In a new post to the Apigility forums today, Matthew Weier O'Phinney has announced the release of an authentication/authorization component for the recently announced project from Zend. Apigility is a Zend Framework-based tool for easily constructing and managing an API.
We've been working hard on Apigility since ZendCon, and have released some more code into the wild. zf-mvc-auth exists to provide both authentication and authorization for your APIs; in fact, it's a bit of a general-purpose library for ZF2 MVC apps! Right now, we support HTTP basic and digest authentication out of the box, and will be working next on OAuth support. Authorization is done by default via Zend\Permissions\Acl, as we discovered a problem with using RBAC: RBAC is deny-by-default, which does not work when you want an open-by-default schema. You may opt-in to deny-by-default, as well as mark individual services as requiring permission by default. Finally, you have the option of denying/allowing per HTTP method of a service as well.
You can find out more details about this functionality in this quick screencast. The zf-apigility module depends on this new zf-mvc-auth module, so it will be included and available by default in your APIs. In that same post, Matthew also mentions that the Apigility packages are now listed on Packagist and includes a note for those wanting to use the built-in HTTP server to run the tool (a PHP version dependency).