Advanced Authentication and Authorization
Modules & Components
Authentication is provided via the Zend\Authentication component, authorization via the
Zend\Permissions components, and MVC bindings are provided via the
zf-mvc-auth module. This module's purpose is
to deliver a generalized solution that adds events, services, and models into the Zend Framework 2 MVC
lifecycle that can be utilized to simplify both authentication and authorization.
Events
In order to achieve integration to the ZF2 MVC lifecycle for authentication, zf-mvc-auth wires in
4 listeners that then propagate their own events. Each of these listeners are registered within the
event MvcEvent::EVENT_ROUTE at different priorities. This table describes the new event
names:
zf-mvc-auth event |
MVC event in which triggered | MVC event priority |
|---|---|---|
EVENT_AUTHENTICATION |
EVENT_ROUTE |
500 |
EVENT_AUTHENTICATION_POST |
EVENT_ROUTE |
499 |
(The first column are event constants from ZF\MvcAuth\MvcAuthEvent; the second are event constants
from Zend\Mvc\MvcEvent.)
As you can tell from their priorities, authentication happens before routing. There are effectively two listeners that deal with authentication related workflows:
-
ZF\MvcAuth\Authentication\DefaultAuthenticationListeneris registered to listen to the eventZF\MvcAuth\MvcAuthEvent::EVENT_AUTHENTICATION. This listener is generally responsible for (a) determining the kind of authentication that needs to take place, whether it is HTTP Basic, HTTP Digest, or OAuth2; and (b) authenticating the provided identity. It then assigns the discovered identity (either aZF\MvcAuth\AuthenticatedIdentityon success, orGuestIdentityif no credentials were provided) to theMvcAuthEvent. -
ZF\MvcAuth\Authentication\DefaultPostAuthenticationListeneris registered to listen to the eventZF\MvcAuth\MvcAuthEvent::EVENT_AUTHENTICATION_POST. This listener is responsible for determining if some identity was presented by the client, and if it was successfully authenticated. If it was not, this listener will inject a401 Unauthorizedstatus code to the current HTTP response object and return it, ending the request.
zf-mvc-auth event |
MVC event in which triggered | MVC event priority |
|---|---|---|
EVENT_AUTHORIZATION |
EVENT_ROUTE |
-600 |
EVENT_AUTHORIZATION_POST |
EVENT_ROUTE |
-601 |
(The first column are event constants from ZF\MvcAuth\MvcAuthEvent; the second are event constants
from Zend\Mvc\MvcEvent.)
As you can tell from their EVENT_ROUTE priorities, authorization happens after routing. There
are effectively three listeners that deal with authorization related workflows:
-
ZF\MvcAuth\Authorization\DefaultResourceResolverListeneris registered with the eventZF\MvcAuth\MvcAuthEvent::EVENT_AUTHORIZATIONand given a priority of1000(executes early). This listener is responsible for determining the matched controller service name from the matched route, which will later be used for checking against the access control lists. -
ZF\MvcAuth\Authorization\DefaultAuthorizationListeneris registered with the eventZF\MvcAuth\MvcAuthEvent::EVENT_AUTHORIZATIONwith the default priority. This listener is responsible for taking information from theZF\MvcAuth\MvcAuthEventand determining if the identity discovered during authentication is authorized to perform the current request against the discovered controller service. -
ZF\MvcAuth\Authorization\DefaultAuthorizationPostListeneris registered with theZF\MvcAuth\MvcAuthEvent::EVENT_AUTHORIZATION_POSTevent, at default priority. This listener is responsible for checking if the current request is unauthorized, and if so, it will assign a403 Unauthorizedstatus to the HTTP response object, and return it.
Services & Models
The following table describes services and models that are accessible through the Service Manager:
| Service | Class/Interface returned by service |
|---|---|
| api-identity | ZF\MvcAuth\Identity\IdentityInterface (either a GuestIdentity or an AuthenticatedIdentity) |
| authentication | Zend\Authentication\AuthenticationService |
| authorization | ZF\MvcAuth\Authorization\AuthorizationInterface (likely a ZF\MvcAuth\Authorization\AclAuthorization instance, a variant of Zend\Permissions\Acl\Acl) |