mohiva/play-silhouette

Silhouette is an authentication library for Play Framework applications that supports several authentication methods, including OAuth1, OAuth2, OpenID, Credentials or custom authentication schemes.

Aidar

@SunPj

Oh sorry I didn't see that you need Silhouette 7.0.0. I hope I will have some free time to update my sample

Victor Paraschiv

@vicpara

@SzymonSmykala You can check out my sample project https://github.com/SunPj/silhouette-vuejs-app

sbt seems to fail loading this project. Did anyone try to run it recently ?

Aidar

@SunPj

@vicpara I saw git issue your created. It's due to using openjdk 14.0.1 try version openjdk version "1.8.0_242" it works fine. Anyway I will check it using 14 when I have some free time

gobandoGH

@gobandoGH

Hi, I am working a Silhouette based app that uses Cookies and JWT for authentication. CSFR filter are disable for JWT endpoints by the nocsfr tag.
Using Postman for testing, JWT is not authenticating in Silhouette secure endpoints leading to execution of the OnNotAuthenticated method in CustomerSecureErrorHandler class
What might I being doing wrong ?
Thank you

Aidar

@SunPj

Try to set Cookies header implicitly when using Postman

Victor Paraschiv

@vicpara

@vicpara I saw git issue your created. It's due to using openjdk 14.0.1 try version openjdk version "1.8.0_242" it works fine. Anyway I will check it using 14 when I have some free time

Thank you for clarifying. I tried to investigate myself but got stuck.

gobandoGH

@gobandoGH

@SunPj , thank you. Could you please provide an example of that ?

gobandoGH

@gobandoGH

@SunPj : Cookie authentication works fine. The issue arises only with JWT authentication of Silhouette endpoints.

Aidar

@SunPj

@vicpara Did you manage to get it working?

@gobandoGH It worked for me once I set Cookies header implicitly. (open headers tab in postman and set Cookie header using your cookies from browser). Does it make sense?

gobandoGH

@gobandoGH

@SunPj : JWT endpoints are intended for use from a Mobile phone. Works fine for unsecure endpoints, but not for secure ones. Cookies seem not having role here.
Postman returns 200 OK message, but Silhouette remain protecting the endpoint and fails with an authentication error.

Christian Kaps

@akkie

@gobandoGH have you enabled debug logging?

gobandoGH

@gobandoGH

@akkie : From Play documentation it follows that CSRF check arise when executing a POST method with an authorization header, both conditions set on the current JWT authentication issue.
Postman 403 Forbidden messages might be explained because no Cookie is provided in the request.
Disabling the CSRF filter adding nocsrf before the route, makes Postman to reply a 200 Ok message.
Enabling the logger level to TRACE in the logback file, provide the following:
[trace] p.a.m.PlayBodyParsers - Parsing AnyContent as json
[trace] p.a.m.ActionBuilder

KaTeX parse error: Can't use function '$' in math mode at position 5: anon$̲9 - Invoking ac…: anon$9 - Invoking action with request: POST /paymentToken
User not authenticated!
[trace] p.filters.CSRF - [CSRF] No check necessary
[trace] p.a.m.ActionBuilder

anon$9 - Invoking action with request: GET /signIn

Stuck here!

gobandoGH

@gobandoGH

JWT authentication working. Had a setting problem in JWT authenticator configuration.
Thank you

Glenn Liwanag

@nogurenn

Is there something like a silhouette-core module I can use for non-play projects?

Christian Kaps

@akkie

@nogurenn Yes https://github.com/minutemen/silhouette

But, work in progress.

Glenn Liwanag

@nogurenn

Nice! :D

@akkie is there any way we can help out there?

Christian Kaps

@akkie

It would be great if you can test the lib in your project. The APIs for the existing code are feature complete. It would be great if you could test if they work in a non Play context.

Which kind of Scala framework do you plan to use with Silhouette?

Glenn Liwanag

@nogurenn

Oh, late reply sorry. I wanted to see if I can put together something with akka-http or scalatra. silhouette's apis that include a lot of auth providers out of the box is very good

some other existing libraries don't, for example, include jwt auth out of the box

Matthew Maxwell

@maxwellmattryan

Hello everybody,

I'm trying to implement some incredibly basic JWT authentication for site admins (there are no users). I've followed along with the most recent example projects I can find, but even doing this still results in some errors. Play is not able to instantiate my SilhouetteModule because it cannot find valid constructors for it? Solutions say to add environment and configuration to the constructor but this doesn't work either. Does anyone have any ideas?

Naftoli Gugenheim

@nafg

that's a little vague

If you're trying something and getting a compilation error please post the exact code that's causing it and the exact error

Matthew Maxwell

@maxwellmattryan

Error is this ... Module [modules.SilhouetteModule] cannot be instantiated., which is pretty vague already. My module looks more or less like this

Christian Kaps

@akkie

Could you please post the complete stack trace?

