Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • Jun 22 2020 01:20
    asazernik commented #579
  • Jun 22 2020 01:07
    asazernik edited #579
  • Jun 22 2020 01:01
    asazernik opened #579
  • May 04 2020 11:09

    akkie on gh-pages

    updated site (compare)

  • May 04 2020 10:58

    akkie on gh-pages

    updated site (compare)

  • May 04 2020 10:56

    akkie on gh-pages

    updated site (compare)

  • May 04 2020 10:45

    akkie on master

    Fixed Auth0ProfileParser to get… (compare)

  • May 04 2020 10:45
    akkie closed #578
  • May 04 2020 10:44
    akkie commented #578
  • May 03 2020 03:23
    coveralls commented #578
  • May 03 2020 03:02
    ymotchi opened #578
  • Feb 27 2020 17:45
    rorygraves commented #569
  • Feb 27 2020 16:39

    akkie on gh-pages

    updated site (compare)

  • Feb 27 2020 16:33

    akkie on gh-pages

    updated site (compare)

  • Feb 27 2020 16:30
    akkie closed #569
  • Feb 27 2020 16:30
    akkie commented #569
  • Feb 27 2020 16:28

    akkie on 7.0.0

    (compare)

  • Feb 27 2020 16:25

    akkie on master

    Release version 7.0.0 (compare)

  • Feb 10 2020 19:05
    akkie commented #569
  • Feb 10 2020 19:04

    akkie on 7.0.0-RC1

    (compare)

gobandoGH
@gobandoGH

@akkie : From Play documentation it follows that CSRF check arise when executing a POST method with an authorization header, both conditions set on the current JWT authentication issue.
Postman 403 Forbidden messages might be explained because no Cookie is provided in the request.
Disabling the CSRF filter adding nocsrf before the route, makes Postman to reply a 200 Ok message.
Enabling the logger level to TRACE in the logback file, provide the following:
[trace] p.a.m.PlayBodyParsers - Parsing AnyContent as json
[trace] p.a.m.ActionBuilder

KaTeX parse error: Can't use function '$' in math mode at position 5: anon$̲9 - Invoking ac…: anon$9 - Invoking action with request: POST /paymentToken
User not authenticated!
[trace] p.filters.CSRF - [CSRF] No check necessary
[trace] p.a.m.ActionBuilder
anon$9 - Invoking action with request: GET /signIn

Stuck here!

gobandoGH
@gobandoGH
JWT authentication working. Had a setting problem in JWT authenticator configuration.
Thank you
Glenn Liwanag
@nogurenn
Is there something like a silhouette-core module I can use for non-play projects?
Christian Kaps
@akkie
@nogurenn Yes https://github.com/minutemen/silhouette
But, work in progress.
Glenn Liwanag
@nogurenn
Nice! :D
@akkie is there any way we can help out there?
Christian Kaps
@akkie
It would be great if you can test the lib in your project. The APIs for the existing code are feature complete. It would be great if you could test if they work in a non Play context.
Which kind of Scala framework do you plan to use with Silhouette?
Glenn Liwanag
@nogurenn
Oh, late reply sorry. I wanted to see if I can put together something with akka-http or scalatra. silhouette's apis that include a lot of auth providers out of the box is very good
some other existing libraries don't, for example, include jwt auth out of the box
Matthew Maxwell
@maxwellmattryan

Hello everybody,

I'm trying to implement some incredibly basic JWT authentication for site admins (there are no users). I've followed along with the most recent example projects I can find, but even doing this still results in some errors. Play is not able to instantiate my SilhouetteModule because it cannot find valid constructors for it? Solutions say to add environment and configuration to the constructor but this doesn't work either. Does anyone have any ideas?

