Securing REST API on Play framework and OAuth2


Solution 1

You could use a module called SecureSocial.

https://github.com/jaliss/securesocial/

This one is quite refined, and many people in the Play community seem to be aware of or using this module.

For authorization, this might be useful: https://github.com/schaloner/deadbolt-2/

For end-to-end Scala stuff: https://github.com/t2v/play20-auth

Solution 2

I ported Apache Amber to Play2 Scala, here is the link: https://github.com/cleanyong/oauth2play2scala

The reasons to port Apache Amber are:

  1. it has been tested
  2. better than home-made
  3. it fits the Play2 Scala API
  4. easy to use
  5. not intrusive

If you want to set up an OAuth2 server on your site, you can try using my port. It has documentation.

Solution 3

Basically, the standard flow is the following:

  1. on each request, check in the cookie ("session" in the Play! dialect) whether it contains an id
  2. if not, ask the user to authenticate with the provider (Facebook or something else)
  3. if OK, the provider will return an id; save this id in your persistence system (registration) and in the current cookie/session
  4. on the next requests, check that the id exists in the cookie/session and corresponds to an existing user in your persistence system
  5. to "logout", just clear the cookie/session

If you want more details, just ask :-)

Solution 4

OAuth is an Authorization Protocol, so if you're looking for an Authentication Solution, this might not be the one.

Your question says the consumers of the API will be various applications. This leads to 2 scenarios:

  1. Where there is no end user involved (grant_type: client_credentials)
  2. Where the end user can consume these APIs on multiple Applications (owned by your Org) (grant_type: implicit/password)
  3. Where the end user can consume these APIs via third-party Applications (authorization_code)

To support an OAuth eco-system you need a Key Management System to:

  1. Generate Key/Secret for Apps.
  2. Generate AccessToken/Refresh_token/authorization_code.

Now coming to the endpoints you would have to expose:

3-Legged OAuth

    GET     /authorize          authorize (entry point / initiate OAuth)
    Sample call: http://YourAPIService.com/authorize?response_type=code&client_id=GG1IbStzH45ajx9cEeILqjFt&scope=READ&redirect_uri=www.google.com

    GET     /login              login (page for the login App, 302 redirected from /authorize)
    Sample call: http://YourAPIService.com/v1/oauth20/login?response_type=code&client_id=GG1IbStzH45ajx9cEeILqjFt&scope=READ&redirect_uri=www.google.com

    POST    /dologin            consentPage         http://YourAPIService.com/dologin
    Submit the credentials. On success, render the application page.

    POST    /grantpermission    consentSubmission   http://YourAPIService.com/grantpermission
    Permission has been granted/declined. Send a 302 to generate the authorization_code.

    GET     /code               AuthorizationCode (to generate the auth code)
    Sample call: http://YourAPIService.com/code?client_id=GG1IbStzH45ajx9cEeILqjFt&response_type=code&[email protected]&redirect_uri=www.google.com

    POST    /token              GenerateAccessToken http://YourAPIService.com/token
    Sample call: http://kohls-test.mars.apigee.net/v1/oauth20/token
    Header: Authorization: Basic R0cxSWJTdHpINDVhang5Y0VlSUxxalFj (generated from the App's API Key & Secret)
    Payload:
    grant_type=authorization_code&scope=x&redirect_uri=www.google.com&code=abc123

Otherwise the simplest/most robust solution would be http://apigee.com

You can use existing OAuth ecosystem of Apigee.
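As an added example (not from any answer on this page, and not Play code), here is the validation a /token endpoint like the one above has to do for grant_type=authorization_code, written in plain Python: verify the Basic client credentials in constant time, then accept a code only once, before it expires, and only from the client and redirect_uri it was issued to. The client id, secret, redirect URI and code lifetime are constructed placeholders.

```python
import base64, hmac, secrets, time

# Constructed sample client registration; placeholder values, not real credentials.
CLIENTS = {"GG1IbStzH45ajx9cEeILqjFt": {"secret": "s3cr3t-example",
                                        "redirect_uri": "https://app.example/cb"}}
CODE_TTL = 60       # seconds an authorization_code stays valid
issued_codes = {}   # code -> {"client_id", "redirect_uri", "scope", "exp", "used"}

def basic_header(client_id, secret):
    """Build 'Authorization: Basic base64(client_id:secret)' the way the client does."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

def issue_code(client_id, redirect_uri, scope, now=None):
    """Called by the /code step after consent; binds the code to the client and redirect_uri."""
    code = secrets.token_urlsafe(24)
    issued_codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope,
                          "exp": (now if now is not None else time.time()) + CODE_TTL, "used": False}
    return code

def client_from_basic_header(header):
    """Return the client_id if the Basic header carries a valid client_id:secret pair, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        client_id, _, secret = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:            # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    client = CLIENTS.get(client_id)
    # Compare in constant time so a wrong secret is not distinguishable by timing.
    if client is None or not hmac.compare_digest(client["secret"].encode(), secret.encode()):
        return None
    return client_id

def token_endpoint(auth_header, form, now=None):
    """Handle POST /token for grant_type=authorization_code; returns (http_status, json_body)."""
    now = now if now is not None else time.time()
    client_id = client_from_basic_header(auth_header)
    if client_id is None:
        return 401, {"error": "invalid_client"}
    if form.get("grant_type") != "authorization_code":
        return 400, {"error": "unsupported_grant_type"}
    rec = issued_codes.get(form.get("code"))
    # Reject unknown, replayed or expired codes, and codes issued to another client/redirect_uri.
    if (rec is None or rec["used"] or rec["exp"] < now
            or rec["client_id"] != client_id or rec["redirect_uri"] != form.get("redirect_uri")):
        return 400, {"error": "invalid_grant"}
    rec["used"] = True            # authorization codes are single-use
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
                 "expires_in": 3600, "scope": rec["scope"]}
```

In a real deployment the code and token stores would live in a database rather than a module-level dict, and the access token would be looked up (or verified, if self-contained) by every protected resource endpoint.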

Solution 5

I did not try it myself, but how about the tuxdna module? As the GitHub repo says:

OAuth2 Server using Play! 2.0 Framework

I hope this helps

Author: Marco

Updated on July 09, 2022

Comments

  • Marco
    Marco almost 2 years

    I am developing an application with Play 2.0 and Scala that exposes some REST API. These APIs will be used by different applications, web, mobile or desktop, so the OAuth protocol (OAuth2) seems the most suitable.

    Also I would initially use an external OAuth Provider such as Facebook.

    My question is: what is the exact flow to authorize the individual REST call? What should I expect on the server side for each call and what I should check with the external provider?

    With OAuth1 I knew that the client sent the token with every signed request, but with OAuth2 I think this is not so; I imagine that if a token is not signed it is not trusted, and therefore I do not think this is the flow.

  • Jeff Wu
    Jeff Wu almost 12 years
    I believe the question is for how to develop his own Oauth2 provider using the play framework, not integrate with third party Oauth2 providers.
  • Marco
    Marco almost 12 years
    @JeffWu you are right. I would like to implement a general OAuth2 flow for service authorization, so I would be wary of using a third-party library if it is not "standard". The final destination is to develop my own OAuth2 provider.
  • HalR
    HalR almost 11 years
    This is the type of response that should be in a comment, not an answer. You should answer a few questions and get upvotes and get some rep on here. It's pretty engaging.
  • user9869932
    user9869932 almost 11 years
    Ok, I'll try modifying the answer... Thanks