The authentication manager.
This simpleton class is responsible for managing the user's
authentication session with SimpleID.
Key concepts
The authentication system involves the following key concepts:
- Authentication level. This is the highest level of user interaction
  used to authenticate the user in the current session. The higher
  the authentication level, the more user interaction is required.
- Authentication scheme. A SimpleID module that implements a way
  for a user to authenticate by checking credentials presented against
  some data store.
- Authentication mode. The type of user interaction required for
  authentication.
Process
The authentication process works as follows:
- The PHP session is initialised.
- The session variables are checked for authentication information.
  If the information does not exist, the user is not logged in.
- Each authentication scheme module is invoked to see if the user
  can be logged in using credentials already stored in the browser
  (e.g. cookie, SSL certificate). Otherwise the user is not
  logged in.
- The user may attempt to log in using the routes presented by
  the AuthModule.
Methods

public __construct()

public initSession(): void
Initialises the PHP session system.

public initUser(bool $allow_non_interactive = true): void
Initialises the user system. Loads data for the currently logged-in user,
if any.
If there is no logged-in user and $allow_non_interactive is set to true, the system
queries the authentication scheme modules to determine whether a user can
be logged in with non-interactive authentication.
Parameters:
- $allow_non_interactive: allows non-interactive authentication

public isLoggedIn(): bool
Returns whether a user has logged in.
Returns: true if a user has logged in

public getUser(): User|null
Returns the current logged-in user.
Returns: the current logged-in user

public getAuthLevel(): int
Returns the authentication level achieved for this session.

public getAuthTime(): int
Returns the time the user was authenticated (including via
automatic authentication).

public getACR(): string
Returns the authentication context class references in relation
to the current authentication session.

public login(AuthResultInterface $result, FormState $form_state = null): void
Sets the user specified by the parameter as the active user.
This is done by:
- Associating the user and authentication result with the current
  browser session maintained by PHP
- Storing the session ID against the user in the
  login cache type
Parameters:
- $result: the authentication result
- $form_state: the state of the login form

public onLoginEvent(LoginEvent $event): void
Saves the login event in the user's activity log.

public logout(): void
Logs out the user by deleting the relevant session information.

public assignUAID(bool $reset = false): string
Assigns and returns a unique ID for the user agent (UAID).
A UAID uniquely identifies the user agent (e.g. browser) used to
make the HTTP request. The UAID is stored in a long-dated
cookie. Therefore, the UAID may be useful for security purposes.
This function will look for a cookie sent by the user agent with
the name returned by getCookieName() with a suffix
of uaid. If the cookie does not exist, it will generate a
UAID and return it to the user agent with a Set-Cookie
response header.
Parameters:
- $reset: true to reset the UAID regardless of whether
  the cookie is present

public assignUALoginState(bool $reset = false): string
Assigns and returns a unique login state for the current
authenticated session with user agent (UALS).
A UALS uniquely identifies the current authenticated session with
the user agent (e.g. browser). It is reset with each successful
login and logout. The cookie associated with a UALS is only
valid for the current session.
This function will look for a cookie sent by the user agent with
the name returned by getCookieName() with a suffix
of uals. If the cookie does not exist, it will generate a
UALS and return it to the user agent with a Set-Cookie
response header.
Parameters:
- $reset: true to reset the UALS

public getCookieName(string $suffix): string
Returns a relatively unique cookie name based on a specified suffix.
Parameters:
- $suffix: the cookie name suffix

public toString(): string
Constants

public AUTH_LEVEL_SESSION = 0

public AUTH_LEVEL_TOKEN = 1
Constant denoting a non-interactive authentication level providing
limited access to selected scopes. Examples include OAuth tokens
and app passwords.

public AUTH_LEVEL_NON_INTERACTIVE = 2
Constant denoting a non-interactive authentication level providing
full access. Examples include certificate-based authentication
schemes and "remember me" cookies set after a successful authentication
at a higher level.

public AUTH_LEVEL_CREDENTIALS = 3
Constant denoting an interactive authentication level with one
credential successfully provided by the user or an external service.
Examples include password authentication and federated authentication.

public AUTH_LEVEL_REENTER_CREDENTIALS = 4
Constant denoting an interactive authentication level with one
credential successfully provided by the user in the same browser
session. This is typically required for sensitive ("sudo") operations.

public AUTH_LEVEL_VERIFIED = 5
Constant denoting an interactive authentication level with at least
one physical factor provided and verified. Examples include
two-factor authentication (where one factor is a physical factor)
or passkey-based authentication.
public MODE_IDENTIFY_USER = 0
Constant denoting an interactive prompt to enter a user identification.
Examples of this include:
- entering a user name or email
- selecting the network for federated login
- selecting an account from a list of previously saved accounts

public MODE_CREDENTIALS = self::AUTH_LEVEL_CREDENTIALS
Constant denoting an interactive prompt to enter a credential.

public MODE_REENTER_CREDENTIALS = self::AUTH_LEVEL_REENTER_CREDENTIALS
Constant denoting an interactive prompt to re-enter a credential.
This is typically required for sensitive ("sudo") operations.

public MODE_VERIFY = self::AUTH_LEVEL_VERIFIED
Constant denoting an interactive prompt for an additional physical
factor.
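The relationship between the authentication levels and the interaction modes, as an added illustration that is not SimpleID's own code: a step-up check that compares the level a session has already achieved (what getAuthLevel() reports) with the level an operation requires, and returns the MODE_* prompt to invoke next. The constant values come from this page; the promptFor() function, the policy it encodes and the scenarios at the end are assumptions.

```php
<?php
// Added illustration, not SimpleID's own code. Constant values are taken
// from the documentation above; promptFor() and its step-up policy are assumed.

const AUTH_LEVEL_SESSION             = 0;
const AUTH_LEVEL_TOKEN               = 1;
const AUTH_LEVEL_NON_INTERACTIVE     = 2;
const AUTH_LEVEL_CREDENTIALS         = 3;
const AUTH_LEVEL_REENTER_CREDENTIALS = 4;
const AUTH_LEVEL_VERIFIED            = 5;

const MODE_IDENTIFY_USER       = 0;
const MODE_CREDENTIALS         = AUTH_LEVEL_CREDENTIALS;
const MODE_REENTER_CREDENTIALS = AUTH_LEVEL_REENTER_CREDENTIALS;
const MODE_VERIFY              = AUTH_LEVEL_VERIFIED;

/**
 * Returns the MODE_* prompt needed before an operation may proceed,
 * or null when the session already satisfies the required level.
 *
 * @param bool $logged_in whether a user is associated with the session
 * @param int  $achieved  level reached so far (what getAuthLevel() reports)
 * @param int  $required  minimum level the operation demands
 */
function promptFor(bool $logged_in, int $achieved, int $required): ?int
{
    if (!$logged_in) {
        return MODE_IDENTIFY_USER;      // first find out who the user is
    }
    if ($achieved >= $required) {
        return null;                    // nothing more to ask for
    }
    // A token, "remember me" cookie or certificate session cannot be
    // raised without a credential, so the first interactive step is one.
    if ($achieved < AUTH_LEVEL_CREDENTIALS) {
        return MODE_CREDENTIALS;
    }
    // The session already holds a credential; only the two higher levels remain.
    return $required === AUTH_LEVEL_REENTER_CREDENTIALS
        ? MODE_REENTER_CREDENTIALS      // "sudo": re-enter it in this browser session
        : MODE_VERIFY;                  // add a physical factor
}

// Assumed scenarios. A caller would loop: prompt, raise the level, re-check.
assert(promptFor(false, AUTH_LEVEL_SESSION, AUTH_LEVEL_CREDENTIALS) === MODE_IDENTIFY_USER);
assert(promptFor(true, AUTH_LEVEL_NON_INTERACTIVE, AUTH_LEVEL_NON_INTERACTIVE) === null);
assert(promptFor(true, AUTH_LEVEL_NON_INTERACTIVE, AUTH_LEVEL_REENTER_CREDENTIALS) === MODE_CREDENTIALS);
assert(promptFor(true, AUTH_LEVEL_CREDENTIALS, AUTH_LEVEL_REENTER_CREDENTIALS) === MODE_REENTER_CREDENTIALS);
assert(promptFor(true, AUTH_LEVEL_CREDENTIALS, AUTH_LEVEL_VERIFIED) === MODE_VERIFY);
echo "step-up policy checks passed\n";
```

The point of the ordering is that a "remember me" cookie or token session (levels 1 and 2) never satisfies a sudo or verified requirement on its own; the user must present a credential first, and only then can the higher prompt be offered.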