cakephp · dereuromark · Apr 30, 2025 · Apr 20, 2025 · Apr 20, 2025 · Apr 20, 2025
diff --git a/docs/en/authenticators.rst b/docs/en/authenticators.rst
@@ -139,8 +139,8 @@ Add the following to your ``Application`` class::
     {
         $service = new AuthenticationService();
         // ...
-        $service->loadIdentifier('Authentication.JwtSubject');
         $service->loadAuthenticator('Authentication.Jwt', [
+            'identifier' => 'Authentication.JwtSubject',
             'secretKey' => file_get_contents(CONFIG . '/jwt.key'),
             'algorithm' => 'RS256',
             'returnPayload' => false
@@ -180,7 +180,6 @@ Using a JWKS fetched from an external JWKS endpoint is supported as well::
     {
         $service = new AuthenticationService();
         // ...
-        $service->loadIdentifier('Authentication.JwtSubject');
 
         $jwksUrl = 'https://appleid.apple.com/auth/keys';
 
@@ -193,6 +192,7 @@ Using a JWKS fetched from an external JWKS endpoint is supported as well::
         });
 
         $service->loadAuthenticator('Authentication.Jwt', [
+            'identifier' => 'Authentication.JwtSubject',
             'jwks' => $jsonWebKeySet,
             'returnPayload' => false
         ]);
@@ -335,14 +335,18 @@ authentication cookie is **also destroyed**. An example configuration would be::
     // Put form authentication first so that users can re-login via
     // the login form if necessary.
     $service->loadAuthenticator('Authentication.Form', [
+        'identifier' => 'Authentication.Password',
         'fields' => $fields,
         'loginUrl' => '/users/login',
     ]);
     // Then use sessions if they are active.
-    $service->loadAuthenticator('Authentication.Session');
+    $service->loadAuthenticator('Authentication.Session', [
+        'identifier' => 'Authentication.Password',
+    ]);
 
     // If the user is on the login page, check for a cookie as well.
     $service->loadAuthenticator('Authentication.Cookie', [
+        'identifier' => 'Authentication.Password',
         'fields' => $fields,
         'loginUrl' => '/users/login',
     ]);
@@ -366,12 +370,15 @@ and similar SAML 1.1 implementations. An example configuration is::
 
     // Configure a token identifier that maps `USER_ID` to the
     // username column
-    $service->loadIdentifier('Authentication.Token', [
-        'tokenField' => 'username',
-        'dataField' => 'USER_NAME',
-    ]);
+    $identifier = [
+        'Authentication.Token', [
+            'tokenField' => 'username',
+            'dataField' => 'USER_NAME',
+        ],
+    ];
 
     $service->loadAuthenticator('Authentication.Environment', [
+        'identifier' => $identifier,
         'loginUrl' => '/sso',
         'fields' => [
             // Choose which environment variables exposed by your
@@ -477,19 +484,26 @@ authenticators must send specific challenge headers in the response::
     // Instantiate the service
     $service = new AuthenticationService();
 
-    // Load identifiers
-    $service->loadIdentifier('Authentication.Password', [
-        'fields' => [
-            'username' => 'email',
-            'password' => 'password'
-        ]
-    ]);
-    $service->loadIdentifier('Authentication.Token');
+    // Define identifiers
+    $passwordIdentifier = [
+        'Authentication.Password', [
+            'fields' => [
+                'username' => 'email',
+                'password' => 'password'
+            ]
+        ],
+    ];
 
     // Load the authenticators leaving Basic as the last one.
-    $service->loadAuthenticator('Authentication.Session');
-    $service->loadAuthenticator('Authentication.Form');
-    $service->loadAuthenticator('Authentication.HttpBasic');
+    $service->loadAuthenticator('Authentication.Session', [
+        'identifier' => $passwordIdentifier,
+    ]);
+    $service->loadAuthenticator('Authentication.Form', [
+        'identifier' => $passwordIdentifier,
+    ]);
+    $service->loadAuthenticator('Authentication.HttpBasic', [
+        'identifier' => 'Authentication.Token',
+    ]);
 
 If you want to combine ``HttpBasic`` or ``HttpDigest`` with other
 authenticators, be aware that these authenticators will abort the request and

diff --git a/docs/en/identifiers.rst b/docs/en/identifiers.rst
@@ -6,27 +6,29 @@ that was extracted from the request by the authenticators. Identifiers
 can take options in the ``loadIdentifier`` method. A holistic example of
 using the Password Identifier looks like::
 
