Play2-Auth vs SecureSocial vs Deadbolt2 - scala

I am using Play2 with Scala. I am new to Play2 and Scala. I need authentication and authorization in a project. Which of the following is best for me, and why?
Play2-Auth
SecureSocial
Deadbolt2
Is any of them like Spring Security?
I need authorization based on a user role, and I also need social login (Google+, Facebook and Twitter) as well as our own side login.
So please tell me the best solution for me, and also explain why it is best.

Deadbolt2 is only an Authorization framework. Play2-Auth and SecureSocial both do Authentication and Authorization but their Authorization capabilities are much weaker than Deadbolt2. Play2-Auth does not have social login capabilities (that I know of). SecureSocial does.
I am using SecureSocial for the exact use case you are mentioning: social and local logins with role-based authorization. It works well for my purposes. I am using the current stable version (2.1.4 for Play 2.2.x) but be advised that the next version (that supports Play 2.3.x) is quite different and the upgrade procedure is painful. I have tried it once and have given up on it for the time being.

Related

What module to choose to post in popular social networking sites in Play! 2.2.0

I am pretty new to the Play framework. My intention is to create a web application which could allow users to post to all their social networking accounts from my web app.
I saw a lot of modules (like SecureSocial, Secure, fbConnect) that can provide me the authentication for the application, but I doubt they would allow me to post content.
Is there any module that could suit my needs? Is this idea possible at least?
I am currently planning to use Play 2.2.0, but I see a lot of modules are built for Play 1.x. Can I use the same module in Play 2.x as well?
This is a fairly common use case. I would recommend SecureSocial for what you are trying to achieve, as it appears to be the most utilised authentication library for Play.
Your basic flow would be:
1) Users on your site authenticate their various social networks using SS. Be sure to configure SS to request any extended permissions you require (in order to post on behalf of the user).
2) Most social APIs will return some kind of auth token, which can be persisted using SS. Note: you will need to implement a custom UserService for persistence.
3) When you want to post on behalf of a user, use the auth token that you have persisted, and hit the relevant social API. Make sure you have error handling in place to deal with expired tokens etc.
Hope this helps!

Creating oAuth provider

I need to build an oAuth provider and started to do my homework around Facebook and Google, as they are the largest examples there are, I think. What I still don't understand: when a web site wants to use oAuth from Google or Facebook, does it have to use their SDK, or is the SDK just there to simplify the hard work, and there is a way to do it yourself from scratch? I am asking this because I wonder if, after my oAuth provider is ready, I will have to create an SDK as well.
No, you do not have to create any SDK for an OAuth provider or clients. You can look at Google's playground for a sample end-to-end demonstration of the OAuth2 flow.

Is there a play2 framework plugin to build OAuth REST API?

I would like to build a web service (RESTful JSON API) and I would like to secure my API with OAuth 1.0 or 2.0. I'm using Play2 with Scala and I cannot find examples on writing OAuth providers (not consumers) in Scala nor in Play2.
I believe the combination should be very familiar, suppose you are building an API like GitHub and you want to authorize certain applications and offer them CONSUMER_KEY, CONSUMER_SECRET to access your APIs. There must be an easy-to-use library to help you do that. Not to say that this should be baked into Play2.
Any ideas? libraries? tricks?
We built an OAuth 1.0 provider in Scala/Lift. It's coded for the Open Bank Project but should be pretty easy to extract for another Lift app.
Please see:
https://github.com/OpenBankProject/OpenBankProject-Server/wiki/OAuth-1.0-client---Server-connexion
By the way, we chose OAuth 1.0 rather than OAuth 2.0 because OAuth 2.0 is not really fixed yet.
cheers, Simon.

Facebook STS without ACS

Is it possible to use Facebook authentication with WIF without using ACS/Azure? Or is this absolutely necessary?
Yes, it's possible but you'll have to write a bit of code. There is a WIF extension that adds OAuth 2.0 support to the framework:
https://connect.microsoft.com/site1168/Downloads
Another option you might consider:
http://facebooknet.codeplex.com/
You can also write your own STS and add DotNetOpenAuth to it.
IdentityServer does something like this with OpenId in a (hidden) page. This was based on a post from Matias Woloski, updated here.
The Facebook Platform uses OAuth 2.0 for authentication and authorization. So when you try to build an authentication application for Facebook you are actually looking for a provider which supports claims-based authentication. WIF does provide an ASP.NET and WCF based framework for you to authenticate your application with Facebook through a claims-based identity framework. (Windows Azure ACS simplifies this process to a bare minimum level and that is what you pay for.)

Twitter API: OAuth vs. xAuth

1) Is it true that if you would like to have your custom dialogues to enter twitter user details that you cannot use OAuth to do that?
2) I looked at MGTwitterEngine and now I'm wondering whether it is really necessary to have more than 20 classes just to send a status update.
3) I used to use Basic Auth which worked just fine. It was very little code. Is there a way to modify that code so that it just works again?
Many thanks for your help.
You'll need to apply for xAuth from Twitter with a decent enough reason for them to allow you to use it. That will allow you to take the user's username & password using your own UI and get a token that way instead of going the web-route and directing them to a web auth page.
You'll most probably need to re-write a bunch of your basic auth methods to include all the OAuth signatures and headers into your requests. It'll be nice if they make the switch to OAuth 2 soon, it's much much easier.
I've written my own Twitter engine that uses XAuth and it's relatively simple (apart from the OAuth 1 garbage!). However it'll probably be best to use MGTwitterEngine if you're going the normal OAuth route. I'm not familiar with it but I hear good things. It depends on how you're going to use the API. Writing a simple wrapper probably won't be too hard if you're just interested in calling a few methods. It's just the OAuth 1 stuff that can get complicated; however Twitter's documentation on that is very good indeed.
If you only need to post to Twitter, take a look at getsharekit.org; it will save you a lot of the hassle with the integration.
As for xAuth or oAuth, if your application UI is heavily customised it can be well worthwhile applying for xAuth, as your users all of a sudden will not come across Twitter's login pages, which are unlikely to be in keeping with the rest of your application's UI. However if your application is mainly a utility application, you will most likely be fine with the oAuth method, which is easier as you do not need to apply to Twitter for them to enable it.