I've identified the following section in `ZF\MvcAuth\Authentication\DefaultAuthenticationListener`'s `__invoke` function responsible for not challenging the client:

```php
$type = $this->getTypeFromMap($mvcEvent->getRouteMatch());
if (false === $type && count($this->adapters) > 1) {
    // Ambiguous situation; no matching type in map, but multiple
    // authentication adapters; return a guest identity.
    $identity = new Identity\GuestIdentity();
    $mvcEvent->setParam('ZF\MvcAuth\Identity', $identity);
    return $identity;
}

$type = $type ?: $this->getTypeFromRequest($request);
if (false === $type) {
    // No authentication type known; trigger any pre-flight actions,
    // and return a guest identity.
    $this->triggerAdapterPreAuth($request, $response);
    $identity = new Identity\GuestIdentity();
    $mvcEvent->setParam('ZF\MvcAuth\Identity', $identity);
    return $identity;
}

// Authenticate against first matching adapter
$identity = $this->authenticate($type, $request, $response, $mvcAuthEvent);

// If the adapter returns a response instance, return it directly.
if ($identity instanceof HttpResponse) {
    return $identity;
}

// If no identity returned, create a guest identity
if (! $identity instanceof Identity\IdentityInterface) {
    $identity = new Identity\GuestIdentity();
}
```
Changing it like this, the client is at least challenged when no credentials are submitted:

```php
$type = $this->getTypeFromMap($mvcEvent->getRouteMatch());
if (false === $type && count($this->adapters) > 1) {
    // Ambiguous situation; no matching type in map, but multiple
    // authentication adapters; return a guest identity.
    $identity = new Identity\GuestIdentity();
    $mvcEvent->setParam('ZF\MvcAuth\Identity', $identity);
    return $identity;
}

$typeFromRequest = $this->getTypeFromRequest($request);
$type = $typeFromRequest ? "{$type}-{$typeFromRequest}" : false;
if (false === $type) {
    // No authentication type known; trigger any pre-flight actions,
    // and return a guest identity.
    $this->triggerAdapterPreAuth($request, $response);
    $identity = new Identity\GuestIdentity();
    $mvcEvent->setParam('ZF\MvcAuth\Identity', $identity);
    return $identity;
}

// Authenticate against first matching adapter
$identity = $this->authenticate($type, $request, $response, $mvcAuthEvent);

// If the adapter returns a response instance, return it directly.
if ($identity instanceof HttpResponse) {
    return $identity;
}

// If no identity returned, create a guest identity
if (! $identity instanceof Identity\IdentityInterface) {
    $identity = new Identity\GuestIdentity();
}
```
The solution offered above indeed triggers the Digest challenge; it is not complete, though, as the response is not an API Problem with status 401 but a successful one with data in the body.
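To make the three behaviours discussed above comparable side by side (the listener as quoted, the proposed change, and the follow-up remark that a challenge without a 401 is still incomplete), here is an added stand-alone model. It is not zf-mvc-auth code: `Request`, `Outcome`, `listen()`, `adapterPreAuth()` and `adapterAuthenticate()` are hypothetical stand-ins, the realm is an assumed value, and the adapter only checks that credentials are present rather than verifying them. It assumes PHP 8.0 or later.

```php
<?php
// Added example, not zf-mvc-auth code: a stand-alone model of the control flow
// in DefaultAuthenticationListener::__invoke as discussed in this issue.
// Names are hypothetical. The model tracks the three facts that matter:
// whether the adapter pre-auth (which emits WWW-Authenticate) runs, whether a
// guest identity is returned, and which status the client finally receives.

final class Request
{
    public function __construct(public string $route, public ?string $authorization) {}
}

final class Outcome
{
    public function __construct(
        public int $status,
        public string $identity,          // 'guest' or 'user'
        public ?string $wwwAuthenticate,  // challenge header value, if any
    ) {}
}

// Configured map: route => auth type ('basic' or 'digest'); false when unmapped.
function typeFromMap(array $map, string $route): string|false
{
    return $map[$route] ?? false;
}

// Type derived from the Authorization header scheme; false when the header is absent.
function typeFromRequest(Request $request): string|false
{
    if ($request->authorization === null) {
        return false;
    }
    $scheme = strtolower((string) strtok($request->authorization, ' '));
    return in_array($scheme, ['basic', 'digest'], true) ? $scheme : false;
}

// Adapter stand-in (assumption): credentials present -> identity, otherwise none.
// A real adapter verifies the credentials; this model only checks presence.
function adapterAuthenticate(Request $request): ?string
{
    return $request->authorization === null ? null : 'user';
}

// Pre-auth stand-in (assumption): this is where the challenge header is produced.
function adapterPreAuth(string $type, string $realm): string
{
    return sprintf('%s realm="%s"', ucfirst($type), $realm);
}

// $variant selects the behaviour:
//   'original' - listener as quoted: map type wins, so pre-auth never runs for mapped routes
//   'patched'  - proposed change: type comes from the request only, so pre-auth runs
//   'fixed'    - protected route without credentials: challenge and stop with a 401
function listen(array $map, Request $request, string $variant, string $realm = 'api'): Outcome
{
    $mapType     = typeFromMap($map, $request->route);
    $requestType = typeFromRequest($request);

    if ($variant === 'fixed' && $mapType !== false && $requestType === false) {
        // Credentials required but absent: API Problem 401 carrying the challenge.
        return new Outcome(401, 'guest', adapterPreAuth($mapType, $realm));
    }

    $type = $variant === 'original' ? ($mapType ?: $requestType) : $requestType;

    if (false === $type) {
        // No type known: pre-flight emits the challenge for a mapped route, but the
        // request still proceeds as a guest and the response ends as a 200.
        $challenge = $mapType !== false ? adapterPreAuth($mapType, $realm) : null;
        return new Outcome(200, 'guest', $challenge);
    }

    // Adapter path: no credentials means no identity, which falls back to guest.
    $identity = adapterAuthenticate($request) ?? 'guest';
    return new Outcome(200, $identity, null);
}

// Constructed sample: 'protected' is mapped to digest and the client sends no header.
$map       = ['protected' => 'digest'];
$anonymous = new Request('protected', null);

foreach (['original', 'patched', 'fixed'] as $variant) {
    $o = listen($map, $anonymous, $variant);
    printf("%-8s status=%d identity=%s WWW-Authenticate=%s\n",
        $variant, $o->status, $o->identity, $o->wwwAuthenticate ?? '(none)');
}
```

Running it with the constructed sample shows the progression the thread describes: the original variant answers 200 as guest with no challenge, the patched variant adds the `Digest` challenge but still answers 200 with a guest identity, and only the fixed variant stops the request with a 401 that carries the `WWW-Authenticate` header. The same check, applied against a real deployment, is simply to request a mapped route without an `Authorization` header and confirm both the 401 status and the presence of that header.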
I'm facing the situation that the API client isn't challenged when authorization is required for a service and no Authorization header is given:

My config:

Sending the following request should challenge the client, but the server does not include a WWW-Authenticate header in its response:
Originally posted by @VOONWerbeagentur at zfcampus/zf-mvc-auth#101