guardian/play-googleauth guardian/play-googleauth

Authentication and Permissions
  • Stars
    star
    32
  • Rank 775,073 (Top 16 %)
  • Language
    Scala
  • License
    Apache License 2.0
  • Created almost 10 years ago
  • Updated 10 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
guardian/play-googleauth
github

guardian

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Simple play module for authenticating against Google

Play Google Auth Module

CI Release

This module is a very simple implementation of OpenID Connect authentication for Play 2 applications. It can also be used to get information about the groups of your Google Apps Domain using the Directory API.

Versions

Supported Play Versions

  • Play 3.0 : use play-googleauth artifacts 
    libraryDependencies += "com.gu.play-googleauth" %% "play-v30" % "[maven version number]"
  • Play 2.9 : use play-googleauth artifacts 
    libraryDependencies += "com.gu.play-googleauth" %% "play-v29" % "[maven version number]"
  • Play 2.8 : use play-googleauth artifacts 
    libraryDependencies += "com.gu.play-googleauth" %% "play-v28" % "[maven version number]"

We no longer support Play 2.7 or Scala 2.12.

Note that from version 0.7.7 onwards, play-googleauth recommends the use of the play-secret-rotation library, which allows you to rotate your Play Application Secret on an active cluster of Play app servers. play-googleauth uses the Play Application Secret to sign the OAuth Anti-Forgery token, and needs to know the validity over time of your rotated secrets to verify tokens correctly. If you decide you are willing to take the security risk of not rotating your Application Secret, you can still use the deprecated AntiForgeryChecker.borrowSettingsFromPlay(httpConfiguration) method.

Adding to your application

In order to add Google authentication to your Play app you must:

  • get a set of API credentials for your app from the Google Developer Console
  • ensure that you have switched on access to the Google+ API for your credentials
  • add play-googleauth to your libraryDependencies
  • create a GoogleAuthConfig instance with your API credentials and callback details (the callback must match both your app and the value you set in the developer console)
  • implement a login controller that has actions and routes for the login action, oauth callback, logout and a login screen (if required)
  • implement a trait that extends com.gu.googleauth.Actions, sets the appropriate redirect targets and provides an authConfig from your Google credentials
  • (optionally) configure a Google Group Checker to enforce Google Group membership
  • use AuthAction instead of Action to wrap actions in your controllers (these should be made available by extending the trait you implemented earlier

See the example application to see how this is done.

Caveats

If your login expires and the next request you make is a GET method then your login will be transparently revalidated, but if your next request is a POST method then it is not possible to sensibly redirect the request and you will end up being redirected to the correct URL but with a GET request.

AJAX requests will similarly not be re-validated. Two options exist - you can turn off re-validation using the enforceValidity parameter in GoogleAuthConfig or implement a specific ApiAuth endpoint that returns a 419 if your session is no longer valid. This can then be used to implement client side logic in an invisible iframe to re-auth.

This module brings in Apache Commons 1.9 which is later than the version Play requires by default. This is usually fine as it is compatible.

The token acquired from Google is NOT cryptographically verified. This is not a problem as it is obtained directly from Google over an SSL connection, used to authenticate the user and then thrown away. Do not keep the token around and use it elsewhere unless this code is modified to carry out the verification.

Implement GoogleGroups-based access control using the Directory API

You can use the library to check that a user of your domain (e.g. guardian.co.uk) belongs to certain Google Groups. This is convenient to create an authorisation system in which only people who are members of some groups can access your application.

In order to be able to use the Directory API, you must first set up your own Service account and make sure it has the right permissions.

First, log in to your Google Developer Console, go to your project and create a new service account. Follow the instructions given here to create a service account. When asked to download the public/private key pair, choose the JSON option and keep it in a secure place.

You will then need to contact the administrator of your organisation's Google Apps domain and ask them to authorise your service account to access user data in the Google Apps Domain.

They will need to do so by adding specific scopes to the service account. This is done by granting the clientId of the service account with access to the required API scopes.

