CakePHP 4 Authentication – Tutorial

CakePHP 4 Authentication

In this CakePHP 4 Authentication tutorial, we will learn how to use the plugin, and how to install and configure it in our applications.

CakePHP 4 Authentication – Plugin

We will start this tutorial by installing the package with Composer:

composer require "cakephp/authentication:^2.0"

Once the package is installed, we add the code in the relevant places. First, we load the component in the AppController.php file:

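namespace App\Controller;

use Cake\Controller\Controller;

class AppController extends Controller
{
    public function initialize(): void
    {
        parent::initialize();

        // Load the component provided by the authentication plugin
        $this->loadComponent('Authentication.Authentication');
    }
}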

For the next step, we go to the Application.php file and import the following classes. Check for classes that are already imported in that file, so that no import is duplicated:

use Authentication\AuthenticationService;
use Authentication\AuthenticationServiceInterface;
use Authentication\AuthenticationServiceProviderInterface;
use Authentication\Identifier\IdentifierInterface;
use Authentication\Middleware\AuthenticationMiddleware;
use Cake\Routing\Router;
use Psr\Http\Message\ServerRequestInterface;

Next, the Application class implements the service provider interface:

class Application extends BaseApplication implements AuthenticationServiceProviderInterface

It’s time to add the authentication plugin

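public function bootstrap(): void
{
    parent::bootstrap();
    if (PHP_SAPI === 'cli') {
        $this->bootstrapCli();
    } else {
        FactoryLocator::add('Table', (new TableLocator())->allowFallbackClass(false));
    }
    if (Configure::read('debug')) {
        $this->addPlugin('DebugKit');
    }
    $this->addPlugin('Authentication'); // load the authentication plugin
}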

We add the relevant middleware to execute the application logic

public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
{
    $middlewareQueue
        ->add(new ErrorHandlerMiddleware(Configure::read('Error')))
        ->add(new AssetMiddleware([
            'cacheTime' => Configure::read('Asset.cacheTime'),
        ]))
        ->add(new RoutingMiddleware($this))
        ->add(new BodyParserMiddleware())
        // Authentication runs after routing and body parsing
        ->add(new AuthenticationMiddleware($this))
        ->add(new CsrfProtectionMiddleware([
            'httponly' => true,
        ]));

    return $middlewareQueue;
}

We continue adding the method that allows us to authenticate

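public function getAuthenticationService(ServerRequestInterface $request): AuthenticationServiceInterface
{
    $service = new AuthenticationService();

    // Where unauthenticated users are sent, and the query parameter
    // that carries the URL they originally requested
    $service->setConfig([
        'unauthenticatedRedirect' => Router::url([
            'prefix' => false,
            'plugin' => null,
            'controller' => 'Users',
            'action' => 'login',
        ]),
        'queryParam' => 'redirect',
    ]);

    $fields = [
        IdentifierInterface::CREDENTIAL_USERNAME => 'username',
        IdentifierInterface::CREDENTIAL_PASSWORD => 'password',
    ];

    // Session authenticator first, so an identity stored after login
    // is reused on later requests
    $service->loadAuthenticator('Authentication.Session');
    $service->loadAuthenticator('Authentication.Form', [
        'fields' => $fields,
        'loginUrl' => Router::url([
            'prefix' => false,
            'plugin' => null,
            'controller' => 'Users',
            'action' => 'login',
        ]),
    ]);

    // Look users up by the credential fields and verify the password hash
    $service->loadIdentifier('Authentication.Password', compact('fields'));

    return $service;
}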
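The service above sends unauthenticated visitors to the login action of the Users controller and carries the originally requested path in the redirect query parameter. As an added example (not code from the original tutorial), this is a login action that consumes that configuration; the fallback target '/' and the loginError view variable are assumptions.

```php
<?php
declare(strict_types=1);

namespace App\Controller;

use Cake\Event\EventInterface;

class UsersController extends AppController
{
    public function beforeFilter(EventInterface $event)
    {
        parent::beforeFilter($event);

        // The login action must be reachable without an identity; otherwise the
        // unauthenticatedRedirect to Users::login would redirect to itself forever.
        $this->Authentication->allowUnauthenticated(['login']);
    }

    public function login()
    {
        $this->request->allowMethod(['get', 'post']);

        // Result produced by the configured authenticators and the Password identifier
        $result = $this->Authentication->getResult();

        if ($result && $result->isValid()) {
            // getLoginRedirect() reads the configured "redirect" query parameter and
            // returns null when the value carries a scheme or host, so a crafted
            // login link cannot send the user to another site after login.
            $target = $this->Authentication->getLoginRedirect() ?? '/'; // assumed fallback

            return $this->redirect($target);
        }

        if ($this->request->is('post')) {
            // Same message for an unknown user and a wrong password, so the form
            // does not reveal which accounts exist (hypothetical view variable).
            $this->set('loginError', __('Invalid username or password'));
        }
    }
}
```

Reading the redirect parameter straight from the query string instead of through getLoginRedirect() would skip the plugin's check and leave the redirect target unvalidated.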

We set the credential fields with which we want to log in; the options are username or email.