How does Flow differentiate between different authentication providers in the same application

In my application I have one package that contains the “application” frontend, with user authentication and an authenticationProvider defined like

Neos:
  Flow:
    security:
      authentication:
        authenticationStrategy: oneToken
        providers:
          'Vendor.Application:User':
            provider: 'PersistedUsernamePasswordProvider'
            token: 'Neos\Flow\Security\Authentication\Token\UsernamePassword'
            requestPatterns:
              'Vendor.Application:ApplicationControllers':
                pattern: 'ControllerObjectName'
                patternOptions:
                  controllerObjectNamePattern: 'Vendor\Application\Controller\.*'
            entryPoint: WebRedirect
            entryPointOptions:
              routeValues:
                '@package': 'Vendor.Application'
                '@controller': 'Login'
                '@action': 'login'
                '@format': 'html'

and a separate package that contains an “administration” with an administration provider configured in the same way, but with the provider name 'Vendor.Backoffice:User'.

These two parts are separate systems, and if you authenticate in the backoffice, it doesn’t mean that you are authenticated as an application user - and the other way around as well :slight_smile:

But every time I authenticate to my Backoffice and then browse to the application, how does Flow differentiate?

How do I avoid that, e.g., the IfAuthenticated view helper ends up returning a positive result in the `Application` content, when I’m only authenticated in the Backoffice?

Can anybody shed some light on this topic? It’s a missing “in-depth” thing in the security documentation that I would love to know more about :slight_smile:

The requestPatterns restrict the provider using controllerObjectNamePattern, making sure the provider will only authenticate requests matching that. As view helpers are always used inside controller actions (unless you bypass that using request components or similar), you can be sure that the provider's token will only be authenticated when actually showing the Backoffice or Application. E.g. if you created a third independent controller not matching those request patterns, IfAuthenticated would never return true.

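To make the separation described in the answer visible at runtime, here is an added example (not code from the original thread or from the Flow project): a small Flow service that reports, per provider, whether that provider's token is authenticated in the current request, using Flow's Security Context. The namespace and class name are assumptions; the two provider names are the ones from the question.

```php
<?php
// Added example (assumption: namespace and class name are hypothetical).
// Lists, for the current request, which of the configured providers actually
// has an authenticated token. Because Flow only activates tokens whose
// requestPatterns match the current request, a Backoffice token is not even
// active inside a Vendor\Application\Controller\* action, so it cannot make a
// check against 'Vendor.Application:User' succeed (and vice versa).
namespace Vendor\Application\Service;

use Neos\Flow\Annotations as Flow;
use Neos\Flow\Security\Context as SecurityContext;

/**
 * @Flow\Scope("singleton")
 */
class AuthenticationStatusService
{
    /**
     * @Flow\Inject
     * @var SecurityContext
     */
    protected $securityContext;

    /**
     * Returns e.g. ['Vendor.Application:User' => true] inside an Application
     * controller. Providers whose requestPatterns do not match the current
     * request are inactive and therefore do not appear in the result at all.
     */
    public function getStatusByProvider(): array
    {
        $status = [];
        foreach ($this->securityContext->getAuthenticationTokens() as $token) {
            $status[$token->getAuthenticationProviderName()] = $token->isAuthenticated();
        }
        return $status;
    }

    /**
     * True only if the token of the named provider is authenticated for this
     * request. Prefer this kind of provider-specific check over a generic
     * "is anybody logged in?" when Application and Backoffice logins must
     * never be confused with each other.
     */
    public function isAuthenticatedWith(string $providerName): bool
    {
        return $this->getStatusByProvider()[$providerName] ?? false;
    }
}
```

Calling `isAuthenticatedWith('Vendor.Backoffice:User')` from an Application controller returns false even while a Backoffice session exists, which is exactly the behaviour the requestPatterns in the question enforce.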