Using play-pac4j to secure OAuth REST Services (Scala)


Adrian

May 17, 2017, 6:26:49 PM
to pac4j-users
Hello,

I would like to use play-pac4j (Scala version) to secure some OAuth Resource Servers (REST Services).

I just want to secure my REST Services (not my webapp, so no redirects here):
 a. my REST Service receives the OAuth accessToken as an HTTP header 'Authorization: Bearer <accessToken>'.
 b. it needs to call the Authorization Server introspection endpoint to check the token validity.
   Optionally we can also implement local token validation (using the AS jwk_uri), but that will be at a second stage.
 c. then call a custom REST Service to retrieve the end-user permissions.
  
We'll need to implement later some cache for b and c operations.

I'm really new to pac4j.
I've seen only OIDC and OAuth Client/RP support, but no support for Resource Servers.
Is that right?

If I'm right, is it advisable to implement such support in pac4j / using pac4j abstractions?
And if yes, should I use this class as initial inspiration (for a first pac4j layer)? https://github.com/pac4j/pac4j/blob/master/pac4j-cas/src/main/java/org/pac4j/cas/client/rest/CasRestBasicAuthClient.java

Thanks,
Adrian

Jérôme LELEU

May 18, 2017, 9:08:33 AM
to Adrian, pac4j-users
Hi,

The key concept is direct clients (for web services authentication) and indirect clients (for UI login).

Regarding OAuth and OIDC, we only have indirect clients, which is not what you need.

To accept the accessToken as a header, you need to use a HeaderClient: http://www.pac4j.org/docs/clients/http.html and the credentials validation is delegated to an Authenticator: http://www.pac4j.org/docs/authenticators.html

So you can do it, but by yourself.

For caching, you can use the LocalCachingAuthenticator: http://www.pac4j.org/docs/authenticators.html#1-deal-with-performance-issues

Thanks.
Best regards,
Jérôme



--
You received this message because you are subscribed to the Google Groups "pac4j-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
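To make the HeaderClient + Authenticator + LocalCachingAuthenticator combination concrete for the resource-server flow in the question (steps a, b and c), here is an added Scala example. It is not code from the thread or from the pac4j project: it assumes the pac4j 2.x API (HeaderClient, TokenCredentials, Authenticator, LocalCachingAuthenticator, CommonProfile), Play JSON for parsing, an RFC 7662 introspection endpoint, and a hypothetical permissions service whose URL and response shape ({"permissions": [...]}) are invented for the example.

```scala
// Added example, not from the pac4j project or the thread.
// Assumes pac4j 2.x; the introspection and permissions URLs are hypothetical.
import java.net.{HttpURLConnection, URL, URLEncoder}
import java.nio.charset.StandardCharsets
import java.util.Base64
import java.util.concurrent.TimeUnit

import org.pac4j.core.context.WebContext
import org.pac4j.core.credentials.TokenCredentials
import org.pac4j.core.credentials.authenticator.{Authenticator, LocalCachingAuthenticator}
import org.pac4j.core.exception.CredentialsException
import org.pac4j.core.profile.CommonProfile
import org.pac4j.http.client.direct.HeaderClient
import play.api.libs.json.{JsObject, Json}

import scala.io.Source

/** Step b: validate the bearer token at the AS introspection endpoint (RFC 7662).
  * Step c: load the end-user permissions from a custom service (hypothetical). */
class IntrospectionAuthenticator(
    introspectionUrl: String,   // hypothetical, e.g. https://as.example/oauth2/introspect
    permissionsUrl: String,     // hypothetical, e.g. https://api.example/users/{sub}/permissions
    clientId: String,           // the resource server's own credentials at the AS
    clientSecret: String
) extends Authenticator[TokenCredentials] {

  override def validate(credentials: TokenCredentials, context: WebContext): Unit = {
    val token = Option(credentials).flatMap(c => Option(c.getToken)).filter(_.nonEmpty)
      .getOrElse(throw new CredentialsException("missing bearer token"))

    val introspection = introspect(token)
    // RFC 7662: only "active": true means the token is usable; anything else is a failure.
    if (!(introspection \ "active").asOpt[Boolean].contains(true))
      throw new CredentialsException("token is not active")
    val subject = (introspection \ "sub").asOpt[String]
      .getOrElse(throw new CredentialsException("introspection response has no subject"))

    val profile = new CommonProfile()
    profile.setId(subject)
    (introspection \ "scope").asOpt[String].foreach(profile.addAttribute("scope", _))
    permissionsFor(subject).foreach(profile.addPermission)
    credentials.setUserProfile(profile)  // pac4j picks the profile up from the credentials
  }

  private def introspect(token: String): JsObject = {
    val conn = new URL(introspectionUrl).openConnection().asInstanceOf[HttpURLConnection]
    conn.setRequestMethod("POST")
    conn.setDoOutput(true)
    conn.setConnectTimeout(3000); conn.setReadTimeout(3000)
    // The resource server authenticates to the AS with HTTP Basic client credentials.
    val basic = Base64.getEncoder.encodeToString(
      s"$clientId:$clientSecret".getBytes(StandardCharsets.UTF_8))
    conn.setRequestProperty("Authorization", s"Basic $basic")
    conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded")
    val body = "token=" + URLEncoder.encode(token, "UTF-8") + "&token_type_hint=access_token"
    conn.getOutputStream.write(body.getBytes(StandardCharsets.UTF_8))
    readJson(conn)
  }

  private def permissionsFor(subject: String): Seq[String] = {
    val url = permissionsUrl.replace("{sub}", URLEncoder.encode(subject, "UTF-8"))
    val conn = new URL(url).openConnection().asInstanceOf[HttpURLConnection]
    conn.setRequestMethod("GET")
    conn.setConnectTimeout(3000); conn.setReadTimeout(3000)
    // Assumed response shape of the hypothetical service: {"permissions": ["orders:read", ...]}
    (readJson(conn) \ "permissions").asOpt[Seq[String]].getOrElse(Seq.empty)
  }

  private def readJson(conn: HttpURLConnection): JsObject = {
    if (conn.getResponseCode != 200)
      throw new CredentialsException(s"upstream returned HTTP ${conn.getResponseCode}")
    val text = Source.fromInputStream(conn.getInputStream, "UTF-8").mkString
    Json.parse(text).as[JsObject]
  }
}

object ResourceServerSecurity {
  /** Step a: a direct client reading 'Authorization: Bearer <token>'. Validation results
    * are cached locally, so a given token reaches the AS at most once per 5 minutes. */
  def bearerClient(authenticator: IntrospectionAuthenticator): HeaderClient = {
    val cached = new LocalCachingAuthenticator[TokenCredentials](authenticator, 10000, 5, TimeUnit.MINUTES)
    new HeaderClient("Authorization", "Bearer ", cached)
  }
}
```

The HeaderClient strips the "Bearer " prefix before handing the token to the authenticator, and a CredentialsException thrown from validate() is treated by pac4j as a failed authentication rather than an application error, which is what a resource server wants for an invalid or expired token. The cache timeout bounds how long a revoked token keeps working after revocation, so choose it with that trade-off in mind rather than purely for performance.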

Adrian

May 18, 2017, 10:50:03 AM
to pac4j-users, adrian.gon...@gmail.com
Great, thanks for the answer, Jérôme!