nafg
@nafg
that's a little vague
If you're trying something and getting a compilation error please post the exact code that's causing it and the exact error
Matthew Maxwell
@maxwellmattryan
Error is this ... Module [modules.SilhouetteModule] cannot be instantiated., which is pretty vague already. My module looks more or less like this
Christian Kaps
@akkie
Could you please post the complete stack trace?
Matthew Maxwell
@maxwellmattryan
play.api.PlayException: No valid constructors[Module [modules.SilhouetteModule] cannot be instantiated.]
        at play.api.inject.Modules$.$anonfun$constructModule$5(Module.scala:173)
        at scala.Option.getOrElse(Option.scala:201)
        at play.api.inject.Modules$.constructModule(Module.scala:173)
        at play.api.inject.Modules$.$anonfun$locate$4(Module.scala:138)
        at scala.collection.StrictOptimizedIterableOps.map(StrictOptimizedIterableOps.scala:99)
        at scala.collection.StrictOptimizedIterableOps.map$(StrictOptimizedIterableOps.scala:86)
        at scala.collection.immutable.HashSet.map(HashSet.scala:34)
        at play.api.inject.Modules$.locate(Module.scala:133)
        at play.api.inject.guice.GuiceableModule$.loadModules(GuiceInjectorBuilder.scala:299)
        at play.api.inject.guice.GuiceApplicationBuilder$.$anonfun$$lessinit$greater$default$9$1(GuiceApplicatio
nBuilder.scala:36)
        at play.api.inject.guice.GuiceApplicationBuilder.applicationModule(GuiceApplicationBuilder.scala:114)
        at play.api.inject.guice.GuiceBuilder.injector(GuiceInjectorBuilder.scala:200)
        at play.api.inject.guice.GuiceApplicationBuilder.build(GuiceApplicationBuilder.scala:155)
        at play.api.inject.guice.GuiceApplicationLoader.load(GuiceApplicationLoader.scala:21)
        at play.core.server.DevServerStart$$anon$1.$anonfun$reload$3(DevServerStart.scala:190)
        at play.utils.Threads$.withContextClassLoader(Threads.scala:22)
        at play.core.server.DevServerStart$$anon$1.reload(DevServerStart.scala:182)
        at play.core.server.DevServerStart$$anon$1.get(DevServerStart.scala:142)
        at play.core.server.AkkaHttpServer.handleRequest(AkkaHttpServer.scala:301)
        at play.core.server.AkkaHttpServer.$anonfun$createServerBinding$1(AkkaHttpServer.scala:191)
        at akka.stream.impl.fusing.MapAsync$$anon$30.onPush(Ops.scala:1285)
        at akka.stream.impl.fusing.GraphInterpreter.processPush(GraphInterpreter.scala:541)
        at akka.stream.impl.fusing.GraphInterpreter.execute(GraphInterpreter.scala:423)
        at akka.stream.impl.fusing.GraphInterpreterShell.runBatch(ActorGraphInterpreter.scala:625)
        at akka.stream.impl.fusing.GraphInterpreterShell$AsyncInput.execute(ActorGraphInterpreter.scala:502)
        at akka.stream.impl.fusing.GraphInterpreterShell.processEvent(ActorGraphInterpreter.scala:600)
        at akka.stream.impl.fusing.ActorGraphInterpreter.akka$stream$impl$fusing$ActorGraphInterpreter$$processE
vent(ActorGraphInterpreter.scala:769)
        at akka.stream.impl.fusing.ActorGraphInterpreter$$anonfun$receive$1.applyOrElse(ActorGraphInterpreter.sc
ala:784)
        at akka.actor.Actor.aroundReceive(Actor.scala:535)
        at akka.actor.Actor.aroundReceive$(Actor.scala:533)
        at akka.stream.impl.fusing.ActorGraphInterpreter.aroundReceive(ActorGraphInterpreter.scala:691)
        at akka.actor.ActorCell.receiveMessage(ActorCell.scala:575)
        at akka.actor.ActorCell.invoke(ActorCell.scala:545)
        at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:270)
        at akka.dispatch.Mailbox.run(Mailbox.scala:231)
        at akka.dispatch.Mailbox.exec(Mailbox.scala:243)
        at java.base/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:290)
        at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1020)
        at java.base/java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1656)
        at java.base/java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1594)
        at java.base/java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:183)
Christian Kaps
@akkie
@maxwellmattryan Sorry, no idea what can cause the issue? Could you post your complete module?
Wally Baggaley
@walbag
Based on the above conversation, it seems that Bearer token requests using the Access Token as the value are not support by Silhouette. There is mention above about using an Access Token to get a JWT token from Silhouette, but for our project, the client code is greatly simplified if the client could pass an Access Token as a bearer without having to utilize the JWT token. There is another factors for this aside from the avoidance of CSRF and having to configure CORS, which is that the client will need to interface with several other REST APIs for other sights. This simplifies code for the client. If the Access Token has the claims necessary to determine the authorization and we were to verify the signature for those authorization claims, it seems to make more sense in our situation to simply use the Bearer Access Token for authorization.
