com.gu.googleauth
Members list
Packages
Type members
Classlikes
When the OAuth callback returns to our app, we need to ensure that this is the end of a valid authentication sequence that we initiated, and not a forged redirect. Rather than use a nonce, we use a signed session id in a short-lifetime JSON Web Token, allowing us to cope better with concurrent authentication requests from the same browser session.
"One good choice for a state token is a string of 30 or so characters constructed using a high-quality random-number generator. Another is a hash generated by signing some of your session state variables with a key that is kept secret on your back-end."
The design here is partially based on an IETF draft for "Encoding claims in the OAuth 2 state parameter ...": https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-01
Value parameters
- secretsProvider
- signatureAlgorithm
-
defaults to a sensible value, but you can consider using AntiForgeryChecker#signatureAlgorithmFromPlay
Attributes
- Companion
- object
- Supertypes
-
trait Serializable, trait Product, trait Equals, trait Logging, class Object, trait Matchable, class Any
Attributes
- Companion
- class
- Supertypes
-
trait Product, trait Mirror, class Object, trait Matchable, class Any
- Self type
-
AntiForgeryChecker.type
Attributes
- Companion
- class
- Supertypes
-
class Object, trait Matchable, class Any
- Self type
-
AuthAction.type
This action ensures that the user is authenticated and their token is valid. If a user is not logged in or their token has expired then they will be authenticated.
The AuthenticatedRequest will always have an identity.
Value parameters
- loginTarget
-
The target that should be redirected to in order to carry out authentication
Attributes
- Companion
- object
- Supertypes
Attributes
- Supertypes
-
class Object, trait Matchable, class Any
- Self type
-
AuthenticatedRequest.type
Attributes
- Companion
- object
- Supertypes
-
trait Serializable, trait Product, trait Equals, class Object, trait Matchable, class Any
Attributes
- Companion
- class
- Supertypes
-
trait Product, trait Mirror, class Object, trait Matchable, class Any
- Self type
-
DiscoveryDocument.type
Attributes
- Companion
- object
- Supertypes
-
trait Serializable, trait Product, trait Equals, class Object, trait Matchable, class Any
Attributes
- Companion
- object
- Supertypes
-
trait Serializable, trait Product, trait Equals, class Object, trait Matchable, class Any
Attributes
- Supertypes
-
trait Serializable, trait Product, trait Equals, class Object, trait Matchable, class Any
Attributes
- Supertypes
Attributes
- Supertypes
-
class Object, trait Matchable, class Any
- Self type
-
GoogleAuth.type
The configuration class for Google authentication
Value parameters
- antiForgeryChecker
-
configuration for the checks that ensure the OAuth callback can't be forged
- clientId
-
The ClientID from the developer dashboard
- clientSecret
-
The client secret from the developer dashboard
- domains
-
An optional list of domains to restrict login to (e.g. guardian.co.uk)
- enforceValidity
-
A boolean indicating whether you want a user to be re-authenticated when their session expires
- maxAuthAge
-
An optional duration after which you want a user to be prompted for their password again
- prompt
-
An optional space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent
- redirectUrl
-
The URL to return to after authentication has completed
- twoFactorAuthChecker
-
only allow users to authenticate if they have 2FA enabled
Attributes
- Companion
- object
- Supertypes
-
trait Serializable, trait Product, trait Equals, class Object, trait Matchable, class Any
Attributes
- Companion
- class
- Supertypes
-
trait Product, trait Mirror, class Object, trait Matchable, class Any
- Self type
-
GoogleAuthConfig.type
Attributes
- Supertypes
-
class Exception, class Throwable, trait Serializable, class Object, trait Matchable, class Any
Attributes
- Supertypes
-
class Object, trait Matchable, class Any
- Self type
-
GoogleAuthFilters.type
The Directory API can tell you what groups (i.e. Google Groups) a user is in.
You can use a Service Account to access the Directory API (in fact, non-Service access, i.e. web-user, doesn't seem to work?). The Service Account needs the following scope: https://www.googleapis.com/auth/admin.directory.group.readonly. Note that if you're using TwoFactorAuthChecker it requires a different scope: https://www.googleapis.com/auth/admin.directory.user.readonly
So long as you have the Service Account certificate as a string, you can easily make an instance of com.google.auth.oauth2.ServiceAccountCredentials with ServiceAccount.credentialsFrom(java.lang.String).
Value parameters
- impersonatedUser
-
a separate domain-user account email address (eg '[email protected]'), the email address of the user the application will be impersonating when making calls.
Attributes
- Supertypes
-
class Object, trait Matchable, class Any
Attributes
- Supertypes
-
trait Serializable, trait Product, trait Equals, class Object, trait Matchable, class Any
Attributes
- Companion
- object
- Supertypes
-
trait Serializable, trait Product, trait Equals, class Object, trait Matchable, class Any
Attributes
- Supertypes
-
trait Logging, class Object, trait Matchable, class Any
Attributes
- Supertypes
-
trait Singleton, trait Product, trait Mirror, trait Serializable, trait Product, trait Equals, class Object, trait Matchable, class Any
- Self type
-
ServiceAccountHelper.type
Attributes
- Companion
- object
- Supertypes
-
trait Serializable, trait Product, trait Equals, class Object, trait Matchable, class Any
Uses the isEnrolledIn2Sv field on https://developers.google.com/admin-sdk/directory/reference/rest/v1/users to check the 2FA status of a user.
Value parameters
- googleCredentials
-
must have read-only access to retrieve a User using the Admin SDK Directory API
Attributes
- Supertypes
-
class Object, trait Matchable, class Any
Attributes
- Supertypes
-
class Object, trait Matchable, class Any
- Known subtypes
-
class AuthAction[A], trait Filters
Attributes
- Companion
- object
- Supertypes
-
trait Serializable, trait Product, trait Equals, class Object, trait Matchable, class Any
Attributes
- Companion
- class
- Supertypes
-
trait Product, trait Mirror, class Object, trait Matchable, class Any
- Self type
-
UserIdentity.type
Attributes
- Companion
- object
- Supertypes
-
trait Serializable, trait Product, trait Equals, class Object, trait Matchable, class Any