From Work with David Strauss in Barcelona

Basics

  • Start from 7.x-2.x or 7.x-3.x? used: 2.x
  • Which JWT library (compatible with d.o PHP)? used: "lcobucci/jwt": "~3.0"
  • Create 4.x series
  • Add the Composer-based dependency to the project
  • Jointly support old hashes and JWT for a transition?

important notes:

  • d.o on PHP 5.3, moving to 5.4, then 5.5 soon
  • groups.drupal.org (D6) being retired at ~3 month D6 EOL

Progression

  • Convert existing bespoke serialization and hash to JWT
  • Convert more elements to rely on pure JWT
  • Split token into a primary session and an extension. Both are required for a valid session.
  • Have only the master issue the primary session
  • Add JWT to D6 module (optional - depends on g.d.o and qa.d.o retirement)
  • Port module to D8 with only JWT support

Test scenarios

1) Valid Drupal session cookie, no bakery cookie, admin account: not logged out
2) Valid Drupal session cookie, no bakery cookie, not admin account: logged out
3) Valid bakery cookie, no Drupal session: Drupal session created, bakery cookie updated
4) Valid bakery cookie, valid Drupal session: bakery cookie updated
5) Invalid bakery cookie (multiple variants): logged out
6) Slave site, attempt at account/profile management, non-admin: redirect to master site
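The primary/extension split from the progression list and scenarios 1 through 5 above, as an added example written for this issue, not code from the Bakery module or from lcobucci/jwt. It uses the lcobucci/jwt ~3.0 API named in the basics list (Builder, Parser, HMAC Sha256 signer, ValidationData). The claim names (type, uid, name), the issuer strings, the "bakery" audience, the shared-key placeholder and the decision labels returned by bakery_decide() are assumptions made for the example.

```php
<?php
// Added example, not Bakery module code. A JWT-based bakery cookie built with
// lcobucci/jwt ~3.0, split into a primary token (issued only by the master) and
// an extension token; both must validate and name the same account. The final
// function applies test scenarios 1-5.
// Assumed: claim names, issuer strings, the 'bakery' audience, the key placeholder.
require __DIR__ . '/vendor/autoload.php';

use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Parser;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Lcobucci\JWT\ValidationData;

const BAKERY_MASTER_ISSUER = 'drupal.org';            // assumed issuer id of the master
const BAKERY_SHARED_KEY    = 'PLACEHOLDER-bakery-key'; // placeholder; use the real shared secret

/**
 * Issue one token. $type is 'primary' (master only) or 'extension'.
 */
function bakery_issue_token($issuer, $type, $uid, $name, $now, $ttl) {
  $builder = new Builder();
  $builder->setIssuer($issuer)
    ->setAudience('bakery')
    ->setIssuedAt($now)
    ->setNotBefore($now)
    ->setExpiration($now + $ttl)
    ->set('type', $type)
    ->set('uid', $uid)
    ->set('name', $name)
    ->sign(new Sha256(), BAKERY_SHARED_KEY);
  return (string) $builder->getToken();
}

/**
 * Validate one token. Returns the claims, or NULL on any failure: malformed
 * string, missing or bad signature, wrong audience, outside nbf/exp, wrong
 * 'type', or a primary token whose issuer is not the master.
 */
function bakery_validate_token($jwt, $expected_type, $now) {
  try {
    $token = (new Parser())->parse((string) $jwt);
  }
  catch (\Exception $e) {
    return NULL;   // unparsable cookie value is one of the "invalid" variants
  }
  if (!$token->verify(new Sha256(), BAKERY_SHARED_KEY)) {
    return NULL;   // tampered payload, unsigned token, or wrong key
  }
  $data = new ValidationData($now);   // checks iat/nbf/exp against $now
  $data->setAudience('bakery');
  if ($expected_type === 'primary') {
    $data->setIssuer(BAKERY_MASTER_ISSUER);   // only the master issues primary sessions
  }
  if (!$token->validate($data) || $token->getClaim('type', NULL) !== $expected_type) {
    return NULL;
  }
  return array('uid' => $token->getClaim('uid', NULL), 'name' => $token->getClaim('name', NULL));
}

/**
 * Both tokens are required for a valid session and must name the same account.
 */
function bakery_session_from_tokens($primary, $extension, $now) {
  $p = bakery_validate_token($primary, 'primary', $now);
  $e = bakery_validate_token($extension, 'extension', $now);
  if ($p === NULL || $e === NULL || $p['uid'] !== $e['uid']) {
    return NULL;
  }
  return $p;
}

/**
 * Decision for one request, following test scenarios 1-5.
 */
function bakery_decide($has_drupal_session, $is_admin, $primary, $extension, $now) {
  if ($primary === NULL && $extension === NULL) {
    return $is_admin ? 'keep-session' : 'logout';   // scenarios 1 and 2: no bakery cookie
  }
  if (bakery_session_from_tokens($primary, $extension, $now) === NULL) {
    return 'logout';                                // scenario 5: invalid bakery cookie
  }
  return $has_drupal_session ? 'refresh-cookie' : 'create-session';   // scenarios 4 and 3
}

// Constructed demo values, including three invalid-cookie variants.
$now = time();
$primary   = bakery_issue_token(BAKERY_MASTER_ISSUER, 'primary', 42, 'alice', $now, 3600);
$extension = bakery_issue_token('groups.drupal.org', 'extension', 42, 'alice', $now, 600);
$forged    = bakery_issue_token('groups.drupal.org', 'primary', 42, 'alice', $now, 3600);
var_dump(bakery_decide(FALSE, FALSE, $primary, $extension, $now));          // no Drupal session
var_dump(bakery_decide(TRUE, FALSE, $primary, $extension, $now));           // session present
var_dump(bakery_decide(TRUE, FALSE, $forged, $extension, $now));            // primary from a slave
var_dump(bakery_decide(TRUE, FALSE, $primary . 'x', $extension, $now));     // tampered signature
var_dump(bakery_decide(TRUE, FALSE, $primary, $extension, $now + 7200));    // expired
var_dump(bakery_decide(TRUE, TRUE, NULL, NULL, $now));                      // admin, no cookie
```

One caveat on "have only the master issue the primary session": with a single HMAC key shared by all sites, the issuer check above is policy rather than proof, because any site holding the key can mint a token that claims the master as issuer. Enforcing it cryptographically means signing primary tokens with a key only the master holds (lcobucci/jwt 3.x ships RSA and ECDSA signers) and distributing only the public key to slave sites; the extension token can keep a per-site or shared key.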

Cross-domain auto-login:
1. Check whether the user is locally logged in.
2. If not, load JS from d.o.
3. The JS checks if the user is logged into d.o.
4. If logged into d.o, do an OpenID Connect/OAuth 2.0 bounce.

Comments

pwolanin created an issue.

drumm:

Drupal.org now uses composer_manager; using that to get the JWT library is now preferred.