Silhouette is an authentication library for Play Framework applications that supports several authentication methods, including OAuth1, OAuth2, OpenID, Credentials or custom authentication schemes.
@alternegro
So judging from the 4.0 to 5.0 Migration guide, It looks like the changes introduced in Silhouette are really just to keep up with Play, rather than to change Silhouette itself. Does this mean that the 4.0 documentation and the Migration Guide have all the info required to get up and running, or I'm I better of working from the the seed?
@alternegro Do you migrate an existing app? If so, to which version of Play?
@akkie
My silhouette.conf settings is below.
Should we change from secureCookie false to true (even if I use JWT..) ?
# CSRF state item handler settings
csrfStateItemHandler.cookieName="OAuth2State"
csrfStateItemHandler.cookiePath="/"
csrfStateItemHandler.secureCookie=false // Disabled for testing on localhost without SSL, otherwise cookie couldn't be set
csrfStateItemHandler.httpOnlyCookie=true
csrfStateItemHandler.expirationTime=5 minutesThis will not work with your scenario!
Oh.. I only want to get code from the provider and publish login event on silhouette middleware..
You schould completely disable the state handler. This means, do not inject it into the OAuth2 provider. If Silhouette initiates the OAuth2 flow, then it sends a token in the OAuth2 state param. And in the second step it validates the token. In your case the first step is done by your client app. So Silhouette cannot validate the token, because it does not exists.
If Silhouette initiates the OAuth2 flow, then it sends a token in the OAuth2 state param. And in the second step it validates the token.
Thank you.
So, should I change like the following way.
# CSRF state item handler settings
csrfStateItemHandler.cookieName="OAuth2State"
csrfStateItemHandler.cookiePath="/"
csrfStateItemHandler.secureCookie=false // Disabled for testing on localhost without SSL, otherwise cookie couldn't be set
csrfStateItemHandler.httpOnlyCookie=false
csrfStateItemHandler.expirationTime=5 minutes
I changed
SilhouetteModule.scalalike below. @Provides
def provideSocialStateHandler(
@Named("social-state-signer") signer: Signer,
csrfStateItemHandler: CsrfStateItemHandler): SocialStateHandler = {
// new DefaultSocialStateHandler(Set(csrfStateItemHandler), signer)
new DefaultSocialStateHandler(Set(), signer)
}
And I request from my vue.js code like below, and got an error.
const code = this.$route.query.code
const scope = this.$route.query.scope
const targetUrl = `http://localhost:9000/authenticate/google`
const params = {
code: code,
scope: scope
}
axios.post(targetUrl, params, (response) => {
console.log(response)
}, (error) => {
console.error(error)
})com.mohiva.play.silhouette.impl.exceptions.UnexpectedResponseException: [Silhouette][google] Got unexpected response `{
"error": "invalid_grant",
"error_description": "Bad Request"
}`; status code: 400
You shouldn't POST to the authentication endpoint. The redirect URL you define in the Google OAuth2 setting page, should be the Silhouette endpoint and not your JS app. Google will call the Silhouette endpoint with all the required params and then Silhouette will redirect to your JS app as mentioned in the previous post.
Thank you, I succeeded sign in,
from vue.js https://accounts.google.com/o/oauth2/auth?response_type=code
and redirect to localhost:9000/authenticate/google from the provider.
and I can go to the Vue.js project like the following way, but how can I pass the token…? currently I do by queryString like ?token=…….
result <- silhouette.env.authenticatorService.embed(
token,
Redirect(s"http://localhost:3000?token=${token}")Redirect is a Play Result implementation. You should have the same API to send cookies, headers, ...
I am migrating a Silhouette based app from 5.0 to 6,1 and got the following error with PasswordInfoDAO implementation:
CreationException: Unable to create injector, see the following errors: 1) No implementation for scala.reflect.ClassTag<com.mohiva.play.silhouette.api.util.PasswordInfo> was bound. while locating scala.reflect.ClassTag<com.mohiva.play.silhouette.api.util.PasswordInfo> for the 2nd parameter of models.daos.PasswordInfoDAO.<init>(PasswordInfoDAO.scala:23) at modules.SilhouetteModule.configure(SilhouetteModule.scala:83) (via modules: com.google.inject.util.Modules$OverrideModule -> modules.SilhouetteModule) 1 error
I understand the solution implies a Guice Provider method definition, but don´t know where and how to implement it.
Please help
CreationException: Unable to create injector, see the following errors: 1) No implementation for scala.reflect.ClassTag<com.mohiva.play.silhouette.api.util.PasswordInfo> was bound. while locating scala.reflect.ClassTag<com.mohiva.play.silhouette.api.util.PasswordInfo> for the 2nd parameter of models.daos.PasswordInfoDAO.<init>(PasswordInfoDAO.scala:23) at modules.SilhouetteModule.configure(SilhouetteModule.scala:83) (via modules: com.google.inject.util.Modules$OverrideModule -> modules.SilhouetteModule) 1 error
I understand the solution implies a Guice Provider method definition, but don´t know where and how to implement it.
Please help
Hi @akkie ,
I followed the migration guide but running into another issue.
I removed the bind and added the provider
override def configure(): Unit = {
...
// set your own Environment [Type]
bind[Silhouette[DefaultEnv]].to[SilhouetteProvider[DefaultEnv]]
// @provides provideEnvironment [Implementation]
bind[IdentityService[User]].to[UserDAO]
// @provides provideAuthenticatorService
bind[AuthenticatorRepository[JWTAuthenticator]].to[AuthenticatorDAO]
}
@Provides
def providePasswordDAO(dbConfigProvider: DatabaseConfigProvider,
loginDao: LoginDAO): PasswordDAO =
new PasswordDAO(dbConfigProvider, loginDao)The project compiles but the AuthInfoRepository provider doesn't seem to find the DelegableAuthInfoDAO[PasswordInfo] provider
/**
* Provides the auth info repository.
