Expose Play Framework rest calls secured via securesocial to mobile app

Question

I would like to expose my Play Framework REST calls to clients other than my play app.

I would like a mobile app to call those secured rest calls.

I asked a question on SO earlier in the year and got an answer but this only works for OAuth2 and I am only using OAuth1

My questions are:

1. Is exposing my REST calls secured by Securesocial on my PlayFramework app to non web clients like Mobile apps a good idea?
2. Is there a way to do this using Securesocial for OAuth1?
3. Are there any examples apart from the one in the link from my last question?

Answer 1

Latest changes in master-SNAPSHOT include a LoginApi controller that lets you authenticate a user using an API. It supports the UsernamePasswordProvider and all the OAuth2Providers.

In the case of the UsernamePasswordProvider you can post the user credentials and if they’re ok you will get a json with a token that can be used in an X-Auth-Token header to invoke SecuredActions. For example:

curl --data "[email protected]&password=some_password” http://localhost:9000/auth/api/authenticate/userpass  

For OAuth2 based providers you have to post a JSON with an accessToken generated by the external service (that was obtainer in the client side) along with the user email. The module will use the accessToken to verify if it works and will compare the email returned by the external service to the one passed in. If they match then the user is considered to be authenticated. This is very similar to what the guys at FortyTwo were doing and I thought it would be good to have the functionality built in (http://eng.42go.com/mobile-auth-with-play-and-securesocial/).

For example, having a file test.json with the accessToken and expiresIn values returned after authenticating with Facebook on the client side (e.g.: using Javascript):

{
"email": “[email protected]”,
"info": {
    "accessToken": “an_access_token”,
    "expiresIn": a_number_with_expiration_in_seconds
 }
} 

You can invoke:

curl -v --header "Content-Type: application/json" --request POST --data-binary "@test.json" http://localhost:9000/auth/api/authenticate/facebook

A sample json response for any of the calls above would be:

{"token":"98b9613dac60890b8e0abf5bc0f77591523df4e6de50b085c832116b8db2cc65511e0de6780f6a49f8755eddabbd46e6afada92160758fd6d4bbb25dc57e0f7b1e4b5b59fbbe543cf80ad1b6d91de7764e3ac1aaa0afac0c312a47bf27258f455606c6c19b1a3d40f8631ce98e6b76e128dddcb29511eb81200ffe9de95cba7a","expiresOn":"2014-05-07T07:43:10.987-03:00"}

You can then invoke a secured action as:

curl -v --header "Content-Type: application/json" -H "X-Auth-Token: 819a9cb9227d2c82af9c1ee2a62b9e7d35725e235e086ab95ecce0b509f3f7b389f430e217e341306ecaebfd1972ac083de73a32341a26f97150ae71fb0417f0031534d818356b2266ffc100e5ee6a50bd1f9ec76b0f68d2ff8ce4d196b4a86b61e002b29b00532ef166cb2eb8476d3ae008c112891628bc0f444c7512c01345" http://localhost:9000/my-protected-action