We use custom authenticators (independent on Nette\Security\Authenticator interface) which produce instances of Nette\Security\IIdentity so that it can be used for User#login($identity) afterwards. Inside of the identity, there is an object which need to be (de)serialized in a special way. IdentityHandler seems perfect for this job.

Sadly, in current implementation, IdentityHandler is only applied if it's implemented within Authenticator, but not standalone. As a workaround, I can:

• create fake authenticator implementing the Nette one and IdentityHandler as well (see below)
• don't use User at all

Example of fake authenticator:

class Authenticator implements \Nette\Security\Authenticator
{
 public function authenticate(...)
 {
 throw new Exception('Don\'t use me for authentication');
 }
 public function sleepIdentity(...) { ... } // real work
 public function wakeupIdentity(...) { ... } // real work

Suggestion

Support IdentityHandler on its own with a configuration param. User will require it from DI then.

namespace App;
class IdentityHandler implements \Nette\Security\IdentityHandler
{
 public function sleep(...) { ... } // real work
 public function wakeup(...){ ... } // real work
}

security:
 identityHandler: App\IdentityHandler