*
* @param passwordInfoDAO The implementation of the delegable password auth info DAO.
* @return The auth info repository instance.
*/
@Provides
def provideAuthInfoRepository(
passwordInfoDAO: DelegableAuthInfoDAO[PasswordInfo]): AuthInfoRepository =
new DelegableAuthInfoRepository(passwordInfoDAO)It throws the below error
Unexpected exception
CreationException: Unable to create injector, see the following errors:
1) No implementation for com.mohiva.play.silhouette.persistence.daos.DelegableAuthInfoDAO<com.mohiva.play.silhouette.api.util.PasswordInfo> was bound.
while locating com.mohiva.play.silhouette.persistence.daos.DelegableAuthInfoDAO<com.mohiva.play.silhouette.api.util.PasswordInfo>
for the 1st parameter of modules.SilhouetteModule.provideAuthInfoRepository(SilhouetteModule.scala:182)
at modules.SilhouetteModule.provideAuthInfoRepository(SilhouetteModule.scala:182) (via modules: com.google.inject.util.Modules$OverrideModule -> modules.SilhouetteModule)I tried to force the connection using a @Named decorator
@Provides
@Named("password-repository")
def providePasswordDAO(dbConfigProvider: DatabaseConfigProvider,
loginDao: LoginDAO): PasswordDAO =
new PasswordDAO(dbConfigProvider, loginDao)against the AuthInfoRepository provider but it's the same issue
@Provides
def provideAuthInfoRepository(
@Named("password-repository")
passwordInfoDAO: DelegableAuthInfoDAO[PasswordInfo]): AuthInfoRepository =
new DelegableAuthInfoRepository(passwordInfoDAO)please see the project at the below location, sorry, I am not familiar with Guice
https://github.com/CollegeBoreal/play-silhouette-slick-mysql
Thanks
Hey all, I'm trying to get the JWTAuthenticator working for my site in Play, I've started from the
play-silhouette-seed and managed to get JWT sent back to the client in a Response Header called X-Auth-Token, however when I'm trying to visit other pages on the site, those pages don't send the token back to the server, so the user always gets redirected to log in again. I've found this problem in the archive and implemented it to save the token as a cookie, but still doesn't work: https://gitter.im/mohiva/play-silhouette/archives/2015/05/30
Sure, so I have Play do the auth for SignIn/SignUp, then redirect to an Angular app sending the token in a
X-Auth-Token header. From there on out, the Angular app holds onto the token and sends it for all requests. Now maybe this is a minor nitpick, but when users navigate back to the Play endpoint, it will never detect that they are logged in, because I can't figure out how to get the webpages to send the X-Auth-Token header on all requests (if it exists in cookies).
With your current architecture, I suggest to use the cookie authenticator. You don't need the JWT authenticator for a SPA. If the SPA is on the same domain as your Play app? If so, the cookie will be automatically sent with every request to your backend and authenticates it against Silhouette. If you need to use the JWT, then you should implement the SignIn/SignUp forms also in Angular. So that Play serves only your backend. In this case you can store the issued JWT on client side (Cookie, Session-, Local-Storage) and send it with every request (in the X-Auth-Token header) to your backend. But even with this architecture, I would use the Cookie authenticator because with this, you don't need to send the JWT in the header on every request. As said before, with the cookie approach, it will be automatically send to your backend on every request.
This is a React app which uses Play as backend. It uses exactly the same (cookie authenticator) approach and it works like a charm.
This is an old Angular 1 app which uses the JWT approach.
Thank
(apparently Gitter sends a message in-progress when on the mobile ui and locking a phone :/ )
Thanks for the info! :D
Hi all, I am working an app based on Silhouette Seed Template that use CookieAuthenticator. I need to extend current functionality to mobile clients.
Would CookieAuthenticator be a good choice for mobile ? should I consider another Authenticator as JWT for this purpose ?
Thank you!
As noted in a previous post. In the current version of Silhouette, only one authenticator can be used per action. If you have different actions for your mobile app, you can use whatever authenticatior you want. If the actions should be used for multiple apps, then it's a bit more complicated.
For apps I would personally use the REST API. I have not done this or looked it to it but, seems to be the industry standard. https://github.com/datalek/silhouette-rest-seed
I get close but my application starts to blow all kind of IoC errors
Will look into it this afternoon
thanks in advance!
A wrong var that has worked with an old buildpack but not with a newer version
@akkie , @AlbaroPereyra Thank you for your response
Yes, I intend to keep the App Rest API based.
I have learnt from Auth0 that Cookie Authenticator might be a bit of a trouble because of its stateful condition. Silhouette documentation discourage Cookie Authenticator for mobile as well. As I want to keep the App working for web and mobile, I am thinking of having separate endpoints for authentication, one based on Cookies and other other perhaps on JWT. Share model functionality decoupled form authentication.
Does this approach make sense to you ?
Yes, I intend to keep the App Rest API based.
I have learnt from Auth0 that Cookie Authenticator might be a bit of a trouble because of its stateful condition. Silhouette documentation discourage Cookie Authenticator for mobile as well. As I want to keep the App working for web and mobile, I am thinking of having separate endpoints for authentication, one based on Cookies and other other perhaps on JWT. Share model functionality decoupled form authentication.
Does this approach make sense to you ?