package googleauth
Type Members
- case class AntiForgeryChecker(secretsProvider: SnapshotProvider, signatureAlgorithm: SignatureAlgorithm = HS256, sessionIdKeyName: String = "play-googleauth-session-id") extends Logging with Product with Serializable
When the OAuth callback returns to our app, we need to ensure that this is the end of a valid authentication sequence that we initiated, and not a forged redirect. Rather than use a nonce, we use a signed session id in a short-lifetime Json Web Token, allowing us to cope better with concurrent authentication requests from the same browser session.
"One good choice for a state token is a string of 30 or so characters constructed using a high-quality random-number generator. Another is a hash generated by signing some of your session state variables with a key that is kept secret on your back-end." - https://developers.google.com/identity/protocols/OpenIDConnect#createxsrftoken
The design here is partially based on an IETF draft for "Encoding claims in the OAuth 2 state parameter ...": https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-01
- secretsProvider
see https://github.com/guardian/play-secret-rotation
- signatureAlgorithm
defaults to a sensible value, but you can consider using AntiForgeryChecker#signatureAlgorithmFromPlay
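The state-token scheme the doc comment above describes (a signed session id carried in a short-lived HS256 JWT and matched against the browser session on callback), as an added stand-alone illustration in Python; it is not the library's Scala code. The secret, the claim name, the 60-second lifetime and the session ids are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed values for the example; a real deployment would pull the secret
# from a rotating secret store and keep the state lifetime short.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"
STATE_TTL_SECONDS = 60
SESSION_ID_CLAIM = "play-googleauth-session-id"  # claim name chosen for the example

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def new_session_id() -> str:
    # Random per-browser-session id; kept in the session cookie, never in the URL.
    return secrets.token_urlsafe(24)

def issue_state(session_id: str, secret: bytes, now: int) -> str:
    # The OAuth `state` parameter: an HS256 JWT binding this request to the session.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"iat": now, "exp": now + STATE_TTL_SECONDS, SESSION_ID_CLAIM: session_id}
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(signature)}"

def verify_state(state: str, cookie_session_id: str, secret: bytes, now: int) -> bool:
    # Callback check: valid signature, the algorithm we issued, not expired, and the
    # session id inside the token matches the browser that started the flow.
    try:
        header, body, signature = state.split(".")
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(signature)):
            return False
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return False
        claims = json.loads(_b64url_decode(body))
        if not claims["iat"] <= now < claims["exp"]:
            return False
        return hmac.compare_digest(claims[SESSION_ID_CLAIM], cookie_session_id)
    except (ValueError, KeyError, TypeError, AttributeError):
        return False  # malformed token, bad base64/JSON, or a claim of the wrong type
```

Because the token carries the session id rather than a one-shot nonce, two logins started concurrently from the same browser session both verify on callback, while a state minted for another session, an expired one, or one signed with a different key is rejected.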
- class AuthAction[A] extends ActionBuilder[UserIdentityRequest, A] with ActionRefiner[Request, UserIdentityRequest] with UserIdentifier
This action ensures that the user is authenticated and their token is valid. If a user is not logged in or their token has expired, they will be authenticated.
The AuthenticatedRequest will always have an identity.
- case class DiscoveryDocument(authorization_endpoint: String, token_endpoint: String, userinfo_endpoint: String) extends Product with Serializable
- case class Error(errors: Seq[ErrorInfo], code: Int, message: String) extends Product with Serializable
- case class ErrorInfo(domain: String, reason: String, message: String) extends Product with Serializable
- case class FilterExemption(path: String) extends Product with Serializable
- trait Filters extends UserIdentifier with Logging
- case class GoogleAuthConfig(clientId: String, clientSecret: String, redirectUrl: String, domains: List[String], maxAuthAge: Option[Duration] = GoogleAuthConfig.defaultMaxAuthAge, enforceValidity: Boolean = GoogleAuthConfig.defaultEnforceValidity, prompt: Option[String] = GoogleAuthConfig.defaultPrompt, antiForgeryChecker: AntiForgeryChecker) extends Product with Serializable
The configuration class for Google authentication
- clientId
The ClientID from the developer dashboard
- clientSecret
The client secret from the developer dashboard
- redirectUrl
The URL to return to after authentication has completed
- domains
An optional list of domains to restrict login to (e.g. guardian.co.uk)
- maxAuthAge
An optional duration after which you want a user to be prompted for their password again
- enforceValidity
A boolean indicating whether you want a user to be re-authenticated when their session expires
- prompt
An optional space-delimited, case-sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent
- antiForgeryChecker
configuration for the checks that ensure the OAuth callback can't be forged
- class GoogleAuthException extends Exception
- class GoogleGroupChecker extends AnyRef
The Directory API can tell you what groups (i.e. Google Groups) a user is in.
You can use a Service Account to access the Directory API (in fact, non-Service-Account access, i.e. as a web user, does not seem to work). The Service Account needs the following scope: https://www.googleapis.com/auth/admin.directory.group.readonly
You also need a separate domain user account (e.g. [email protected]), which will be 'impersonated' when making the calls.
- case class GoogleServiceAccount(email: String, privateKey: PrivateKey, impersonatedUser: String) extends Product with Serializable
A Service Account calls Google APIs on behalf of your application instead of an end-user. https://developers.google.com/identity/protocols/OAuth2#serviceaccount
You can create a service account in the Google Developers Console:
https://developers.google.com/identity/protocols/OAuth2ServiceAccount#creatinganaccount
- email
email address of the Service Account
- privateKey
the Service Account's private key - from the P12 file generated when the Service Account was created
- impersonatedUser
the email address of the user the application will be impersonating
- case class JsonWebToken(jwt: String) extends Product with Serializable
- case class JwtClaims(iss: String, sub: String, azp: String, email: String, at_hash: String, email_verified: Boolean, aud: String, hd: Option[String], iat: Long, exp: Long) extends Product with Serializable
- trait LoginSupport extends Logging
- case class Token(access_token: String, token_type: String, expires_in: Long, id_token: String) extends Product with Serializable
- trait UserIdentifier extends AnyRef
- case class UserIdentity(sub: String, email: String, firstName: String, lastName: String, exp: Long, avatarUrl: Option[String]) extends Product with Serializable
- case class UserInfo(gender: Option[String], sub: Option[String], name: String, given_name: String, family_name: String, profile: Option[String], picture: Option[String], email: String, locale: String, hd: Option[String]) extends Product with Serializable
Value Members
- object Actions
- object AntiForgeryChecker extends Serializable
- object AuthAction
- object AuthenticatedRequest
- object DiscoveryDocument extends Serializable
- object Error extends Serializable
- object ErrorInfo extends Serializable
- object GoogleAuth
- object GoogleAuthConfig extends Serializable
- object GoogleAuthFilters
- object JwtClaims extends Serializable
- object Token extends Serializable
- object UserIdentity extends Serializable
- object UserInfo extends Serializable