Authentication API overview

The Authentication API is new in Drupal 8.   

API features

Ordered by most to least frequently used APIs:

Authentication provider services

Implement \Drupal\Core\Authentication\AuthenticationProviderInterface and use the 'authentication_provider' service tag.

_auth option on routes

The default authentication manager (see below) enables developers to limit the set of allowed authentication mechanisms to the specified subset by specifying _auth in a route's options.
Example: _auth: ['basic_auth', 'cookie']

Note that this does not limit the authentication methods that will initially be applied to the request. Rather, it will deny requests for which successful authentication was performed using a method not listed.

Authentication manager

The authentication manager (\Drupal\Core\Authentication\AuthenticationManager) calls the different authentication provider services based on each service's priority.

The manager can be overridden for very advanced use cases; 99.9% of the time the default implementation should be sufficient.

Useful Interfaces

Drupal provides 2 additional Interfaces for advanced authentication use cases.

• \Drupal\Core\Authentication\AuthenticationProviderFilterInterface - This is helpful if you only want your Authentication provider to be used for certain routes and allows you to RouteMatch the request and check the route object for the options.

• \Drupal\Core\Authentication\AuthenticationProviderChallengeInterface - This allows you to generate a challenge when access is denied for unauthenticated users. This is used by the Basic Auth module.

See also

• Routing API
• RESTful Web Services API
• The original change notice that introduced this API: Modular authentication system
• Related contributed module: OAuth
• Related contributed module: Simple OAuth (OAuth 2.0 Bearer Token)
• Related contributed module: OAuth2 Server
• Related contributed module: IP
• Related contributed module: OAuth2 JWT SSO
• Related contributed module: Key auth