As it's all over secure channels, this seems to be a valid idea. But I am wondering if there are any problems with this idea or if it is something others have used or would use. If so, we may be interested in adding this to Silhouette.
Wally Baggaley
@walbag
Anyone available to comment? @akkie ? others?
Wally Baggaley
@walbag
After rereading the OIDC spec, I do note that the format of Access Tokens is not specified and that verification is specified as using an at_hash field, if present, in the ID token. Though not part of the spec, it is customary to use a JWT for an Access Token, making it possible to validate the Access Token directly with a known public key, which is the intent of this change.
Wally Baggaley
@walbag
Just to clarify, Play would be the resource server in this case.
gobandoGH
@gobandoGH
JWT authentication is fully supported in Silhouette. There are plenty of examples and projects using JWT token. I just have used myself in a project that combines Cookie and JWT authentication in the same app without issues.
Silhouette provides the ability to secure endpoints by using several authentication methods which save a lot of boilerplate code in doing it so. @maxwellmattryan: I suggest to carefully check your code against Silhouette documentation. I have found this kind of problems coming from configuration errors most of the time.
Wally Baggaley
@walbag
Well, I ended up creating a RequestProvider (as authentication was required by the framework -- though from the outside it might seem this could be avoided) and an Authorization for this -- in case someone else comes across this and needs the same at least these pointers might help. Thanks!
Johannes Ebbighausen
@johannes-ebbighausen
Hi,
I'm copying from the vue-js starter. I'm using a SessionAuthenticator, but after SignOut the old session is still valid and able to access a secured endpoint. What am I missing?
Andrey Ladniy
@AndreyLadniy
Hi, what is the main reason for storing loginInfo against userId in JWTAuthenticator? If several login forms used (password, phone, sosial accounts) by one user, it doesn't matter how he logged in. It is enough to save its ID in the token.
Andrey Ladniy
@AndreyLadniy
As I understand it correctly, loginInfois used to get identity for every request. WHY?! JWT is designed to stateless server side, it can store frequently used information, including the ID in contrast for simple unique tokens.
Andrey Ladniy
@AndreyLadniy
If I try implement one service as authentication service that returns JWT, the second service as a resource service without any authentication info and only depends on the JWT information, it can not be implemented with play-silhouette?
David Bouyssié
@david-bouyssie
Hi there. I would like to define my Identity based class as a value class (extends AnyVal). But it's not possible since the Identity trait doesn't extend Any. Do you think this could be changed in a future version?
totibi
@totibi
Hello.
Is there any examples Single-sign-on authentication (kerber) povered by silhouette? Application should recognise person somehow by kerberos, we have they logins in base, but how extract information and pass along is not clear. We allready using silhoutte for auth, but looking for "silhoutte kerberos" there is nothing... Can't get why
David Bouyssié
@david-bouyssie
@totibi I have never used Kerberos and I'm not sure to understand your issue but I think you can easilly implement your own DAO: https://github.com/mohiva/play-silhouette-seed/blob/master/app/models/daos/UserDAOImpl.scala
totibi
@totibi
@david-bouyssie thx for answer! I'm really can implement UserDAO, but real issue is: how to get login info provided by kerber to my application and save it on client side.
David Bouyssié
@david-bouyssie
@totibi maybe you can use cookies to serialize some keberos related stuffs, but I fear I'm lacking knowledge in this area to provide appropriate answers
JulianPani
@julian-pani
@AndreyLadniy you can disable the check against the loginInfo and manage the JWT completely stateless. However, therr are some uaes
@AndreyLadniy ... However in somw use cases its useful to save the tokens state, for example to be able to deactivate tokena immediately (instead of waiting for them to expire). Depends on your use case.
Andrey Ladniy
@AndreyLadniy
@julian-pani if I understand correctly , I can't disable disable it
RequestHandlerBuilder

