

$this->getConfig();

Reading a specific value:

$this->getConfig('key');

Reading a nested value:

$this->getConfig('some.nested.key');

Reading with default value:

$this->getConfig('some-key', 'default-value');

Parameters

string|null $key optional: The key to get or null for the whole config.
mixed $default optional: The return value when the key does not exist.

Returns

$key is null ? array : mixed

Configuration data at the named key or null if the key does not exist.

getConfigOrFail() ¶ public

getConfigOrFail(string $key): mixed

Returns the config for this specific key.

The config value for this key must exist, it can never be null.

Parameters

string $key: The key to get.

Returns

mixed

Configuration data at the named key

Throws

InvalidArgumentException

getIdentificationProvider() ¶ public

getIdentificationProvider(): Authentication\Identifier\IdentifierInterface|null

Convenient method to gets the successful identifier instance.

Returns

Authentication\Identifier\IdentifierInterface|null

getIdentity() ¶ public

getIdentity(): Authentication\IdentityInterface|null

Gets an identity object

Returns

Authentication\IdentityInterface|null

getIdentityAttribute() ¶ public

getIdentityAttribute(): string

Return the name of the identity attribute.

Returns

string

getImpersonationProvider() ¶ protected

getImpersonationProvider(): Authentication\Authenticator\ImpersonationInterface

Get impersonation provider

Returns

Authentication\Authenticator\ImpersonationInterface

Throws

InvalidArgumentException

getLoginRedirect() ¶ public

getLoginRedirect(Psr\Http\Message\ServerRequestInterface $request): string|null

Return the URL that an authenticated user came from or null.

This reads from the URL parameter defined in the queryParam option. Will return null if this parameter doesn't exist or is invalid.

Parameters

Psr\Http\Message\ServerRequestInterface $request: The request

Returns

string|null

getResult() ¶ public

getResult(): Authentication\Authenticator\ResultInterface|null

Gets the result of the last authenticate() call.

Returns

Authentication\Authenticator\ResultInterface|null

Authentication result interface

getUnauthenticatedRedirectUrl() ¶ public

getUnauthenticatedRedirectUrl(Psr\Http\Message\ServerRequestInterface $request): string|null

Return the URL to redirect unauthenticated users to.

If the unauthenticatedRedirect option is not set, this method will return null.

If the queryParam option is set a query parameter will be appended with the denied URL path.

Parameters

Psr\Http\Message\ServerRequestInterface $request: The request

Returns

string|null

impersonate() ¶ public

impersonate(Psr\Http\Message\ServerRequestInterface $request, Psr\Http\Message\ResponseInterface $response, ArrayAccess<string, mixed> $impersonator, ArrayAccess<string, mixed> $impersonated): array{request: \Psr\Http\Message\ServerRequestInterface, response: \Psr\Http\Message\ResponseInterface}

Impersonate a user

Parameters

Psr\Http\Message\ServerRequestInterface $request: The request
Psr\Http\Message\ResponseInterface $response: The response
ArrayAccess<string, mixed> $impersonator: User who impersonates
ArrayAccess<string, mixed> $impersonated: User impersonated

Returns

array{request: \Psr\Http\Message\ServerRequestInterface, response: \Psr\Http\Message\ResponseInterface}

isImpersonating() ¶ public

isImpersonating(Psr\Http\Message\ServerRequestInterface $request): bool

Returns true if impersonation is being done

Parameters

Psr\Http\Message\ServerRequestInterface $request: The request

Returns

bool

loadAuthenticator() ¶ public

loadAuthenticator(string $name, array<string, mixed> $config = []): Authentication\Authenticator\AuthenticatorInterface

Loads an authenticator.

Parameters

string $name: Name or class name.
array<string, mixed> $config optional: Authenticator configuration.

Returns

Authentication\Authenticator\AuthenticatorInterface

persistIdentity() ¶ public

persistIdentity(Psr\Http\Message\ServerRequestInterface $request, Psr\Http\Message\ResponseInterface $response, ArrayAccess<string, mixed>|array<string, mixed> $identity): array{request: \Psr\Http\Message\ServerRequestInterface, response: \Psr\Http\Message\ResponseInterface}

Sets identity data and persists it in the authenticators that support it.

Parameters

Psr\Http\Message\ServerRequestInterface $request: The request.
Psr\Http\Message\ResponseInterface $response: The response.
ArrayAccess<string, mixed>|array<string, mixed> $identity: Identity data.

Returns

array{request: \Psr\Http\Message\ServerRequestInterface, response: \Psr\Http\Message\ResponseInterface}

setConfig() ¶ public

setConfig(array<string, mixed>|string $key, mixed|null $value = null, bool $merge = true): $this

Sets the config.

