I would like to expose my Play Framework REST calls to clients other than my play app.
I would like a mobile app to call those secured rest calls.
I asked a question on SO earlier in the year and got an answer, but this only works for OAuth2 and I am only using OAuth1.
My questions are:
Latest changes in master-SNAPSHOT include a LoginApi controller that lets you authenticate a user using an API. It supports the UsernamePasswordProvider and all the OAuth2Providers.
In the case of the UsernamePasswordProvider you can post the user credentials and if they’re ok you will get a json with a token that can be used in an X-Auth-Token header to invoke SecuredActions. For example:
curl --data "[email protected]&password=some_password" http://localhost:9000/auth/api/authenticate/userpass
For OAuth2 based providers you have to post a JSON with an accessToken generated by the external service (that was obtained on the client side) along with the user email. The module will use the accessToken to verify if it works and will compare the email returned by the external service to the one passed in. If they match then the user is considered to be authenticated. This is very similar to what the guys at FortyTwo were doing and I thought it would be good to have the functionality built in (http://eng.42go.com/mobile-auth-with-play-and-securesocial/).
For example, having a file test.json with the accessToken and expiresIn values returned after authenticating with Facebook on the client side (e.g.: using Javascript):
{
  "email": "[email protected]",
  "info": {
    "accessToken": "an_access_token",
    "expiresIn": a_number_with_expiration_in_seconds
  }
}
You can invoke:
curl -v --header "Content-Type: application/json" --request POST --data-binary "@test.json" http://localhost:9000/auth/api/authenticate/facebook
A sample json response for any of the calls above would be:
{"token":"98b9613dac60890b8e0abf5bc0f77591523df4e6de50b085c832116b8db2cc65511e0de6780f6a49f8755eddabbd46e6afada92160758fd6d4bbb25dc57e0f7b1e4b5b59fbbe543cf80ad1b6d91de7764e3ac1aaa0afac0c312a47bf27258f455606c6c19b1a3d40f8631ce98e6b76e128dddcb29511eb81200ffe9de95cba7a","expiresOn":"2014-05-07T07:43:10.987-03:00"}
You can then invoke a secured action as:
curl -v --header "Content-Type: application/json" -H "X-Auth-Token: 819a9cb9227d2c82af9c1ee2a62b9e7d35725e235e086ab95ecce0b509f3f7b389f430e217e341306ecaebfd1972ac083de73a32341a26f97150ae71fb0417f0031534d818356b2266ffc100e5ee6a50bd1f9ec76b0f68d2ff8ce4d196b4a86b61e002b29b00532ef166cb2eb8476d3ae008c112891628bc0f444c7512c01345" http://localhost:9000/my-protected-action
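A client-side sketch of the token flow described in the answer above, added here as an example and not part of the original answer or of SecureSocial: it builds the OAuth2 login POST, parses the token/expiresOn response, and attaches X-Auth-Token only while the token is still valid. The function names, the short sample token, and the rule that plain http is allowed only to loopback hosts are assumptions of this example.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit
from urllib.request import Request

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def checked_url(url):
    """Assumed policy: plain http only to loopback, so tokens never cross a network in cleartext."""
    parts = urlsplit(url)
    if parts.scheme != "https" and not (parts.scheme == "http" and parts.hostname in LOOPBACK):
        raise ValueError("refusing to send credentials to " + url)
    return url


def oauth2_login_request(base_url, provider, email, access_token, expires_in):
    """Build the POST whose body has the shape of test.json in the answer."""
    body = {"email": email, "info": {"accessToken": access_token, "expiresIn": expires_in}}
    return Request(
        checked_url(f"{base_url}/auth/api/authenticate/{provider}"),
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def parse_token_response(raw):
    """Return (token, expiry as an aware UTC datetime) from the JSON login response."""
    doc = json.loads(raw)
    token, expires_on = doc["token"], datetime.fromisoformat(doc["expiresOn"])
    if not isinstance(token, str) or not token or expires_on.tzinfo is None:
        raise ValueError("malformed login response")
    return token, expires_on.astimezone(timezone.utc)


def secured_request(url, token, expires_on, now=None):
    """Attach X-Auth-Token, refusing a token that has already expired."""
    now = now or datetime.now(timezone.utc)
    if now >= expires_on:
        raise PermissionError("token expired; authenticate again")
    return Request(checked_url(url), headers={"X-Auth-Token": token})


# Constructed sample response: short made-up token, timestamp format as in the answer.
SAMPLE = '{"token":"constructed-token-0001","expiresOn":"2014-05-07T07:43:10.987-03:00"}'

if __name__ == "__main__":
    token, expiry = parse_token_response(SAMPLE)
    print(expiry.isoformat())
```

The returned Request objects can be passed to urllib.request.urlopen against a running application.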