loadIdentifier() deprecation even in a default configuration

[umer936]

A basic config like:

public function getAuthenticationService(ServerRequestInterface $request): AuthenticationServiceInterface
{
    $service = new AuthenticationService();

    $loginUrl = Router::url([
        'prefix' => false,
        'plugin' => null,
        'controller' => 'Users',
        'action' => 'login',
    ]);

    // Define where users should be redirected to when they are not authenticated
    $service->setConfig([
        'unauthenticatedRedirect' => $loginUrl,
        'queryParam' => 'redirect',
    ]);

    // Load the authenticators. Session should be first.
    $service->loadAuthenticator('Authentication.Session');

    return $service;
}

gives:

User Deprecated: Since 3.3.0: loadIdentifier() usage is deprecated. Directly pass `'identifier'` config to the Authenticator. /web/swap/vendor/cakephp/cakephp/src/Core/ObjectRegistry.php, line: 115 You can disable all deprecation warnings by setting `Error.errorLevel` to `E_ALL & ~E_USER_DEPRECATED`. Adding `vendor/cakephp/cakephp/src/Core/ObjectRegistry.php` to `Error.ignoredDeprecationPaths` in your `config/app.php` config will mute deprecations from that file only.

This is due to:
https://github.com/cakephp/authentication/blob/3.x/src/Authenticator/AuthenticatorCollection.php#L68 , which checks !empty($config['identifier'].

But, $config['identifier'] is empty in this case as $service->loadAuthenticator('Authentication.Session');
doesn't need one.

Full trace:

ErrorException:User Deprecated: Since 3.3.0: loadIdentifier() usage is deprecated. Directly pass `'identifier'` config to the Authenticator. /web/swap/vendor/cakephp/cakephp/src/Core/ObjectRegistry.php, line: 115 You can disable all deprecation warnings by setting `Error.errorLevel` to `E_ALL & ~E_USER_DEPRECATED`. Adding `vendor/cakephp/cakephp/src/Core/ObjectRegistry.php` to `Error.ignoredDeprecationPaths` in your `config/app.php` config will mute deprecations from that file only.
`0 /web/swap/vendor/cakephp/cakephp/src/Core/functions.php(373): Cake\Core\deprecationWarning
`1 /web/swap/vendor/cakephp/authentication/src/Authenticator/AuthenticatorCollection.php(71): Authentication\Authenticator\AuthenticatorCollection::_create
`2 /web/swap/vendor/cakephp/cakephp/src/Core/ObjectRegistry.php(115): Cake\Core\ObjectRegistry::load
`3 /web/swap/vendor/cakephp/authentication/src/AuthenticationService.php(159): Authentication\AuthenticationService::loadAuthenticator
`4 /Application.php(140): App\Application::getAuthenticationService
`5 /web/swap/vendor/cakephp/authentication/src/Middleware/AuthenticationMiddleware.php(136): Authentication\Middleware\AuthenticationMiddleware::getAuthenticationService
`6 /web/swap/vendor/cakephp/authentication/src/Middleware/AuthenticationMiddleware.php(77): Authentication\Middleware\AuthenticationMiddleware::process
`7 /web/swap/vendor/cakephp/cakephp/src/Http/Runner.php(82): Cake\Http\Runner::handle
`8 /web/swap/vendor/cakephp/cakephp/src/Http/Middleware/BodyParserMiddleware.php(157): Cake\Http\Middleware\BodyParserMiddleware::process
`9 /web/swap/vendor/cakephp/cakephp/src/Http/Runner.php(82): Cake\Http\Runner::handle
`10 /web/swap/vendor/cakephp/cakephp/src/Routing/Middleware/RoutingMiddleware.php(117): Cake\Routing\Middleware\RoutingMiddleware::process
`11 /web/swap/vendor/cakephp/cakephp/src/Http/Runner.php(82): Cake\Http\Runner::handle
`12 /web/swap/vendor/cakephp/cakephp/src/Routing/Middleware/AssetMiddleware.php(70): Cake\Routing\Middleware\AssetMiddleware::process
`13 /web/swap/vendor/cakephp/cakephp/src/Http/Runner.php(82): Cake\Http\Runner::handle
`14 /web/swap/vendor/cakephp/cakephp/src/Error/Middleware/ErrorHandlerMiddleware.php(115): Cake\Error\Middleware\ErrorHandlerMiddleware::process
`15 /web/swap/vendor/cakephp/cakephp/src/Http/Runner.php(82): Cake\Http\Runner::handle
`16 /web/swap/vendor/cakephp/debug_kit/src/Middleware/DebugKitMiddleware.php(60): DebugKit\Middleware\DebugKitMiddleware::process
`17 /web/swap/vendor/cakephp/cakephp/src/Http/Runner.php(82): Cake\Http\Runner::handle
`18 /web/swap/vendor/cakephp/cakephp/src/Http/Runner.php(60): Cake\Http\Runner::run
`19 /web/swap/vendor/cakephp/cakephp/src/Http/Server.php(104): Cake\Http\Server::run
`20 /web/swap/webroot/index.php(37): {main}

---

I can submit a PR. To clarify, is it just in the case of Session that there will not be an identifier? Or do other Authenticators have defaults to where a value there would not be needed?

[umer936]

I feel like even form shouldn't need one if it's [username, password] as those are the default fields https://github.com/cakephp/authentication/blob/3.x/src/Authenticator/FormAuthenticator.php#L44 , so shouldn't the default Identifier be 'Authentication.Password'?

This feels like it should be enough

    public function getAuthenticationService(ServerRequestInterface $request): AuthenticationServiceInterface
    {
        $service = new AuthenticationService([
            'unauthenticatedRedirect' => [
                'prefix' => false,
                'plugin' => null,
                'controller' => 'Users',
                'action' => 'login',
            ],
            'queryParam' => 'redirect',
        ]);

        // Load the authenticators. Session should be first.
        $service->loadAuthenticator('Authentication.Session');
        $service->loadAuthenticator('Authentication.Form');

        return $service;
    }

but that's a call on y'alls part.

This currently works (but with the deprecation warning):

    public function getAuthenticationService(ServerRequestInterface $request): AuthenticationServiceInterface
    {
        $service = new AuthenticationService([
            'unauthenticatedRedirect' => [
                'prefix' => false,
                'plugin' => null,
                'controller' => 'Users',
                'action' => 'login',
            ],
            'queryParam' => 'redirect',
        ]);

        // Load the authenticators. Session should be first.
        $service->loadAuthenticator('Authentication.Session');
        $service->loadAuthenticator('Authentication.Form', [
            'identifier' => 'Authentication.Password',
        ]);

        return $service;
    }

[ADmad]

To clarify, is it just in the case of Session that there will not be an identifier? Or do other Authenticators have defaults to where a value there would not be needed?

While not the default, the JwtAuthenticator too can be configured to directly return the JWT's payload as identity and not need an identifier. So the deprecation warning in AuthenticatorCollection::_create() should be removed.

so shouldn't the default Identifier be 'Authentication.Password'?

Now that identifiers are meant to be set per authenticator, having a default identifier configured for authenticators (where applicable) makes sense. But that can be addressed separately.

[umer936]

Solved in #734.