Download the PHP package zozlak/auth without Composer
On this page you can find all versions of the php package zozlak/auth. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Package auth
Short Description Very simple yet flexible authentication framework
License MIT
Homepage https://github.com/zozlak/auth
FAQ
Example:
In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
- Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
- To use Composer is sometimes complicated. Especially for beginners.
- Composer needs much resources. Sometimes they are not available on a simple webspace.
- If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
- Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Informations about the package auth
Auth
A simple yet flexible library for authenticating against different providers.
Currently supported authorization providers:
- HTTP basic
- HTTP digest
- user login and data fetched from HTTP headers (e.g. when set by Shibboleth)
- Google access_token
- fixed data (e.g. a fallback guest user)
Currently supported users database backends:
- PDO
Usage
Simple example trying to authenticate with Google, then with HTTP basic and finally using a fixed
zzz user as a fallback.
Combining many authentication methods
Chaining many authentication methods is easy until it's only checking credentials provided by a client in his request.
The problem starts when request contains no (valid) credentials and we want to explicitely ask user to include them. The problem is in most cases we can advertise only one auth method at once. This is because different auth methods use conflicting advertisment mechanism, e.g.
- all OAuth2 (Google, etc.) and SAML (Shibboleth) methods use a
Locationheader to redirect user to a login page and we can't return many redirects to different locations in one response - presence of an HTTP Basic or HTTP Digest auth header in a response forces all GUI clients to prompt user for login and password and skip the rest of a response
Control over advertising auth methods is provided in the following way:
- You can assign each method in the chain one of three advertisment levels:
AuthMethod::ADVERTISE_NONEauth method is never advertisedAuthMethod::ADVERTISE_ONCEauth method is advertised only if a request contained no credentials for this method (and if a request contained wrong credentials for this method, the method is not advertised again)AuthMethod::ADVERTISE_ALWAYSauth method is always advertised
- When you call the
AutController::advertise()method a first auth method in the chain which fulfills its advertisment conditions is advertised.
You assigne the advertisment level when adding it to the auth chain using the second parameter
of the AutController::addMethod(AuthMethodInterface $method, int $advertise) method.
By default it's AuthMethod::ADVERTISE_NONE
Remember Guest, GoogleToken and TrustedHeaders don't support advertisment.
HTTP Digest method
HTTP Digest is difficult to combine with any other auth method. Unlike other methods the HTTP Digest has to be advertised to the client before his request so he can prepare valid credentials. And once it is advertised all GUI clients (most notably web browsers) will keep asking user for a login and password until valid ones are provided making it impossible to use any other authentication method.
(Poor) workarounds for this problem are:
- Putting HTTP Digest at the end of the auth chain allowing any other auth method to be checked first.
- Setting up HTTP Digest provider's advertise setting to
ADVERTISE_ONCE. In such a case it will be advertised only when a client doesn't provide HTTP Digest credentials in his request and if credentials are provided (no matter if they are good or wrong) the HTTP Digest method won't be advertised again. It allows to resolve auth providers staying after the HTTP Digest in the auth chain at the cost of giving user only one chance to input a correct login and password.
