Drupal 7 only supported cookie authentication. Drupal 8, because it wants to be API-first, has the concept of
authentication providers →
. The only one included with Drupal core is \Drupal\basic_auth\Authentication\Provider\BasicAuth, in the basic_auth module.
This means that when you use the REST module in core (or the JSON API → or GraphQL → modules in contrib), you can only use:
Neither of these are considered best practices when interacting with REST APIs. In fact, all of them are terrible choices, and are heavily looked down upon.
The vast majority of these APIs use OAuth 2.0. Specifically, OAuth 2 bearer token.
As part of the API-first initiative ( #2757967: API-first initiative → ), we'd like to propose to add OAuth2 to Drupal 8.3 core as an experimental module. This should come as no surprise because #2757967 has mentioned it since being published on June 29.
@e0ipso → is the maintainer of the https://www.drupal.org/project/simple_oauth → module, which implements OAuth2 bearer token. Unfortunately, it's all Drupal-specific code. Even though the OAuth 2.0 spec is notoriously difficult to implement correctly/completely. So, bringing this module to Drupal 8 core would've had quite a big associated risk: we'd be taking on building and maintaining our own implementation of an OAuth 2 server.
A much lower risk would be to use the PHP library that is the most widely installed/depended upon library in the entire PHP ecosystem to build an OAuth 2 server: thephpleague/oauth2-server. We proposed he rewrite his module on top of that. e0ipso started doing so, and in fact finished doing so a few days ago:
https://www.drupal.org/project/simple_oauth/releases/8.x-2.0-alpha1 →
is the first release of the 8.x-2.x branch.
Even though this branch of the module has only existed for a very short time, we think it's appropriate to include it in Drupal 8.3:
thephpleague/oauth2-server with more than one million downloads and extensive test coverage. This library is used for OAuth purposes in popular frameworks like Laravel and Cake PHP 3. The library implements the following RFCs:
oauth2_advanced contrib module.oauth2 authentication to Drupal 8 core as an experimental module.oauth2_advanced module in Drupal 8 contrib.)None.
None.
None.
Needs work
General
It is used to alert the framework manager core committer(s) that an issue significantly impacts (or has the potential to impact) multiple subsystems or represents a significant change or addition in architecture or public APIs, and their signoff is needed (see the governance policy draft for more information). If an issue significantly impacts only one subsystem, use Needs subsystem maintainer review instead, and make sure the issue component is set to the correct subsystem.
It is used to alert the product manager core committer(s) that an issue represents a significant new feature, UI change, or change to the "user experience" of Drupal, and their signoff is needed. If an issue significantly affects the usability of Drupal, use Needs usability review instead (see the governance policy draft for more information).
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
The Ideas project is being deprecated. As discussed in a core committer meeting issues that are adding modules are being moved to the Drupal CMS project for discussion.
This wouldn't go into vanilla Drupal CMS, but would make sense for site templates with this requirement.