Module Development

API Authentication and Authorization for Drupal 8, 9, and 10

In a monolithic architecture (non-decoupled) there is an implicit proof that the user in the front-end is the same one in the back-end. This empowers the front-end to offload all the authentication and authorization to the back-end, typically using a session cookie. In a decoupled architecture there will be multiple consumers, and some of them will not support using cookies. There are several alternatives to session cookies to authenticate our requests in a decoupled project.

In this tutorial we will:

  • Learn about authorization versus authentication
  • The impact on a decoupled project of having logged in users
  • Learn about the available options for authentication when using a Drupal back-end.

By the end of this tutorial you should be able to explain the difference between authentication and authorization and know how to get started implementing both in a Drupal-backed web services API.

Decoupled Headless Drupal