RFC: Service identifier collection

[dereuromark]

I wonder, is there a technical reason why we are using a collection for Identifiers and match by a "key" per type?

Usually you would only use classic dependency inversion and assign an identifier to a authenticator, done.
That way there wouldn't be any risks for collision (same key used twice by accident).

If there is a good reason:
Should we add - in debug mode - a check that those defined in the collection do not use the same key?
some use "sub", "id", "key" and "username", but custom ones put in on first sight would not necessarily be very clear here,
and there can be a change that something goes wrong, with auth I am not sure we want to take that risk.

[markstory]

Usually you would only use classic dependency inversion and assign an identifier to a authenticator, done.

I think the thinking was that you could reuse identifiers across authenticators, or have one authenticator use multiple identifiers. I agree that it would be simpler if we connected identifiers & authenticators more directly.

[dereuromark]

Not sure how often that use case appears. But for now this sure adds quite a bit of complexity.

[LordSimal]

The PasswordIdentifier is at least used for the SessionAuthenticator (if identify is enabled), CookieAuthenticator and of course FormAuthenticator.

Thats why Authenticators can be assigned either 1 single identifier or an IdentifieCollection (because both implement the IdentifierInterface). By default we just pass on all configured identifiers to the AuthenticatorCollection and therefore iterate over all identifiers (even if some of them don't make sense for a specific authenticator)

I'd personally prefer to remove the IdentifierCollection as a whole and adjust the way how authenticators and identifiers are created. E.g. pass on the identifier objects to the authenticator so its clear which authenticator uses which identifier.

[dereuromark]

#712 solves it IMO as minor with deprecations.
A future major can clean this up then.