-   $service->loadIdentifier('Authentication.Password', [
-       'fields' => [
-           'username' => 'email',
-           'password' => 'passwd',
-       ],
-       'resolver' => [
-           'className' => 'Authentication.Orm',
-           'userModel' => 'Users',
-           'finder' => 'active', // default: 'all'
-       ],
-       'passwordHasher' => [
-           'className' => 'Authentication.Fallback',
-           'hashers' => [
-               'Authentication.Default',
-               [
-                   'className' => 'Authentication.Legacy',
-                   'hashType' => 'md5',
-               ],
+    $identifier = [
+        'Authentication.Password', [
+            'fields' => [
+               'username' => 'email',
+               'password' => 'passwd',
            ],
-       ],
-   ]);
+           'resolver' => [
+               'className' => 'Authentication.Orm',
+               'userModel' => 'Users',
+               'finder' => 'active', // default: 'all'
+           ],
+           'passwordHasher' => [
+               'className' => 'Authentication.Fallback',
+               'hashers' => [
+                    'Authentication.Default',
+                    [
+                        'className' => 'Authentication.Legacy',
+                        'hashType' => 'md5',
+                    ],
+                ],
+            ],
+        ],
+    ];
 
 Password
 ========
@@ -60,7 +62,7 @@ Configuration options:
 -  **resolver**: The identity resolver. Default is
    ``Authentication.Orm`` which uses CakePHP ORM.
 -  **hashAlgorithm**: The algorithm used to hash the incoming token
-   with before compairing it to the ``tokenField``. Recommended value is
+   with before comparing it to the ``tokenField``. Recommended value is
    ``sha256``. Default is ``null``.
 
 JWT Subject
@@ -119,36 +121,39 @@ or an ``Authentication\Authenticator\Result`` if you want to forward error
 messages::
 
     // A simple callback identifier
-    $authenticationService->loadIdentifier('Authentication.Callback', [
-        'callback' => function($data) {
-            // do identifier logic
+    $identifier = [
+        'Authentication.Callback' => [
+            'callback' => function($data) {
+                // do identifier logic
 
-            // Return an array of the identified user or null for failure.
-            if ($result) {
-                return $result;
-            }
+                // Return an array of the identified user or null for failure.
+                if ($result) {
+                    return $result;
+                }
 
-            return null;
-        },
-    ]);
+                return null;
+            },
+        ]
+    ];
 
     // Using a result object to return error messages.
-    $authenticationService->loadIdentifier('Authentication.Callback', [
-        'callback' => function($data) {
-            // do identifier logic
-
-            if ($result) {
-                return new Result($result, Result::SUCCESS);
-            }
-
-            return new Result(
-                null,
-                Result::FAILURE_OTHER,
-                ['message' => 'Removed user.']
-            );
-        },
-    ]);
-
+    $identifier = [
+        'Authentication.Callback', [
+            'callback' => function($data) {
+                // do identifier logic
+
+                if ($result) {
+                    return new Result($result, Result::SUCCESS);
+                }
+
+                return new Result(
+                    null,
+                    Result::FAILURE_OTHER,
+                    ['message' => 'Removed user.']
+                );
+            },
+        ];
+    ];
 
 Identity resolvers
 ==================
@@ -183,17 +188,29 @@ reside under ``App\Identifier\Resolver`` namespace.
 
 Resolver can be configured using ``resolver`` config option::
 
-   $service->loadIdentifier('Authentication.Password', [
-       'resolver' => [
-            // can be a full class name: \Some\Other\Custom\Resolver::class
-           'className' => 'MyResolver',
-           // Pass additional options to the resolver constructor.
-           'option' => 'value',
-       ],
-   ]);
+    $identifier = [
+        'Authentication.Password', [
+            'resolver' => [
+                // can be a full class name: \Some\Other\Custom\Resolver::class
+                'className' => 'MyResolver',
+                // Pass additional options to the resolver constructor.
+                'option' => 'value',
+            ],
+        ];
+    ];
 
 Or injected using a setter::
 
    $resolver = new \App\Identifier\Resolver\CustomResolver();
    $identifier = $service->loadIdentifier('Authentication.Password');
    $identifier->setResolver($resolver);
+
+3.3.0 Deprecated.
+
+Use object injection then:
+
+    $resolver = new \App\Identifier\Resolver\CustomResolver();
+    $identifier = [
+        'Authentication.Password', [
+            'resolver' => $resolver;
+    ];
diff --git a/docs/en/index.rst b/docs/en/index.rst
@@ -94,13 +94,23 @@ define the ``AuthenticationService`` it wants to use. Add the following method t
             'queryParam' => 'redirect',
         ]);
 
