Securing REST API on Play framework and OAuth2
Solution 1
You could use a module called SecureSocial.
https://github.com/jaliss/securesocial/
This one is quite refined, and many people in the Play community seem to be aware of/using this module.
For authorization, this might be useful: https://github.com/schaloner/deadbolt-2/
For end-to-end Scala stuff: https://github.com/t2v/play20-auth
Solution 2
I ported Apache Amber to Play2 Scala; here is the link: https://github.com/cleanyong/oauth2play2scala
The reasons to port Apache Amber are:
- it has been tested
- better than home-made
- it fits the Play2 Scala API
- easy to use
- not intrusive
If you want to set up an OAuth2 server on your site, you can try using my port. It has documentation.
Solution 3
Basically, the standard flow is the following:
- on each request, check in the cookie ("session" in the Play! dialect) whether it contains an id
- if not, ask the user to authenticate with the provider (Facebook or something else)
- if OK, the provider will return an id; save this id in your persistence system (registration) and in the current cookie/session
- on the next requests, check that the id exists in the cookie/session and corresponds to an existing user in your persistence system
- to "logout", just clear the cookie/session
If you want more details, just ask :-)
Solution 4
OAuth is an Authorization Protocol, so if you're looking for an Authentication Solution, this might not be the one.
Your question says the consumer of the API will be various applications. This leads to 2 scenarios:
1. Where there is no end user involved (grant_type: client_credential)
2. Where the end-user can consume these APIs on multiple applications (owned by your org) (grant_type: implicit/password)
3. Where the end-user can consume these APIs via third-party applications (authorization_code)
To support an OAuth eco-system you need a Key Management System to:
- Generate Key/Secret for Apps.
- Generate AccessToken/Refresh_token/authorization_code
Now, coming to the endpoints you would have to expose:
3-Legged OAuth
GET /authorize - authorize (entry point / initiate oauth)
Sample call: http://YourAPIService.com/authorize?response_type=code&client_id=GG1IbStzH45ajx9cEeILqjFt&scope=READ&redirect_uri=www.google.com
GET /login - login (call page for the login app, 302 redirected from /authorize)
Sample call: http://YourAPIService.com/v1/oauth20/login?response_type=code&client_id=GG1IbStzH45ajx9cEeILqjFt&scope=READ&redirect_uri=www.google.com
POST /dologin - consentPage: http://YourAPIService.com/dologin
Submit the credential; on success, render the application page.
POST /grantpermission - consentSubmission: http://YourAPIService.com/grantpermission
Permission has been granted/declined. Send a 302 to generate the authorization_code.
GET /code - AuthorizationCode (to generate the auth code)
Sample call: http://YourAPIService.com/code?client_id=GG1IbStzH45ajx9cEeILqjFt&response_type=code&[email protected]&redirect_uri=www.google.com
POST /token - GenerateAccessToken: http://YourAPIService.com/token
Sample call: http://kohls-test.mars.apigee.net/v1/oauth20/token
Header: Authorization: Basic R0cxSWJTdHpINDVhang5Y0VlSUxxalFj (generated from the app's API Key & Secret)
Payload:
grant_type=authorization_code&scope=x&redirect_uri=www.google.com&code=abc123
Otherwise, the simplest/most robust solution would be http://apigee.com
You can use the existing OAuth ecosystem of Apigee.
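Added example, not code from any of the answers above nor from any of the linked projects: a minimal in-memory model, in Python rather than Play/Scala, of the /token exchange and per-request bearer-token check that Solution 4 lists, plus the "does this id map to a known user in persistence" lookup from Solution 3. The client_id is the one in the sample calls; the secret, redirect URI, user id and lifetimes are assumed values constructed for the example.

```python
import base64, hmac, secrets, time
from urllib.parse import parse_qs
CLIENTS = {"GG1IbStzH45ajx9cEeILqjFt": ("s3cr3t-example", "https://app.example/cb")}  # constructed
USERS = {"u-42": "alice"}                   # ids saved at registration (Solution 3's persistence step)
AUTH_CODES, ACCESS_TOKENS = {}, {}          # code/token -> tuple whose last field is its expiry time

def basic_header(client_id, secret):
    """What the client sends to /token: HTTP Basic auth built from its API key and secret."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

def issue_code(client_id, user_id, redirect_uri, scope, now=None):
    """After /grantpermission: mint a single-use code bound to client, redirect_uri and scope."""
    if client_id not in CLIENTS or CLIENTS[client_id][1] != redirect_uri:
        return None                         # unknown client or unregistered redirect_uri: refuse
    code = secrets.token_urlsafe(24)
    AUTH_CODES[code] = (client_id, user_id, redirect_uri, scope, (now or time.time()) + 60)  # 60 s lifetime
    return code

def exchange_code(auth_header, body, now=None):
    """POST /token: verify the client's Basic credentials, redeem the code once, return a token."""
    now = now or time.time()
    try:
        scheme, b64 = auth_header.split(" ", 1)
        client_id, _, secret = base64.b64decode(b64).decode().partition(":")
    except ValueError:                      # bad split, bad base64 or non-UTF-8 payload
        return None
    known = CLIENTS.get(client_id)          # client ids are public; only the secret needs constant time
    if scheme != "Basic" or known is None or not hmac.compare_digest(secret.encode(), known[0].encode()):
        return None
    form = {k: v[0] for k, v in parse_qs(body).items()}
    entry = AUTH_CODES.pop(form.get("code", ""), None)      # pop: a code is redeemable only once
    if form.get("grant_type") != "authorization_code" or entry is None:
        return None
    c_id, user_id, redirect_uri, scope, exp = entry
    # the code must be presented by the client it was issued to, with the same redirect_uri
    if c_id != client_id or redirect_uri != form.get("redirect_uri") or now > exp:
        return None
    token = secrets.token_urlsafe(32)
    ACCESS_TOKENS[token] = (client_id, user_id, scope, now + 3600)   # 1 h lifetime
    return token

def authorize_request(auth_header, required_scope, now=None):
    """Per API call: map 'Authorization: Bearer <token>' to a known user id, else None (401/403)."""
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer" or token not in ACCESS_TOKENS:
        return None
    _, user_id, scope, exp = ACCESS_TOKENS[token]
    if (now or time.time()) > exp or required_scope not in scope.split() or user_id not in USERS:
        return None
    return user_id
```

A production server would keep the same checks but store codes and tokens server-side with persistence, and a resource server that cannot reach that store would need an introspection call or a signed token instead of the dictionary lookup.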
Solution 5
I did not try it myself, but how about the tuxdna module? As the GitHub repo says:
OAuth2 Server using Play! 2.0 Framework
I hope this helps
Marco
Updated on July 09, 2022
Comments
- Marco (almost 2 years):
I am developing an application with Play 2.0 and Scala that exposes some REST API. These APIs will be used by different applications, web, mobile or desktop, so the OAuth protocol (OAuth2) seems the most suitable.
Also I would initially use an external OAuth Provider such as Facebook.
My question is: what is the exact flow to authorize the individual REST call? What should I expect on the server side for each call, and what should I check with the external provider?
With OAuth1 I knew that the client sent the token with every signed request, but with OAuth2 I think this is not so; I imagine that if a token is not signed it is not trusted, and therefore I do not think this is the flow.
- Jeff Wu (almost 12 years): I believe the question is about how to develop his own OAuth2 provider using the Play framework, not how to integrate with third-party OAuth2 providers.
- Marco (almost 12 years): @JeffWu you are right. I would like to implement a general OAuth2 flow for service authorization, so I would be wary of using a third-party library if it is not "standard". The final destination is to develop my own OAuth2 provider.
- HalR (almost 11 years): This is the type of response that should be in a comment, not an answer. You should answer a few questions and get upvotes and get some rep on here. It's pretty engaging.
- user9869932 (almost 11 years): Ok, I'll try modifying the answer... Thanks