Multiple authentication methods (form and JWT)


#1

Hi, I have read the documentation, but it is not clear for me. I want to allow users to access using the web interface (username/password with session/cookies, but not SPA), but also programmatically using JWT (making it compatible in the future with SPA). How can I configure Auth to first try with form credentials, and if not found, try with the JWT header? I am using CakePHP 3.6 and admad/cakephp-jwt-auth 2.3.2


#2

I don’t know much about admad/cakephp-jwt-auth, but I’ve recently done an implementation with Okta using their JWT verifier. In Cake you normally call $this->Auth->login() to log someone in. I don’t see any reason that you couldn’t attempt normal CakePHP authentication and then, if it fails, attempt other means of authentication. Once you have authenticated data, you could call $this->Auth->login() to log them in with that data.


#3

Don’t mix stateful and stateless auths. Use Form authenticator only for your webapp.

For SPA use a separate route prefix, api for example, and configure JWT auth only for that prefix. You can have a separate AppController for the api prefix and configure the Auth component for it with just the JWT authenticator. Read the tutorial linked in my plugin’s readme.
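The split described in #3, as an added example that is not code from the thread or from the plugin itself: a stateful Form authenticator on the web `AppController`, and an `api` route prefix whose own `Api\AppController` carries only the stateless JWT authenticator backed by `Memory` storage, so a token never creates a session and a session cookie never satisfies an API request. The `Users` table, the `id`-as-subject mapping, the `Security::salt()` signing key and the token lifetime are assumptions for illustration; `ADmad/JwtAuth.Jwt`, `storage => Memory`, `checkAuthIn` and `unauthorizedRedirect => false` are the plugin's documented configuration keys.

```php
<?php
// config/routes.php (added example; assumes the default App namespace)
use Cake\Routing\RouteBuilder;
use Cake\Routing\Router;
use Cake\Routing\Route\DashedRoute;

Router::defaultRouteClass(DashedRoute::class);

// Browser-facing routes: no prefix, handled by App\Controller\AppController.
Router::scope('/', function (RouteBuilder $routes) {
    $routes->connect('/', ['controller' => 'Pages', 'action' => 'display', 'home']);
    $routes->fallbacks(DashedRoute::class);
});

// Everything under /api is routed to App\Controller\Api\* and answers JSON only.
Router::prefix('api', function (RouteBuilder $routes) {
    $routes->setExtensions(['json']);
    $routes->connect('/users/token', ['controller' => 'Users', 'action' => 'token']);
    $routes->fallbacks(DashedRoute::class);
});
```

```php
<?php
// src/Controller/AppController.php (web app: Form login, session/cookie storage)
namespace App\Controller;

use Cake\Controller\Controller;

class AppController extends Controller
{
    public function initialize()
    {
        parent::initialize();
        $this->loadComponent('RequestHandler');
        // Default storage is Session, so a successful Form login sets the cookie.
        // No JWT authenticator is listed here: a bearer token is ignored on web routes.
        $this->loadComponent('Auth', [
            'authenticate' => [
                'Form' => [
                    'userModel' => 'Users',                 // assumed table name
                    'fields' => ['username' => 'email', 'password' => 'password'],
                ],
            ],
            'loginAction' => ['controller' => 'Users', 'action' => 'login', 'prefix' => false],
            'unauthorizedRedirect' => $this->referer(),
        ]);
    }
}
```

```php
<?php
// src/Controller/Api/AppController.php (API: JWT only, nothing stored in the session)
namespace App\Controller\Api;

use Cake\Controller\Controller;
use Cake\Event\Event;
use Cake\Http\Exception\UnauthorizedException;

class AppController extends Controller
{
    public function initialize()
    {
        parent::initialize();
        $this->loadComponent('RequestHandler');
        $this->loadComponent('Auth', [
            // Memory storage keeps the request stateless: identity lives only for this request.
            'storage' => 'Memory',
            'authenticate' => [
                'ADmad/JwtAuth.Jwt' => [
                    'userModel' => 'Users',                  // assumed table name
                    'fields' => ['username' => 'id'],        // token "sub" claim is looked up as Users.id
                    'parameter' => 'token',                  // also accepts ?token=... besides the Authorization header
                    'queryDatasource' => true,               // re-load the user row instead of trusting claims blindly
                    'unauthenticatedException' => UnauthorizedException::class,
                ],
            ],
            // An API must answer 401 with a JSON body, never redirect to a login page.
            'unauthorizedRedirect' => false,
            // Run the check early so any action in this prefix requires a valid token.
            'checkAuthIn' => 'Controller.initialize',
        ]);
    }

    public function beforeRender(Event $event)
    {
        // Force JSON serialisation for every Api\* action (assumed convention).
        $this->set('_serialize', true);
    }
}
```

The token-issuing endpoint (`/api/users/token`) is the one place in the `api` prefix that must be reachable without a token; allow it with `$this->Auth->allow('token')` in `Api\UsersController::initialize()`, verify the posted credentials there, and only then return a JWT signed with the same key the authenticator verifies against. Keeping the two `AppController`s apart is what makes the boundary auditable: a session cookie can never be replayed against `/api/*`, and a leaked token cannot open a browser session.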