Usage

Setting a specific value:

$this->setConfig('key', $value);

Setting a nested value:

$this->setConfig('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->setConfig(['one' => 'value', 'another' => 'value']);

Parameters

array<string, mixed>|string $key: The key to set, or a complete array of configs.
mixed|null $value optional: The value to set.
bool $merge optional: Whether to recursively merge or overwrite existing config, defaults to true.

Returns

$this

Throws

Cake\Core\Exception\CakeException
When trying to set a key that is invalid.

stopImpersonating() ¶ public

stopImpersonating(Psr\Http\Message\ServerRequestInterface $request, Psr\Http\Message\ResponseInterface $response): array{request: \Psr\Http\Message\ServerRequestInterface, response: \Psr\Http\Message\ResponseInterface}

Stops impersonation

Parameters

Psr\Http\Message\ServerRequestInterface $request: The request
Psr\Http\Message\ResponseInterface $response: The response

Returns

array{request: \Psr\Http\Message\ServerRequestInterface, response: \Psr\Http\Message\ResponseInterface}

validateRedirect() ¶ protected

validateRedirect(string $redirect): string|null

Validates a redirect URL to prevent loops and malicious patterns

This method can be overridden in subclasses to implement custom validation logic.

Parameters

string $redirect: The redirect URL to validate

Returns

string|null

The validated URL or null if invalid

Property Detail

`$_authenticators` ¶ protected

Authenticator collection

Type

?AuthenticatorCollection

`$_config` ¶ protected

Runtime config

Type

array<string, mixed>

`$_configInitialized` ¶ protected

Whether the config property has already been configured with defaults

Type

bool

`$_defaultConfig` ¶ protected

Default configuration

authenticators - An array of authentication objects to use for authenticating users. You can configure multiple adapters and they will be checked sequentially when users are identified. Each authenticator config can specify its own identifier.
identityClass - The class name of identity or a callable identity builder.
identityAttribute - The request attribute used to store the identity. Default to identity.
unauthenticatedRedirect - The URL to redirect unauthenticated errors to. See AuthenticationComponent::allowUnauthenticated()
queryParam - The name of the query string parameter containing the previously blocked URL in case of unauthenticated redirect, or null to disable appending the denied URL.
redirectValidation - Configuration for validating redirect URLs to prevent loops. See below.

Redirect Validation Configuration:

'redirectValidation' => [
    'enabled' => true,              // Enable validation (default: false for BC)
    'maxDepth' => 1,                // Max nested "redirect=" parameters (default: 1)
    'maxEncodingLevels' => 1,       // Max percent-encoding levels (default: 1)
    'maxLength' => 2000,            // Max URL length in characters (default: 2000)
]

Example:

$service = new AuthenticationService([
   'authenticators' => [
       'Authentication.Form' => [
           'identifier' => 'Authentication.Password',
       ],
   ],
]);

Type

array<string, mixed>

`$_result` ¶ protected

Result of the last authenticate() call.

Type

?ResultInterface

`$_successfulAuthenticator` ¶ protected

Authenticator that successfully authenticated the identity.

Type

?AuthenticatorInterface

Namespaces

Class AuthenticationService

Property Summary

Method Summary

__construct() public

_configDelete() protected

_configRead() protected

_configWrite() protected

authenticate() public

authenticators() public

buildIdentity() public

clearIdentity() public

configShallow() public

deleteConfig() public

getAuthenticationProvider() public

getConfig() public

getConfigOrFail() public

getIdentificationProvider() public

getIdentity() public

getIdentityAttribute() public

getImpersonationProvider() protected

getLoginRedirect() public

getResult() public

getUnauthenticatedRedirectUrl() public

impersonate() public

isImpersonating() public

loadAuthenticator() public

persistIdentity() public

setConfig() public

stopImpersonating() public

validateRedirect() protected

Method Detail

__construct() ¶ public

Parameters

_configDelete() ¶ protected

Parameters

Returns

Throws

_configRead() ¶ protected

Parameters

Returns

_configWrite() ¶ protected

Parameters

Returns

Throws

authenticate() ¶ public

Parameters

Returns

Throws

authenticators() ¶ public

Returns

buildIdentity() ¶ public

Parameters

Returns

clearIdentity() ¶ public

Parameters

Returns

configShallow() ¶ public

Parameters

Returns

deleteConfig() ¶ public

Parameters

Returns

getAuthenticationProvider() ¶ public

Returns

getConfig() ¶ public

Usage

Parameters

Returns

getConfigOrFail() ¶ public

Parameters

Returns

Throws

getIdentificationProvider() ¶ public

Returns

getIdentity() ¶ public

Returns

getIdentityAttribute() ¶ public

Returns

getImpersonationProvider() ¶ protected

`$_authenticators` ¶ protected

`$_config` ¶ protected

`$_configInitialized` ¶ protected

`$_defaultConfig` ¶ protected

`$_result` ¶ protected

`$_successfulAuthenticator` ¶ protected