AntiForgeryChecker

com.gu.googleauth.AntiForgeryChecker
See the AntiForgeryChecker companion object
case class AntiForgeryChecker(secretsProvider: SnapshotProvider, signatureAlgorithm: SignatureAlgorithm, sessionIdKeyName: String) extends Logging

When the OAuth callback returns to our app, we need to ensure that this is the end of a valid authentication sequence that we initiated, and not a forged redirect. Rather than use a nonce, we use a signed session id in a short-lifetime JSON Web Token (JWT), allowing us to cope better with concurrent authentication requests from the same browser session.

"One good choice for a state token is a string of 30 or so characters constructed using a high-quality random-number generator. Another is a hash generated by signing some of your session state variables with a key that is kept secret on your back-end."

The design here is partially based on an IETF draft for "Encoding claims in the OAuth 2 state parameter ...": https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-01
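The scheme described above, as an added example that is not code from play-googleauth and does not use its Scala API: a minimal HS256 JWT carrying the browser's session id is minted as the OAuth `state` value, and on the callback the verifier pins the signing algorithm, checks the signature (against the current secret or a recently rotated one, which is the role a secrets provider plays), enforces the short lifetime, and compares the embedded session id with the caller's. The claim name `sid`, the 60-second lifetime and the "newest secret first" list layout are assumptions made for this illustration, not facts about the library. Because each login attempt gets its own signed token, two concurrent logins from one browser session both verify, which a single stored nonce cannot offer.

```python
"""Signed session-id JWT used as the OAuth 2 `state` parameter.

Added example, standard library only; not play-googleauth code.
Assumptions for the illustration: claim name "sid", a 60 s lifetime,
and a secret list ordered newest first (secrets[0] signs, the rest
are accepted only for verification, as after a rotation).
"""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional, Tuple

STATE_TTL_SECONDS = 60   # assumed short lifetime of the state token
ALLOWED_ALG = "HS256"    # the only algorithm accepted on the callback


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def generate_state_token(session_id: str, secrets: List[bytes],
                         now: Optional[float] = None) -> str:
    """Mint the `state` value sent to the identity provider, signed with secrets[0]."""
    now = time.time() if now is None else now
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    claims = {"sid": session_id, "iat": int(now), "exp": int(now) + STATE_TTL_SECONDS}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    return signing_input + "." + _b64url(_sign(signing_input.encode(), secrets[0]))


def verify_state_token(token: str, user_session_id: str, secrets: List[bytes],
                       now: Optional[float] = None) -> Tuple[bool, str]:
    """Check a `state` value returned on the OAuth callback; returns (ok, reason)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed"
    # 1. Pin the algorithm before trusting anything else in the token:
    #    this rejects alg=none and algorithm-confusion tokens outright.
    if header.get("alg") != ALLOWED_ALG:
        return False, "unexpected signing algorithm"
    # 2. The signature must verify under the current or a recently rotated secret.
    signing_input = f"{header_b64}.{claims_b64}".encode()
    if not any(hmac.compare_digest(signature, _sign(signing_input, s)) for s in secrets):
        return False, "bad signature"
    # 3. The short lifetime bounds the replay window.
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired"
    # 4. The token must have been minted for this browser session, not another one.
    if not hmac.compare_digest(str(claims.get("sid", "")).encode(), user_session_id.encode()):
        return False, "session id mismatch"
    return True, "ok"


def forge_unsigned_token(session_id: str) -> str:
    """An attacker's attempt for the demo: alg=none with an empty signature."""
    header = _b64url(b'{"alg":"none","typ":"JWT"}')
    claims = _b64url(json.dumps({"sid": session_id, "exp": 2 ** 31}).encode())
    return f"{header}.{claims}."


if __name__ == "__main__":
    secrets = [b"current-secret", b"previous-secret"]   # constructed demo secrets
    t0 = 1_700_000_000.0
    # Two concurrent logins from the same browser session each get their own
    # state token, and both verify: there is no single nonce to overwrite.
    a = generate_state_token("sess-123", secrets, now=t0)
    b = generate_state_token("sess-123", secrets, now=t0 + 1)
    print(verify_state_token(a, "sess-123", secrets, now=t0 + 5))
    print(verify_state_token(b, "sess-123", secrets, now=t0 + 5))
    print(verify_state_token(a, "sess-999", secrets, now=t0 + 5))     # wrong session
    print(verify_state_token(a, "sess-123", secrets, now=t0 + 120))   # expired
    print(verify_state_token(forge_unsigned_token("sess-123"), "sess-123", secrets, now=t0))
```

The order of the checks matters: the algorithm is pinned first, so a token that names a different algorithm is rejected before any key material is touched, and the session-id comparison runs only on a token that has already proved it was issued by this app.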

Value parameters

secretsProvider

see https://github.com/guardian/play-secret-rotation

signatureAlgorithm

defaults to a sensible value, but you can consider using AntiForgeryChecker#signatureAlgorithmFromPlay

Attributes

Companion
object
Supertypes
trait Serializable
trait Product
trait Equals
trait Logging
class Object
trait Matchable
class Any

Members list

Value members

Concrete methods

def checkChoiceOfSigningAlgorithm(claims: Jws[Claims]): Try[Unit]
def checkTokenContainsCorrectSessionId(claims: Jws[Claims], userSessionId: String): Try[Unit]
def ensureUserHasSessionId(t: String => Future[Result])(implicit request: RequestHeader, ec: ExecutionContext): Future[Result]
def generateToken(sessionId: String)(implicit clock: Clock): String
def verifyToken(request: RequestHeader): Try[Unit]

Inherited methods

def productElementNames: Iterator[String]
Inherited from: Product

def productIterator: Iterator[Any]
Inherited from: Product

Inherited fields

protected val logger: Logger
Inherited from: Logging