Introduced in branch: 8.x
Description: 

Session cookies are no longer the only way to authenticate a user that is supported by Drupal core.

With commit aa9c2cc a new pluggable authentication system has been introduced.

The main parts of the system are the AuthenticationManager and the authentication providers. Authentication providers must be registered in the dependency injection container with the tag "authentication_provider":

authentication.cookie:
    class: Drupal\Core\Authentication\Provider\Cookie
    tags:
      - { name: authentication_provider, priority: 0 }

It is very important that the service key of each authentication provider starts with the "authentication." prefix.

On each request the applies() method of each provider is called in the order of their priority. The first provider that returns TRUE gets the chance to authenticate the user.

An authentication provider must implement AuthenticationProviderInterface and can do the following:

  • method "authenticate" -- tells the system which user is currently authenticated
  • method "cleanup" -- performs actions after most of the code has executed. This method was mainly introduced so that the cookie provider can commit the session
  • method "handleException" -- lets the provider run extra actions if an exception has been thrown. For example, the basic authentication provider uses it to set the "WWW-Authenticate" header when an anonymous user gets access denied

Each route can have a list of allowed authentication providers using the "_auth" option:

module.router_test_11:
  path: '/router_test/test11'
  options:
    _auth: [ 'http_basic' ]
  requirements:
    _user_is_logged_in: 'TRUE'
  defaults:
    _controller: '\Drupal\router_test\TestContent::test11'

If the user is authenticated with a provider that is not listed for the route, the user is reset to anonymous. In this way a REST API can be built that supports only some of the authentication providers registered in the system.
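A runnable sketch of the dispatch rules described above (an added example, not Drupal's AuthenticationManager or its real interface): the request is modelled as a plain array, the provider classes, provider IDs and the accepted credential are constructed for the demonstration, and higher priority is tried first.

```php
<?php
// Simplified model of provider dispatch: providers are tried in priority order,
// the first whose applies() returns TRUE authenticates, and the route's _auth
// list decides whether that result is kept or reset to anonymous.
interface AuthenticationProviderInterface {
  public function applies(array $request): bool;
  public function authenticate(array $request): ?string;
}

// Hypothetical cookie provider: applies when a session cookie is present.
class CookieProvider implements AuthenticationProviderInterface {
  public function applies(array $request): bool { return isset($request['cookies']['SESS']); }
  public function authenticate(array $request): ?string {
    return $request['cookies']['SESS'] === 'valid' ? 'cookie_user' : NULL; // constructed check
  }
}

// Hypothetical HTTP Basic provider: applies when an Authorization header is present.
class HttpBasicProvider implements AuthenticationProviderInterface {
  public function applies(array $request): bool { return isset($request['headers']['Authorization']); }
  public function authenticate(array $request): ?string {
    // Credential check is stubbed: a single constructed user:password pair is accepted.
    return $request['headers']['Authorization'] === 'Basic ' . base64_encode('alice:secret') ? 'alice' : NULL;
  }
}

class AuthenticationManager {
  private array $providers = [];

  // $id mirrors the service key without the "authentication." prefix, e.g. "cookie".
  public function addProvider(string $id, AuthenticationProviderInterface $p, int $priority): void {
    $this->providers[$id] = ['provider' => $p, 'priority' => $priority];
    uasort($this->providers, fn($a, $b) => $b['priority'] <=> $a['priority']); // highest first
  }

  // Returns [account, provider id]; 'anonymous' when no provider applied,
  // authentication failed, or the route's _auth list excludes the provider.
  public function authenticate(array $request, ?array $routeAuth = NULL): array {
    foreach ($this->providers as $id => $entry) {
      if (!$entry['provider']->applies($request)) continue;
      $account = $entry['provider']->authenticate($request);
      if ($account !== NULL && ($routeAuth === NULL || in_array($id, $routeAuth, TRUE))) {
        return [$account, $id];
      }
      return ['anonymous', $id]; // first applicable provider decides; others are not retried
    }
    return ['anonymous', NULL];
  }
}

$m = new AuthenticationManager();
$m->addProvider('cookie', new CookieProvider(), 0);
$m->addProvider('http_basic', new HttpBasicProvider(), 100);
// A valid session cookie against a route with _auth: ['http_basic'] is reset to anonymous.
print_r($m->authenticate(['cookies' => ['SESS' => 'valid']], ['http_basic']));
// Valid Basic credentials on the same route authenticate as 'alice'.
print_r($m->authenticate(['headers' => ['Authorization' => 'Basic ' . base64_encode('alice:secret')]], ['http_basic']));
```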

Impacts: 
Site builders, administrators, editors
Module developers