Matthew Maxwell

@maxwellmattryan

play.api.PlayException: No valid constructors[Module [modules.SilhouetteModule] cannot be instantiated.]
        at play.api.inject.Modules$.$anonfun$constructModule$5(Module.scala:173)
        at scala.Option.getOrElse(Option.scala:201)
        at play.api.inject.Modules$.constructModule(Module.scala:173)
        at play.api.inject.Modules$.$anonfun$locate$4(Module.scala:138)
        at scala.collection.StrictOptimizedIterableOps.map(StrictOptimizedIterableOps.scala:99)
        at scala.collection.StrictOptimizedIterableOps.map$(StrictOptimizedIterableOps.scala:86)
        at scala.collection.immutable.HashSet.map(HashSet.scala:34)
        at play.api.inject.Modules$.locate(Module.scala:133)
        at play.api.inject.guice.GuiceableModule$.loadModules(GuiceInjectorBuilder.scala:299)
        at play.api.inject.guice.GuiceApplicationBuilder$.$anonfun$$lessinit$greater$default$9$1(GuiceApplicatio
nBuilder.scala:36)
        at play.api.inject.guice.GuiceApplicationBuilder.applicationModule(GuiceApplicationBuilder.scala:114)
        at play.api.inject.guice.GuiceBuilder.injector(GuiceInjectorBuilder.scala:200)
        at play.api.inject.guice.GuiceApplicationBuilder.build(GuiceApplicationBuilder.scala:155)
        at play.api.inject.guice.GuiceApplicationLoader.load(GuiceApplicationLoader.scala:21)
        at play.core.server.DevServerStart$$anon$1.$anonfun$reload$3(DevServerStart.scala:190)
        at play.utils.Threads$.withContextClassLoader(Threads.scala:22)
        at play.core.server.DevServerStart$$anon$1.reload(DevServerStart.scala:182)
        at play.core.server.DevServerStart$$anon$1.get(DevServerStart.scala:142)
        at play.core.server.AkkaHttpServer.handleRequest(AkkaHttpServer.scala:301)
        at play.core.server.AkkaHttpServer.$anonfun$createServerBinding$1(AkkaHttpServer.scala:191)
        at akka.stream.impl.fusing.MapAsync$$anon$30.onPush(Ops.scala:1285)
        at akka.stream.impl.fusing.GraphInterpreter.processPush(GraphInterpreter.scala:541)
        at akka.stream.impl.fusing.GraphInterpreter.execute(GraphInterpreter.scala:423)
        at akka.stream.impl.fusing.GraphInterpreterShell.runBatch(ActorGraphInterpreter.scala:625)
        at akka.stream.impl.fusing.GraphInterpreterShell$AsyncInput.execute(ActorGraphInterpreter.scala:502)
        at akka.stream.impl.fusing.GraphInterpreterShell.processEvent(ActorGraphInterpreter.scala:600)
        at akka.stream.impl.fusing.ActorGraphInterpreter.akka$stream$impl$fusing$ActorGraphInterpreter$$processE
vent(ActorGraphInterpreter.scala:769)
        at akka.stream.impl.fusing.ActorGraphInterpreter$$anonfun$receive$1.applyOrElse(ActorGraphInterpreter.sc
ala:784)
        at akka.actor.Actor.aroundReceive(Actor.scala:535)
        at akka.actor.Actor.aroundReceive$(Actor.scala:533)
        at akka.stream.impl.fusing.ActorGraphInterpreter.aroundReceive(ActorGraphInterpreter.scala:691)
        at akka.actor.ActorCell.receiveMessage(ActorCell.scala:575)
        at akka.actor.ActorCell.invoke(ActorCell.scala:545)
        at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:270)
        at akka.dispatch.Mailbox.run(Mailbox.scala:231)
        at akka.dispatch.Mailbox.exec(Mailbox.scala:243)
        at java.base/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:290)
        at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1020)
        at java.base/java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1656)
        at java.base/java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1594)
        at java.base/java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:183)

Christian Kaps

@akkie

@maxwellmattryan Sorry, no idea what can cause the issue? Could you post your complete module?

Wally Baggaley

@walbag

Based on the above conversation, it seems that Bearer token requests using the Access Token as the value are not support by Silhouette. There is mention above about using an Access Token to get a JWT token from Silhouette, but for our project, the client code is greatly simplified if the client could pass an Access Token as a bearer without having to utilize the JWT token. There is another factors for this aside from the avoidance of CSRF and having to configure CORS, which is that the client will need to interface with several other REST APIs for other sights. This simplifies code for the client. If the Access Token has the claims necessary to determine the authorization and we were to verify the signature for those authorization claims, it seems to make more sense in our situation to simply use the Bearer Access Token for authorization.

As it's all over secure channels, this seems to be a valid idea. But I am wondering if there are any problems with this idea or if it is something others have used or would use. If so, we may be interested in adding this to Silhouette.

