ADR-012: Authentication Service Priority 80 

Status

Accepted

Date

2026-03-14

Decision-makers

Sebastian Mendel

Context 

TYPO3's frontend authentication service chain processes services in descending priority order. SaltedPasswordService runs at priority 50. Third-party extensions commonly use various priorities:

  • LDAP extensions: typically 80-90
  • OAuth/OIDC extensions: typically 70-80
  • SAML extensions: typically 80-90
  • nr-passkeys-be: priority 80

The passkey auth service must intercept login requests before the password service but cooperate with other auth providers.

Decision 

Priority 80, matching nr-passkeys-be.

The PasskeyFrontendAuthenticationService runs at priority 80:

  • Above SaltedPasswordService (50) — passkey payloads are checked first
  • At same level as nr-passkeys-be (80) — consistent behavior
  • Below most LDAP/SAML providers (90+) — SSO providers take precedence

When the service receives a request without a passkey payload (_type: "passkey"), it returns 100 (continue chain), passing control to the next service. This means:

  • LDAP/SSO at 90: processes first, passkey at 80 only sees non-SSO requests
  • Passkey at 80: checks for passkey payload, passes non-passkey requests to password
  • Password at 50: handles traditional password authentication

Consequences 

Positive:

  • Consistent with nr-passkeys-be, reducing confusion
  • SSO providers at 90+ take precedence (correct: if IdP handles auth, passkey is irrelevant)
  • Non-passkey logins fall through cleanly to password service

Negative:

  • Priority collision possible if another extension also uses 80
  • TYPO3 does not guarantee order for same-priority services

Mitigation:

  • Document the priority in extension settings (not currently configurable, but could be)
  • The service's getUser() only activates when _type: "passkey" is present in loginData['uident'], so a priority collision with a non-passkey service (e.g., LDAP) is harmless — both services check for their own payload type

Alternatives Considered 

Priority 90 (above LDAP): Would intercept passkey payloads before LDAP, which is correct, but could interfere with SSO flows that should take absolute precedence.

Priority 60 (just above password): Would work but wouldn't match nr-passkeys-be, and would let more services process the request before passkeys are checked, adding unnecessary latency for passkey logins.

Configurable priority: Over-engineering for a niche concern. If an integrator needs a custom priority, they can override the service registration in ext_localconf.php.