protected def handleAuthentication[B](implicit request: Request[B]): Future[(Option[Either[E#A, E#A]], Option[E#I])] = {
    environment.authenticatorService.retrieve.flatMap {
      // A valid authenticator was found so we retrieve also the identity
      case Some(a) if a.isValid  => environment.identityService.retrieve(a.loginInfo).map(i => Some(Left(a)) -> i)
JulianPani
@julian-pani

@AndreyLadniy I see what you mean.
Maybe other people here can help better, but here are my thoughts.

One idea you could use is to create a custom action that extends SecuredAction and does not require login info... by changing this part in SecuredAction#invokeBlock:

      // An authenticator but no user was found. The request will ask for authentication and the authenticator will be discarded
      case (Some(authenticator), None, _) =>

In a previous job I used two different setups. Sharing in case it helps.
In one setup, I used Silohuette as a "login/auth server" and then other microservices just validated the JWT tokens using a shared key with the login server. The other servers didn't have sillohuette - they used a scala jwt library to decode and validate the tokens using a custom Play action I created.
In another setup, I wasn't expecting high traffic, so I implemented the "login/auth service" as a REST api and had a sort of proxy that validated every external request against the auth server before redirecting to the destination microservice.

Andrey Ladniy
@AndreyLadniy

I try implement Bearer token (as refresh) and JWT (as access token). So I implement two Environments. Problem with disabling I solve = :

IdentityService

override def retrieve(loginInfo: LoginInfo): Future[Option[String]] = {
    Future.successful(Some(loginInfo.providerKey))
  }

but when I try store JWT in httpOnly secured cookie, I understand something going wrong, so JWTbyCookieAuthenticationService needed and so on.
I'm already leaning towards the number one solution like yours. The resource server does not need a large Silhouette library.

Coline Thomas
@colineto
I everyone, I’m using SocialProviderRegistry to connect with google and was wondering if there was a way to pass a state when requesting the authentication. because I have different pages calling for that google auth and would like to know which one did
Coline Thomas
@colineto
Okay got my answer from documentation :)
Nicolas Bétheuil
@wadouk
Hi, I try to override the fields in a silhouette cookie to override the domain to set from tld of host instead of the configured one in play session, tried with Filters but it's done twice
Christian Kaps
@akkie
@wadouk you can set the cookie params per Silhouette config: https://www.silhouette.rocks/docs/config-authenticators
epot
@epot
does anyone have a working client side authentication example with google? I had something that worked before but is broken at the moment
I am hitting CORS issues (more details at the end of https://discourse.silhouette.rocks/t/cross-origin-issues-in-jwt-auth/358/8)
epot
@epot
I just tried the angularjs seed out of curiosity but it's broken, as it's relying on a legacy google api :(
chaallengerr
@chaallengerr

@akkie the second snippet (without using the type parameter [T]) does compile but it gives an Error. The same error is thrown when using the type parameter [T]. 

[error] application - 

! @7cm23k6mg - Internal server error, for (GET) [/] ->

play.api.UnexpectedException: Unexpected exception[CreationException: Unable to create injector, see the following errors:

1) No implementation for scala.reflect.ClassTag<com.mohiva.play.silhouette.api.util.PasswordInfo> was bound.
  while locating scala.reflect.ClassTag<com.mohiva.play.silhouette.api.util.PasswordInfo>
    for the 3rd parameter of daos.password.PasswordDAO.<init>(PasswordDAO.scala:18)
  at modules.SilhouetteModule.configure(SilhouetteModule.scala:78) (via modules: com.google.inject.util.Modules$OverrideModule -> modules.SilhouetteModule)

I have run to the very exact same problem. How did you end up solving it? Do you mind sending a code snippet, please?

class PersistedAuthInfoDAO @Inject() (db: Database)
(implicit executionContext: DatabaseExecutionContext, 
implicit val classTag: ClassTag[PasswordInfo]) 
extends DelegableAuthInfoDAO[PasswordInfo] {
chaallengerr
@chaallengerr
Then in SilhouetteModule 
@Provides
  def providesAuthInfoDAO(authInfoDAO: PersistedAuthInfoDAO, classTag: ClassTag[PasswordInfo])(

    implicit
    ex: ExecutionContext): DelegableAuthInfoDAO[PasswordInfo] = {
    authInfoDAO
  }