Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
0 votes
424 views
in Technique by (71.8m points)

playframework - Expose Play Framework rest calls secured via securesocial to mobile app

I would like to expose my Play Framework REST calls to clients other than my play app.

I would like a mobile app to call those secured rest calls.

I asked a question on SO earlier in the year and got an answer, but this only works for OAuth2 and I am only using OAuth1.

My questions are:

  1. Is exposing my REST calls secured by Securesocial on my PlayFramework app to non web clients like Mobile apps a good idea?
  2. Is there a way to do this using Securesocial for OAuth1?
  3. Are there any examples apart from the one in the link from my last question?

1 Reply

0 votes
by (71.8m points)

Latest changes in master-SNAPSHOT include a LoginApi controller that lets you authenticate a user using an API. It supports the UsernamePasswordProvider and all the OAuth2Providers.

In the case of the UsernamePasswordProvider you can post the user credentials and, if they're OK, you will get a JSON response with a token that can be used in an X-Auth-Token header to invoke SecuredActions. For example:

    curl --data "[email protected]&password=some_password" http://localhost:9000/auth/api/authenticate/userpass

For OAuth2-based providers you have to post a JSON document with an accessToken generated by the external service (obtained on the client side) along with the user's email. The module will use the accessToken to verify that it works and will compare the email returned by the external service to the one passed in. If they match, the user is considered to be authenticated. This is very similar to what the guys at FortyTwo were doing and I thought it would be good to have the functionality built in (http://eng.42go.com/mobile-auth-with-play-and-securesocial/).

For example, having a file test.json with the accessToken and expiresIn values returned after authenticating with Facebook on the client side (e.g. using JavaScript):

    {
      "email": "[email protected]",
      "info": {
        "accessToken": "an_access_token",
        "expiresIn": a_number_with_expiration_in_seconds
      }
    }

You can invoke:

    curl -v --header "Content-Type: application/json" --request POST --data-binary "@test.json" http://localhost:9000/auth/api/authenticate/facebook

A sample JSON response for any of the calls above would be:

    {"token":"98b9613dac60890b8e0abf5bc0f77591523df4e6de50b085c832116b8db2cc65511e0de6780f6a49f8755eddabbd46e6afada92160758fd6d4bbb25dc57e0f7b1e4b5b59fbbe543cf80ad1b6d91de7764e3ac1aaa0afac0c312a47bf27258f455606c6c19b1a3d40f8631ce98e6b76e128dddcb29511eb81200ffe9de95cba7a","expiresOn":"2014-05-07T07:43:10.987-03:00"}

You can then invoke a secured action as:

    curl -v --header "Content-Type: application/json" -H "X-Auth-Token: 819a9cb9227d2c82af9c1ee2a62b9e7d35725e235e086ab95ecce0b509f3f7b389f430e217e341306ecaebfd1972ac083de73a32341a26f97150ae71fb0417f0031534d818356b2266ffc100e5ee6a50bd1f9ec76b0f68d2ff8ce4d196b4a86b61e002b29b00532ef166cb2eb8476d3ae008c112891628bc0f444c7512c01345" http://localhost:9000/my-protected-action

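The answer above describes the server side of the LoginApi flow in prose: exchange a password (or a client-obtained OAuth2 access token plus a claimed email) for an opaque token, then require that token in an X-Auth-Token header on every secured action. The following is an added, self-contained model of that flow in Python; it is not SecureSocial's code and does not use the Play API. Everything in it is an assumption for illustration: the user store, the stub `fake_provider_userinfo` standing in for the provider's token-verification endpoint, the 12-hour token lifetime, and the in-memory session table. The checks it makes explicit are the ones the answer relies on: the provider must actually recognise the access token, the provider's email must equal the claimed one, and a secured action must reject missing, unknown and expired tokens.

```python
"""Added example (not SecureSocial's own code): a minimal in-memory model of the
token-exchange flow described in the answer. All stores and the provider lookup
are constructed stand-ins."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


def _hash_pw(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the constructed store never holds a plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: email -> (salt, password hash). Hypothetical data.
_SALT = b"constructed-salt"
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example.com": (_SALT, _hash_pw("some_password", _SALT)),
}

# Constructed stand-in for the external provider's "whose token is this?" call.
FAKE_PROVIDER_TOKENS = {"an_access_token": "alice@example.com"}


def fake_provider_userinfo(access_token: str) -> Optional[str]:
    """Hypothetical provider lookup: returns the email the token belongs to, or None."""
    return FAKE_PROVIDER_TOKENS.get(access_token)


TOKEN_TTL = timedelta(hours=12)  # assumed lifetime; the answer only shows an expiresOn
SESSIONS: Dict[str, Tuple[str, datetime]] = {}  # token -> (email, expiresOn)


def _issue_token(email: str, now: datetime) -> dict:
    # 64 random bytes -> 128 hex chars, the same shape as the sample response.
    token = secrets.token_hex(64)
    expires = now + TOKEN_TTL
    SESSIONS[token] = (email, expires)
    return {"token": token, "expiresOn": expires.isoformat()}


def authenticate_userpass(email: str, password: str, now: Optional[datetime] = None) -> Optional[dict]:
    """Model of POST /auth/api/authenticate/userpass: credentials in, token out."""
    now = now or datetime.now(timezone.utc)
    record = USERS.get(email.lower())
    if record is None:
        return None
    salt, stored = record
    # Constant-time comparison so a wrong password is not distinguishable by timing.
    if not hmac.compare_digest(stored, _hash_pw(password, salt)):
        return None
    return _issue_token(email.lower(), now)


def authenticate_oauth2(body: dict, now: Optional[datetime] = None) -> Optional[dict]:
    """Model of POST /auth/api/authenticate/<provider>: the client sends the
    provider's accessToken plus the email it claims; the server asks the provider
    who the token belongs to and trusts the claim only if the emails match."""
    now = now or datetime.now(timezone.utc)
    claimed = body.get("email")
    access_token = body.get("info", {}).get("accessToken")
    if not claimed or not access_token:
        return None
    provider_email = fake_provider_userinfo(access_token)
    if provider_email is None:
        return None  # provider does not recognise the token
    if provider_email.lower() != claimed.lower():
        return None  # valid token, but for a different account than claimed
    return _issue_token(provider_email.lower(), now)


def secured_action(headers: dict, now: Optional[datetime] = None) -> Tuple[int, str]:
    """Guard for a SecuredAction: only a live token in X-Auth-Token gets through."""
    now = now or datetime.now(timezone.utc)
    token = headers.get("X-Auth-Token")
    if not token or token not in SESSIONS:
        return 401, "missing or unknown token"
    email, expires = SESSIONS[token]
    if now >= expires:
        del SESSIONS[token]  # drop it so an expired token cannot be replayed
        return 401, "token expired"
    return 200, "hello " + email


if __name__ == "__main__":
    issued = authenticate_userpass("alice@example.com", "some_password")
    print(issued)
    print(secured_action({"X-Auth-Token": issued["token"]}))
    print(secured_action({"X-Auth-Token": "not-a-real-token"}))
```

The email comparison in `authenticate_oauth2` is the step that matters: without it, anyone holding any valid access token for the provider could log in as whichever email they chose to claim. Keying sessions on the email the provider returned, rather than the one the client sent, closes the same gap from the other side.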