+        // Define identifiers
         $fields = [
             AbstractIdentifier::CREDENTIAL_USERNAME => 'email',
             AbstractIdentifier::CREDENTIAL_PASSWORD => 'password'
         ];
+        $passwordIdentifier = [
+            'Authentication.Password', [
+                'fields' => $fields,
+            ],
+        ];
+
         // Load the authenticators. Session should be first.
-        $service->loadAuthenticator('Authentication.Session');
+        $service->loadAuthenticator('Authentication.Session', [
+            'identifier' => $passwordIdentifier,
+        ]);
         $service->loadAuthenticator('Authentication.Form', [
+            'identifier' => $passwordIdentifier,
             'fields' => $fields,
             'loginUrl' => Router::url([
                 'prefix' => false,
@@ -110,9 +120,6 @@ define the ``AuthenticationService`` it wants to use. Add the following method t
             ]),
         ]);
 
-        // Load identifiers
-        $service->loadIdentifier('Authentication.Password', compact('fields'));
-
         return $service;
     }
 

diff --git a/docs/en/middleware.rst b/docs/en/middleware.rst
@@ -42,18 +42,21 @@ inspecting the request object you can configure authentication appropriately::
         $service = new AuthenticationService();
         if (strpos($path, '/api') === 0) {
             // Accept API tokens only
-            $service->loadAuthenticator('Authentication.Token');
-            $service->loadIdentifier('Authentication.Token');
+            $service->loadAuthenticator('Authentication.Token', [
+                'identifier' => 'Authentication.Token',
+            ]);
 
             return $service;
         }
 
         // Web authentication
         // Support sessions and form login.
-        $service->loadAuthenticator('Authentication.Session');
-        $service->loadAuthenticator('Authentication.Form');
-
-        $service->loadIdentifier('Authentication.Password');
+        $service->loadAuthenticator('Authentication.Session', [
+            'identifier' => 'Authentication.Password',
+        ]);
+        $service->loadAuthenticator('Authentication.Form', [
+            'identifier' => 'Authentication.Password',
+        ]);
 
         return $service;
     }

diff --git a/docs/en/migration-from-the-authcomponent.rst b/docs/en/migration-from-the-authcomponent.rst
@@ -134,35 +134,43 @@ You’ll now have to configure it this way::
    // Instantiate the service
    $service = new AuthenticationService();
 
-   // Load identifiers
-   $service->loadIdentifier('Authentication.Password', [
-       'fields' => [
-           'username' => 'email',
-           'password' => 'password',
-       ]
-   ]);
-
-   // Load the authenticators
-   $service->loadAuthenticator('Authentication.Session');
-   $service->loadAuthenticator('Authentication.Form');
+   // Define identifier
+    $passwordIdentifier = [
+        'Authentication.Password', [
+            'fields' => [
+                'username' => 'email',
+                'password' => 'password'
+            ]
+        ],
+    ];
+
+    // Load the authenticators
+    $service->loadAuthenticator('Authentication.Session', [
+        'identifier' => $passwordIdentifier,
+    ]);
+    $service->loadAuthenticator('Authentication.Form', [
+        'identifier' => $passwordIdentifier,
+    ]);
 
 If you have customized the ``userModel`` you can use the following
 configuration::
 
-   // Instantiate the service
-   $service = new AuthenticationService();
-
-   // Load identifiers
-   $service->loadIdentifier('Authentication.Password', [
-       'resolver' => [
-           'className' => 'Authentication.Orm',
-           'userModel' => 'Employees',
-       ],
-       'fields' => [
-           'username' => 'email',
-           'password' => 'password',
-       ]
-   ]);
+    // Instantiate the service
+    $service = new AuthenticationService();
+
+    // Define identifier
+    $passwordIdentifier = [
+        'Authentication.Password', [
+             'resolver' => [
+                'className' => 'Authentication.Orm',
+                'userModel' => 'Employees',
+            ],
+            'fields' => [
+                'username' => 'email',
+                'password' => 'password'
+            ]
+        ],
+    ];
 
 While there is a bit more code than before, you have more flexibility in
 how your authentication is handled.