Return null from getIdentificationProvider() for identifier-less authenticators#808
Merged
Merged
Conversation
…enticators An authenticator can legitimately operate without an identifier, most notably the session authenticator with its default `identify` => false: it authenticates from stored session data and never needs to identify. AbstractAuthenticator's getIdentifier() throws in that case, so AuthenticationService:: getIdentificationProvider() blew up whenever such an authenticator was the successful one (e.g. when a DebugKit panel or any consumer read the provider). Introduce a dedicated MissingIdentifierException (extends RuntimeException for backwards compatibility) thrown by AbstractAuthenticator::getIdentifier(), and catch exactly that in getIdentificationProvider() to return null. Catching the specific type preserves lazy identifier creation in subclasses (Form, Cookie, Jwt, Token, ...) and does not mask genuine identifier configuration failures, which still throw a plain RuntimeException from IdentifierFactory.
ADmad
reviewed
Jul 17, 2026
ADmad
approved these changes
Jul 17, 2026
ADmad
left a comment
Member
There was a problem hiding this comment.
LGTM besides the version nitpick.
dereuromark
force-pushed
the
fix-identification-provider-null
branch
from
July 17, 2026 12:21
bfaeec1 to
a8822d5
Compare
dereuromark
force-pushed
the
fix-identification-provider-null
branch
from
July 17, 2026 12:22
a8822d5 to
9c2b90f
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #179.
Problem
On 4.x an authenticator's identifier is optional.
AuthenticatorCollection::create()passesnullwhen noidentifieris configured, and the session authenticator (defaultidentify=> false) authenticates purely from stored session data, so it legitimately has no identifier.AbstractAuthenticator::getIdentifier()throws in that case.AuthenticationService::getIdentificationProvider()called it unconditionally, so the whole request blew up whenever such an authenticator was the successful one:This surfaces for any consumer that reads the identification provider after a session based login (the reporter hit it via the TinyAuth DebugKit panel).
Fix
MissingIdentifierException(extendsRuntimeExceptionfor backwards compatibility) thrown byAbstractAuthenticator::getIdentifier()when no identifier is available.getIdentificationProvider()catches exactly that type and returnsnull.Catching the specific type rather than a bare
RuntimeException:FormAuthenticator,CookieAuthenticator,JwtAuthenticator,TokenAuthenticator,PrimaryKeySessionAuthenticator, ...) whose overriddengetIdentifier()builds a default identifier on first call, andRuntimeExceptionfromIdentifierFactory.Backwards compatibility
MissingIdentifierException extends RuntimeException, so existingcatch (RuntimeException)blocks and the message are unchanged.