Authentication overview
Authentication on Drupal.org, and for Drupal installations in general, refers to the process of verifying a user's identity before granting access to resources or functionalities. This is a fundamental security mechanism, differentiating legitimate users from unauthorized attempts. For Drupal.org itself, authentication primarily concerns user accounts for community contributions, issue queue participation, and module/theme downloads. For self-hosted Drupal sites, authentication extends to administrative access, content creation, and API interactions.
Drupal's core authentication system is built to be extensible, allowing for various methods to be integrated through modules. The default implementation relies on a username and password combination, securely storing password hashes rather than plain text. This foundational approach ensures a baseline level of security for user accounts across the platform and its many instances. The system is designed to be flexible, supporting integration with external identity providers and more advanced security protocols through its module architecture.
Understanding the authentication mechanisms is critical for both site administrators and developers. Proper configuration prevents unauthorized access, protects sensitive data, and maintains the integrity of the Drupal ecosystem. The flexibility of Drupal allows for tailoring authentication to specific project requirements, from simple login forms to complex multi-factor authentication (MFA) setups and single sign-on (SSO) integrations.
Supported authentication methods
Drupal's authentication capabilities are robust and extensible, catering to diverse security needs. The core system provides fundamental methods, while a vast ecosystem of contributed modules expands these options significantly. Below are the primary methods available:
- Username and Password: This is the default and most common authentication method for both Drupal.org accounts and individual Drupal site users. Users provide a unique username and a corresponding password, which is then hashed and compared against stored credentials. Drupal uses industry-standard hashing algorithms to protect stored passwords.
- Session-based Authentication: Once a user successfully logs in with a username and password, Drupal establishes a session. This session is typically maintained via a cookie on the user's browser, allowing them to navigate the site without re-authenticating for each page request. Sessions have configurable lifetimes and are tied to specific user IDs.
- API Key Authentication (with modules): For programmatic access to Drupal's data via its RESTful API or GraphQL endpoints, API key authentication can be implemented using contributed modules. These modules allow site administrators to generate unique keys that can be passed in request headers or as query parameters. This method is suitable for server-to-server communication or applications that require specific permissions without full user login.
- OAuth 2.0 (with modules): Drupal can act as both an OAuth 2.0 client and an OAuth 2.0 server through various contributed modules like Drupal OAuth Server. As a client, Drupal can integrate with external identity providers (e.g., Google, Facebook, GitHub) for single sign-on (SSO). As a server, Drupal can issue access tokens to third-party applications, allowing them to access Drupal resources on behalf of a user. This is a widely adopted standard for secure delegation of access, as described in the OAuth 2.0 framework specification.
- Multi-Factor Authentication (MFA) (with modules): To enhance security, MFA can be added to Drupal sites using contributed modules such as MFA for Drupal. These modules support various second factors, including TOTP (Time-based One-Time Password) applications, SMS codes, or hardware tokens, significantly reducing the risk of unauthorized access even if a password is compromised.
- SAML (Security Assertion Markup Language) (with modules): For enterprise environments, SAML integration allows Drupal to participate in single sign-on (SSO) systems with corporate identity providers. Modules like SAML Auth enable Drupal to act as a Service Provider (SP), relying on an Identity Provider (IdP) for user authentication.
Authentication Method Comparison
| Method | When to Use | Security Level |
|---|---|---|
| Username/Password | Standard user logins, administrative access. | Moderate (requires strong password policies). |
| Session-based | Maintaining user state after initial login. | Moderate (tied to initial authentication, vulnerable to session hijacking without proper security). |
| API Key (with modules) | Server-to-server communication, specific programmatic access. | High (if keys are securely managed and rotated). |
| OAuth 2.0 (with modules) | Delegated authorization for third-party applications, SSO with external providers. | High (standardized, token-based, fine-grained permissions). |
| MFA (with modules) | Adding a second layer of verification for critical accounts. | Very High (significantly reduces risk of credential compromise). |
| SAML (with modules) | Enterprise SSO integration with corporate identity providers. | Very High (centralized identity management). |
Getting your credentials
The process for obtaining credentials depends on whether you are interacting with Drupal.org as a community member or managing a self-hosted Drupal instance.
For Drupal.org Accounts:
To access Drupal.org's community features, such as contributing to issue queues, downloading modules, or participating in forums, you need a user account. You can register for a new Drupal.org account by providing a unique username, email address, and setting a password. After registration, a verification email is sent to confirm your identity. Once confirmed, you can log in using your chosen username and password.
For Self-Hosted Drupal Sites:
- Administrator Account: During the initial installation of a Drupal site, you will be prompted to create the site's first administrator account. This involves setting a username, password, and email address for the super-user account, which has full control over the site. It is crucial to choose a strong, unique password for this account.
- User Accounts: As a site administrator, you can create new user accounts through the administrative interface (typically at `/admin/people/create`). For each new user, you define a username, email, password, and assign roles that determine their permissions. Users can also register themselves if public registration is enabled in your site's configuration.
- API Keys (if using modules): If your Drupal site uses modules that provide API key authentication (e.g., for REST API access), the process for generating these keys is typically handled within the module's configuration settings. For instance, a module might offer an interface under `/admin/config/services/api-keys` where you can generate, revoke, and manage keys, often associating them with specific users or roles.
- OAuth 2.0 Client Credentials (if acting as OAuth Server): If you configure Drupal as an OAuth 2.0 server using a module, you would typically generate client IDs and client secrets within the module's configuration. These credentials are then provided to third-party applications that wish to access your Drupal site's resources on behalf of users.
Authenticated request example
Since Drupal's core API authentication typically relies on session cookies for browser-based interactions and uses contributed modules for API key or OAuth-based access, a generic example would focus on a common scenario: making an authenticated request to a Drupal REST API endpoint using an API key (assuming a module like REST API Key Authentication is installed and configured).
First, ensure you have an API key generated and configured with appropriate permissions on your Drupal site. Let's assume you have a key: your_api_key_12345.
To fetch a list of nodes (e.g., articles) from your Drupal site's REST API, you might make a GET request with the API key included in the X-API-Key header.
```bash
curl -X GET \
  'https://your-drupal-site.com/jsonapi/node/article' \
  -H 'X-API-Key: your_api_key_12345' \
  -H 'Accept: application/vnd.api+json'
```
In this example:
- `https://your-drupal-site.com/jsonapi/node/article` is the endpoint for retrieving article nodes using Drupal's JSON:API module. The specific endpoint will vary based on your content types and enabled API modules.
- `-H 'X-API-Key: your_api_key_12345'` sends your API key in the custom `X-API-Key` header. The exact header name might be configurable depending on the API key authentication module used.
- `-H 'Accept: application/vnd.api+json'` specifies that the client expects a JSON:API compliant response.
For session-based authentication in a web browser, a user simply logs in via the standard login form, and subsequent requests automatically include the session cookie. For OAuth 2.0, the process involves obtaining an access token through an authorization flow and then including that token in the Authorization: Bearer <token> header for API requests, as detailed in the Google OAuth 2.0 documentation.
Security best practices
Implementing robust security practices for authentication in Drupal is paramount to protect your site and user data. Adhering to these best practices helps mitigate common vulnerabilities identified by organizations like OWASP.
- Strong Password Policies: Enforce the use of strong, unique passwords for all user accounts, especially administrative ones. This includes requirements for minimum length, complexity (mix of uppercase, lowercase, numbers, and symbols), and disallowing common or previously breached passwords. Drupal's core password strength indicator helps users choose better passwords.
- Multi-Factor Authentication (MFA): Where possible, enable and encourage the use of MFA for all users, particularly for administrative roles. MFA adds an essential layer of security by requiring a second verification method beyond just a password. Contributed modules make MFA integration straightforward for Drupal sites.
- Regular Software Updates: Keep your Drupal core, modules, and themes updated to the latest stable versions. Security updates frequently patch vulnerabilities that could be exploited for unauthorized access or other attacks. Subscribe to Drupal's security advisories to stay informed about critical updates.
- Role-Based Access Control (RBAC): Implement the principle of least privilege. Assign users only the permissions necessary for their roles. Avoid granting administrative privileges to users who do not absolutely require them. Regularly review user roles and permissions to ensure they remain appropriate.
- Secure Credential Storage: Drupal core securely hashes passwords using modern, adaptive algorithms (e.g., bcrypt). Ensure that any custom authentication methods or modules you implement also follow secure password hashing practices. Never store plain-text passwords.
- Protect API Keys and Secrets: If using API keys or OAuth client secrets, treat them as sensitive credentials. Do not hardcode them directly into client-side code or public repositories. Use environment variables, secure configuration files, or secret management services. Implement key rotation policies and revoke compromised keys immediately.
- HTTPS Everywhere: Always use HTTPS to encrypt all communication between users and your Drupal site. This protects login credentials, session cookies, and other sensitive data from interception during transit. Obtain and configure SSL/TLS certificates correctly.
- Session Security: Configure session lifetimes appropriately to balance security and usability. Implement measures to prevent session hijacking, such as regenerating session IDs after successful login and configuring secure cookie flags (`HttpOnly`, `Secure`, `SameSite`).
- Brute-Force Protection: Implement measures to prevent brute-force login attempts, such as limiting login attempts, CAPTCHA challenges after multiple failures, and IP blocking. Drupal's core includes some basic protections, but modules can enhance this (e.g., CAPTCHA module).
- Logging and Monitoring: Enable detailed logging for authentication events (successful logins, failed attempts, password resets). Regularly review these logs for suspicious activity. Integrate with security information and event management (SIEM) systems if available.
- Web Application Firewall (WAF): Consider deploying a WAF in front of your Drupal site to protect against common web attacks, including those targeting authentication mechanisms, such as SQL injection and cross-site scripting (XSS), which can sometimes lead to credential compromise.
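The brute-force protection and log-review points above, worked through as an added Python example that is not part of this page or of Drupal itself: a constructed failed-login log export is replayed through a sliding-window counter that alerts per account and per source IP, so that both targeted guessing against one account and password spraying across many accounts are caught. The line format, the names `build_sample_log`, `parse_failures` and `detect_bruteforce`, and the thresholds (assumed to follow Drupal core's flood-control defaults of 5 failures per account in 6 hours and 50 per IP in 1 hour) are assumptions; check them against your site's configuration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds assumed to match Drupal core's flood-control defaults
# (5 failures per account in 6 h, 50 per IP in 1 h); verify against your site.
LIMITS = {"user": (5, timedelta(hours=6)), "ip": (50, timedelta(hours=1))}

# Constructed log export, one entry per line: "<ISO time> <client ip> <message>".
# The message wording mirrors Drupal's "Login attempt failed for %user." log entry.
def build_sample_log():
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    # Ordinary noise: a few users mistype their password once or twice.
    for i, user in enumerate(["alice", "bob", "alice"]):
        lines.append(f"{(base + timedelta(minutes=7 * i)).isoformat()} 198.51.100.{i + 2} Login attempt failed for {user}.")
    # Targeted guessing: six failures against 'admin' from two addresses in 25 minutes.
    for i in range(6):
        lines.append(f"{(base + timedelta(minutes=5 * i)).isoformat()} 203.0.113.{7 + i % 2} Login attempt failed for admin.")
    # Password spraying: one address tries 50 different accounts once each within an hour.
    for i in range(50):
        lines.append(f"{(base + timedelta(seconds=60 * i)).isoformat()} 192.0.2.99 Login attempt failed for user{i}.")
    # Unrelated entries are ignored by the parser.
    lines.append(f"{base.isoformat()} 198.51.100.5 Session opened for alice.")
    return "\n".join(lines)

LINE_RE = re.compile(r"^(\S+) (\S+) Login attempt failed for (\S+)\.$")

def parse_failures(text):
    """Yield (timestamp, ip, username) for each failed-login line; skip other lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def detect_bruteforce(text):
    """Sliding-window failure counts per account and per IP; returns {(kind, key): peak count}
    for every account or address that reached its limit inside its window."""
    recent = {kind: defaultdict(deque) for kind in LIMITS}
    alerts = {}
    for ts, ip, user in sorted(parse_failures(text)):
        for kind, key in (("user", user), ("ip", ip)):
            limit, window = LIMITS[kind]
            q = recent[kind][key]
            q.append(ts)
            while ts - q[0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= limit:
                alerts[(kind, key)] = max(len(q), alerts.get((kind, key), 0))
    return alerts
```

On the sample data this flags `admin` (6 failures, per-account limit) and `192.0.2.99` (50 failures against distinct accounts, per-IP limit), while the scattered mistakes by `alice` and `bob` stay below both thresholds.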