Wally Baggaley

@walbag

Anyone available to comment? @akkie ? others?

Wally Baggaley

@walbag

After rereading the OIDC spec, I do note that the format of Access Tokens is not specified and that verification is specified as using an at_hash field, if present, in the ID token. Though not part of the spec, it is customary to use a JWT for an Access Token, making it possible to validate the Access Token directly with a known public key, which is the intent of this change.

Wally Baggaley

@walbag

Just to clarify, Play would be the resource server in this case.

gobandoGH

@gobandoGH

JWT authentication is fully supported in Silhouette. There are plenty of examples and projects using JWT token. I just have used myself in a project that combines Cookie and JWT authentication in the same app without issues.
Silhouette provides the ability to secure endpoints by using several authentication methods which save a lot of boilerplate code in doing it so. @maxwellmattryan: I suggest to carefully check your code against Silhouette documentation. I have found this kind of problems coming from configuration errors most of the time.

Wally Baggaley

@walbag

Well, I ended up creating a RequestProvider (as authentication was required by the framework -- though from the outside it might seem this could be avoided) and an Authorization for this -- in case someone else comes across this and needs the same at least these pointers might help. Thanks!

Johannes Ebbighausen

@johannes-ebbighausen

Hi,
I'm copying from the vue-js starter. I'm using a SessionAuthenticator, but after SignOut the old session is still valid and able to access a secured endpoint. What am I missing?

Andrey Ladniy

@AndreyLadniy

Hi, what is the main reason for storing loginInfo against userId in JWTAuthenticator? If several login forms used (password, phone, sosial accounts) by one user, it doesn't matter how he logged in. It is enough to save its ID in the token.

Andrey Ladniy

@AndreyLadniy

As I understand it correctly, loginInfois used to get identity for every request. WHY?! JWT is designed to stateless server side, it can store frequently used information, including the ID in contrast for simple unique tokens.

Andrey Ladniy

@AndreyLadniy

If I try implement one service as authentication service that returns JWT, the second service as a resource service without any authentication info and only depends on the JWT information, it can not be implemented with play-silhouette?

David Bouyssié

@david-bouyssie

Hi there. I would like to define my Identity based class as a value class (extends AnyVal). But it's not possible since the Identity trait doesn't extend Any. Do you think this could be changed in a future version?

totibi

@totibi

Hello.
Is there any examples Single-sign-on authentication (kerber) povered by silhouette? Application should recognise person somehow by kerberos, we have they logins in base, but how extract information and pass along is not clear. We allready using silhoutte for auth, but looking for "silhoutte kerberos" there is nothing... Can't get why

David Bouyssié

@david-bouyssie

@totibi I have never used Kerberos and I'm not sure to understand your issue but I think you can easilly implement your own DAO: https://github.com/mohiva/play-silhouette-seed/blob/master/app/models/daos/UserDAOImpl.scala

totibi

@totibi

@david-bouyssie thx for answer! I'm really can implement UserDAO, but real issue is: how to get login info provided by kerber to my application and save it on client side.

David Bouyssié

@david-bouyssie

@totibi maybe you can use cookies to serialize some keberos related stuffs, but I fear I'm lacking knowledge in this area to provide appropriate answers

JulianPani

@julian-pani

@AndreyLadniy you can disable the check against the loginInfo and manage the JWT completely stateless. However, therr are some uaes

@AndreyLadniy ... However in somw use cases its useful to save the tokens state, for example to be able to deactivate tokena immediately (instead of waiting for them to expire). Depends on your use case.

Andrey Ladniy

@AndreyLadniy

@julian-pani if I understand correctly , I can't disable disable it

RequestHandlerBuilder

protected def handleAuthentication[B](implicit request: Request[B]): Future[(Option[Either[E#A, E#A]], Option[E#I])] = {
    environment.authenticatorService.retrieve.flatMap {
      // A valid authenticator was found so we retrieve also the identity
      case Some(a) if a.isValid  => environment.identityService.retrieve(a.loginInfo).map(i => Some(Left(a)) -> i)

JulianPani

@julian-pani

@AndreyLadniy I see what you mean.
Maybe other people here can help better, but here are my thoughts.

One idea you could use is to create a custom action that extends SecuredAction and does not require login info... by changing this part in SecuredAction#invokeBlock:

      // An authenticator but no user was found. The request will ask for authentication and the authenticator will be discarded
      case (Some(authenticator), None, _) =>

In a previous job I used two different setups. Sharing in case it helps.
In one setup, I used Silohuette as a "login/auth server" and then other microservices just validated the JWT tokens using a shared key with the login server. The other servers didn't have sillohuette - they used a scala jwt library to decode and validate the tokens using a custom Play action I created.
In another setup, I wasn't expecting high traffic, so I implemented the "login/auth service" as a REST api and had a sort of proxy that validated every external request against the auth server before redirecting to the destination microservice.

Where communities thrive

People

Repo info

Activity