Hi,
Yours is a complicated question, and because of that I can't address every possible aspect. Overall it might be easier if we could see some condensed code examples of your work. However, I think I can provide some direction.
> What I'm missing is ... how does the auth actually happen, i.e. where do I call LoginService::login()? In a Config method?
I opine that those services should be seen as part of your domain layer (in ADR terms) or your model layer (in MVC terms). As such, there should be an ADR Action, or an MVC Controller method, that calls the service. Same goes for the Logout service.
The Resume service, though, that one's a little more complicated. Depending on your needs, it might very well be part of a Config::modify() method to get the session resumed at the earliest possible time. However, I suggest that you place it in your Domain (or Model) layer as well, probably in an Application Service that your Action (or Controller) talks to, just before you test for authentication and authorization within that particular application service.
> I need to authenticate on some actions, but not others, so I have some idea of restricted vs public actions. I have a nice set of Callable Action strategies set up to handle routes by the dispatcher. I was thinking I could subclass the abstract Action as 'PrivateAction' and then add some logic in there to accept an auth service wrapper class. The wrapper class would encapsulate Aura.Auth, and accept bits of it via dependency injection. Then in PrivateAction::__invoke() I could add a call to this wrapper and have it perform auth at that point.
>
> I like this and I don't. What I like about it is, whether authentication is required, and the response if authentication fails, is all handled in the action object and that can be very convenient. However it feels like a poor separation of concerns.
I totally get you on that. I agree that it feels like a poor separation. Part of that is because we usually think of a Controller action method as handling some amount of business logic. This is why I wrote up the Action-Domain-Responder paper, as an alternative that more strictly defines where those separations should be (although you could apply the same ideas with MVC, as long as you had enough rigor to do it consistently).
<
http://pmjones.github.io/adr/>
Thus my suggestion that authentication and authorization belong in the Domain (or Model) layer, to get the Action (or Controller) out of the business of handling that kind of work. The Action ends up being pretty dumb, only passing along input to the underlying Domain elements, and passing back output from the Domain to the Responder. Neither the Action nor the Responder really cares if you are authenticated or not, only the Domain does, so that's where authentication logic should go.
> Am I on the right track with one of these, or is there a better way to do it?
There's probably better ways to do it, even than I have mentioned here. Please let me know if my opinions and advice made sense or not. Good luck!
--
Paul M. Jones
pmjo...@gmail.com
http://paul-m-jones.com
Modernizing Legacy Applications in PHP
http://mlaphp.com