package com.gu.googleauth

Type Members

  1. case class AntiForgeryChecker(secretsProvider: SnapshotProvider, signatureAlgorithm: SignatureAlgorithm = HS256, sessionIdKeyName: String = "play-googleauth-session-id") extends Logging with Product with Serializable

    When the OAuth callback returns to our app, we need to ensure that this is the end of a valid authentication sequence that we initiated, and not a forged redirect. Rather than use a nonce, we use a signed session id in a short-lifetime JSON Web Token, allowing us to cope better with concurrent authentication requests from the same browser session.

    "One good choice for a state token is a string of 30 or so characters constructed using a high-quality random-number generator. Another is a hash generated by signing some of your session state variables with a key that is kept secret on your back-end." - https://developers.google.com/identity/protocols/OpenIDConnect#createxsrftoken

    The design here is partially based on an IETF draft for "Encoding claims in the OAuth 2 state parameter ...": https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-01

    secretsProvider

    see https://github.com/guardian/play-secret-rotation

    signatureAlgorithm

    defaults to a sensible value, but you can consider using AntiForgeryChecker#signatureAlgorithmFromPlay

  2. class AuthAction[A] extends ActionBuilder[UserIdentityRequest, A] with ActionRefiner[Request, UserIdentityRequest] with UserIdentifier

    This action ensures that the user is authenticated and their token is valid. If a user is not logged in or their token has expired then they will be authenticated.

    The AuthenticatedRequest will always have an identity.

  3. case class DiscoveryDocument(authorization_endpoint: String, token_endpoint: String, userinfo_endpoint: String) extends Product with Serializable
  4. case class Error(errors: Seq[ErrorInfo], code: Int, message: String) extends Product with Serializable
  5. case class ErrorInfo(domain: String, reason: String, message: String) extends Product with Serializable
  6. case class FilterExemption(path: String) extends Product with Serializable
  7. trait Filters extends UserIdentifier with Logging
  8. case class GoogleAuthConfig(clientId: String, clientSecret: String, redirectUrl: String, domains: List[String], maxAuthAge: Option[Duration] = GoogleAuthConfig.defaultMaxAuthAge, enforceValidity: Boolean = GoogleAuthConfig.defaultEnforceValidity, prompt: Option[String] = GoogleAuthConfig.defaultPrompt, antiForgeryChecker: AntiForgeryChecker) extends Product with Serializable

    The configuration class for Google authentication

    clientId

    The ClientID from the developer dashboard

    clientSecret

    The client secret from the developer dashboard

    redirectUrl

    The URL to return to after authentication has completed

    domains

    An optional list of domains to restrict login to (e.g. guardian.co.uk)

    maxAuthAge

    An optional duration after which you want a user to be prompted for their password again

    enforceValidity

    A boolean indicating whether you want a user to be re-authenticated when their session expires

    prompt

    An optional space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent

    antiForgeryChecker

    configuration for the checks that ensure the OAuth callback can't be forged

  9. class GoogleAuthException extends Exception
  10. class GoogleGroupChecker extends AnyRef

    The Directory API can tell you what groups (ie Google Group) a user is in.

    You can use a Service Account to access the Directory API (in fact, non-Service access, ie web-user, doesn't seem to work?). The Service Account needs the following scope: https://www.googleapis.com/auth/admin.directory.group.readonly

    You also need a separate domain user account (eg [email protected]), which will be 'impersonated' when making the calls.

  11. case class GoogleServiceAccount(email: String, privateKey: PrivateKey, impersonatedUser: String) extends Product with Serializable

    A Service Account calls Google APIs on behalf of your application instead of an end-user. https://developers.google.com/identity/protocols/OAuth2#serviceaccount

    You can create a service account in the Google Developers Console:

    https://developers.google.com/identity/protocols/OAuth2ServiceAccount#creatinganaccount

    email

    email address of the Service Account

    privateKey

    the Service Account's private key - from the P12 file generated when the Service Account was created

    impersonatedUser

    the email address of the user the application will be impersonating

  12. case class JsonWebToken(jwt: String) extends Product with Serializable
  13. case class JwtClaims(iss: String, sub: String, azp: String, email: String, at_hash: String, email_verified: Boolean, aud: String, hd: Option[String], iat: Long, exp: Long) extends Product with Serializable
  14. trait LoginSupport extends Logging
  15. case class Token(access_token: String, token_type: String, expires_in: Long, id_token: String) extends Product with Serializable
  16. trait UserIdentifier extends AnyRef
  17. case class UserIdentity(sub: String, email: String, firstName: String, lastName: String, exp: Long, avatarUrl: Option[String]) extends Product with Serializable
  18. case class UserInfo(gender: Option[String], sub: Option[String], name: String, given_name: String, family_name: String, profile: Option[String], picture: Option[String], email: String, locale: String, hd: Option[String]) extends Product with Serializable
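
The signed-state scheme described under AntiForgeryChecker above, as an added Python sketch (not the library's Scala code): the OAuth `state` is a short-lived HS256 JWT carrying the browser's session id, and the callback checks signature, expiry and session binding. The claim name `sid`, the 60-second lifetime and the list of accepted secrets (standing in for a rotating secrets provider) are assumptions.

```python
import base64, hashlib, hmac, json

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def make_state(secret: bytes, session_id: str, now: int, ttl: int = 60) -> str:
    """Mint the OAuth `state`: an HS256 JWT binding the browser session id."""
    header = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    # "sid" is a hypothetical claim name; ttl keeps the token short-lived.
    claims = b64(json.dumps({"sid": session_id, "exp": now + ttl}).encode())
    signing_input = f"{header}.{claims}"
    return f"{signing_input}.{b64(sign(secret, signing_input))}"

def check_state(secrets: list, state: str, session_id: str, now: int) -> bool:
    """Accept the callback only if `state` is a live token we signed for this session."""
    try:
        header_b64, claims_b64, sig_b64 = state.split(".")
        header = json.loads(unb64(header_b64))
        claims = json.loads(unb64(claims_b64))
        sig = unb64(sig_b64)
    except ValueError:  # wrong part count, bad base64, bad UTF-8 or bad JSON
        return False
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False
    # Pin the algorithm server-side; never let the token choose it.
    if header.get("alg") != "HS256":
        return False
    signing_input = f"{header_b64}.{claims_b64}"
    # Try every currently accepted secret so key rotation does not break logins in flight.
    if not any(hmac.compare_digest(sign(s, signing_input), sig) for s in secrets):
        return False
    exp, sid = claims.get("exp"), claims.get("sid")
    if not isinstance(exp, int) or now >= exp:
        return False
    # The token must belong to the session that is presenting it.
    return isinstance(sid, str) and hmac.compare_digest(sid.encode(), session_id.encode())
```

Because validity depends only on the signature, expiry and session id, two logins started in parallel tabs of the same session each carry a state that passes, which a single stored nonce would not allow.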

Value Members

  1. object Actions
  2. object AntiForgeryChecker extends Serializable
  3. object AuthAction
  4. object AuthenticatedRequest
  5. object DiscoveryDocument extends Serializable
  6. object Error extends Serializable
  7. object ErrorInfo extends Serializable
  8. object GoogleAuth
  9. object GoogleAuthConfig extends Serializable
  10. object GoogleAuthFilters
  11. object JwtClaims extends Serializable
  12. object Token extends Serializable
  13. object UserIdentity extends Serializable
  14. object UserInfo extends Serializable
