Authentication Support

I'd imagine we should support the methods offered by Core in some way.

For contrib, supporting Simple OAuth seems like the highest priority. Even within that we will have to prioritize the different grant types and options there. My perception has been that client credentials / bearer tokens are most commonly used.

I haven't used the JWT module, but having some kind of JWT support seems like it would be desirable as well.

That's already a lot :) Beyond this I think we'd prioritize based on demand.

+1 for JWT support. You can do some neat stuff with it like calling other services and validating with a shared key.

Here's a proposal for how we could prioritize these authentication options:

POC:
* Basic auth - I don't see basic auth as the highest priority, but I think supporting core is important and this should be the lowest effort way to prove out auth.

1.0:
* Simple OAuth - client credentials grant / bearer token. Both Simple Oauth and this specific authorization approach seem like a high priority due to how commonly they are used.
* Cookie based auth - prioritized due to inclusion in core.

Post 1.0:
* JWT - Excited about supporting this, but priority wise it seems lower than core and Simple OAuth options.
* Other Simple OAuth authorization methods based on feedback/demand.

Currently Not Prioritized:
* Other contrib solutions.

Looks good to me!

We need to also support partial decoupled scenario, where Decoupled app is served by Drupal in some inner page. This could be as simple as setting "credentials true" in the fetch application, but would be nice to have a public api for this.

Marking this as postponed as we focus on the vertical slice POC. Discussion can continue here for the future.

I've also always been assuming we'd allow 'custom' auth, but realizing it wasn't stated explicitly here. @mglaman brought up a relevant example in slack based on our POC basic auth:

I just read through this – is there a plan to support and else if type isn’t Basic and doing something like
headers.set(
"Authorization",
`${this.authentication.type} ${this.authentication.content}`,
);

that way other authorization header values “just work”

https://drupal.slack.com/archives/C05BP6659U0/p1695309895086679?thread_t...

Keeping this issue as postponed, but individual auth related issues have been added to the 1.0 Meta Issue.

Closing this. From my perspective we currently support:

* Basic Auth
* Simple Oauth
* Cookie Auth in a partially decoupled Drupal app (just works, didn't require any customization)
* Custom auth headers.

We also have an issue for JWT auth: https://www.drupal.org/project/api_client/issues/3376949 →

Also open to supporting other methods, but would like it to be driven by demand.