 

Using JWT authentication with Play Framework 2.6

I'm having issues using JWT authentication with guides for older versions, but I'd like to focus on the new Play 2.6.

According to the official documentation, JWT is now used under the hood.

It seems like there would be an easier way instead of creating an ActionBuilder and a bunch of other classes or importing third-party libraries, but I can't figure out what I would need to do.

Can anyone give me guidance on how to create JWT tokens/secrets with 2.6? Preferably Java but I could make my way through Scala as well.

LtDan33 asked Nov 16 '17 17:11




1 Answer

Can anyone give me guidance on how to create JWT tokens/secrets with 2.6? Preferably Java but I could make my way through Scala as well.

JWT is baked into the session cookie. You don't need to do anything at all for that. There is no user-visible JWT header in Play, but you can use the JJWT library https://github.com/jwtk/jjwt, which Play uses under the hood, to create your own JWT and use that.

There is an example project at https://github.com/franzgranlund/play-java-jwt which uses a slightly different JWT library for headers, but gives the idea.

The main thing to do is verify that the JWT you get back is using the same algorithm you sent out, i.e. no-one has sent you an alg=NONE or something silly, and ensure you're using a decent algorithm, i.e. HMAC-SHA256 with AES-GCM.

If you're interested in using encryption/signing generally, there's an example in https://github.com/playframework/play-scala-secure-session-example/ which should help.

Will Sargent answered Oct 06 '22 12:10

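As an added illustration of the answer's advice (not code from the answer, Play, or the linked example project), here is a small Java class that issues an HS256 token with JJWT and, on the way back in, pins the expected algorithm instead of trusting whatever the header claims. It assumes the JJWT 0.11.x API (`Jwts.parserBuilder()`, `Keys.secretKeyFor`) and a hypothetical class name `JwtTokens`; the key is generated in-process only to keep the example self-contained.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;

import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Date;
import javax.crypto.SecretKey;

/** Example only: issue and verify HS256 tokens with the algorithm pinned server-side. */
public final class JwtTokens {

    // The server decides the algorithm once; any other value in an incoming header is rejected.
    private static final SignatureAlgorithm ALG = SignatureAlgorithm.HS256;

    // Generates a 256-bit key suitable for HS256. A real deployment would load a
    // configured secret instead of generating a fresh one on every JVM start.
    private final SecretKey key = Keys.secretKeyFor(ALG);

    /** Create a signed token for a user id that expires after the given number of minutes. */
    public String issue(String userId, long minutes) {
        Instant now = Instant.now();
        return Jwts.builder()
                .setSubject(userId)
                .setIssuedAt(Date.from(now))
                .setExpiration(Date.from(now.plus(minutes, ChronoUnit.MINUTES)))
                .signWith(key, ALG)
                .compact();
    }

    /**
     * Verify a token and return its subject, or null if it must not be accepted.
     * parseClaimsJws only accepts *signed* JWTs, so an unsigned (alg=none) token is
     * already refused by the library; the explicit header comparison additionally
     * requires exactly the algorithm we issued, as the answer recommends.
     */
    public String verify(String token) {
        try {
            Jws<Claims> jws = Jwts.parserBuilder().setSigningKey(key).build().parseClaimsJws(token);
            if (!ALG.getValue().equals(jws.getHeader().getAlgorithm())) {
                return null; // header algorithm differs from the one we sign with
            }
            return jws.getBody().getSubject();
        } catch (JwtException | IllegalArgumentException e) {
            return null; // bad signature, expired, malformed or unsigned token
        }
    }
}
```

In a Play Java application the token would typically be read from the `Authorization: Bearer` header inside an ActionBuilder, but the verification itself is framework-independent.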