In order to find out which groups the users of your domain belong to, the only scope you will need is https://www.googleapis.com/auth/admin.directory.group.readonly

Finally, you need the email address of a user who has the permission to access the Admin APIs. It is not enough to be able to authenticate to your domain with a client ID and private key, you also need to specify the email address of one of the organisation's admin users. This email address should be set up to have specific privileges to read groups. We call this user the "impersonated user".

As explained in the Google documentation about Domain-Wide delegation of authority:

Only users with access to the Admin APIs can access the Admin SDK Directory API, therefore your service account needs to impersonate one of those users to access the Admin SDK Directory API.

Ask the administrator of your organisation's Google Apps domain if you are unsure of what this email address is supposed to be.

Once you have completed those 3 steps, you should be able to integrate it in your application:

  • Make sure that the service account certificate is accessible

  • This is how you can build your credentials from the json cert file you have downloaded:

import org.apache.commons.io.Charsets.UTF_8
import org.apache.commons.io.IOUtils
import com.google.auth.oauth2.ServiceAccountCredentials

object GoogleAuthConf {
  val impersonatedUser: String = ??? // read from config
  val serviceAccountCert: String = ??? // JSON certificate from Google Developers Console - read from secure storage
}

private val serviceAccount = GoogleServiceAccount(
  GoogleAuthConf.impersonatedUser, // This is the admin user email address we mentioned earlier
  ServiceAccountCredentials.fromStream(IOUtils.toInputStream(serviceAccountCert, UTF_8))
)
  • You should now be able to retrieve the groups for a given user
import com.gu.googleauth.GoogleGroupChecker

val checker = new GoogleGroupChecker(serviceAccount)
checker.retrieveGroupsFor(email)

More Repositories

1

frontend

The Guardian DotCom.
Scala
5,769
star
2

scribe

DEPRECATED: A rich text editor framework for the web platform
JavaScript
3,521
star
3

grid

The Guardian’s image management system
Scala
1,431
star
4

toolargetool

A tool to help you debug TransactionTooLargeExceptions on Android 7+
Kotlin
932
star
5

coding-exercises

Coding exercises
402
star
6

guardian.github.com

Guardian github pages
HTML
317
star
7

riff-raff

The Guardian's deployment platform
Scala
263
star
8

gu-who

answering: who are all these users in my GitHub org?
Scala
221
star
9

dotcom-rendering

The Guardian web rendering service
TypeScript
212
star
10

typerighter

Even if you’re the right typer, couldn’t hurt to use Typerighter!
Scala
207
star
11

swarmize

the data journalism platform
Ruby
155
star
12

elk-stack

ELK Stack ... based on Elastic Stack 5.x
JavaScript
147
star
13

prout

Looks after your pull requests, tells you when they're live
Scala
144
star
14

riemann-config

Configuration for alerting and event processing in Riemann
Clojure
141
star
15

prosemirror-typerighter

The client-side companion to Typerighter. Match ranges with spellchecker-like semantics in Prosemirror documents.
TypeScript
110
star
16

guss

Guss is a collection of Sass bower components, re-usable across multiple Guardian web products
107
star
17

source

Source: a component library for the Guardian's Design System
TypeScript
98
star
18

athena-cli

Presto-like CLI tool for AWS Athena
Python
86
star
19

recommendations

Recommendations for how to develop software at the Guardian
JavaScript
64
star
20

cf-notify

Get notified in Slack when changes to your Cloud Formation stack are made.
Python
59
star
21

iframe-messenger

postMessage interface
JavaScript
57
star
22

vagrants

Vagrant configurations
Ruby
55
star
23

ganglia-api

API layer that exposes ganglia data in a RESTful JSON manner
Python
50
star
24

amigo

AMIgo: An AMI bakery
Scala
49
star
25

prism

Tool for collecting live data about infrastructure so it can be easily queried by users and automated tooling
Scala
48
star
26

prosemirror-noting

Prosemirror plugin that adds the ability to have ranges added to the document that expand and contract around dependent on the input.
JavaScript
48
star
27

html-janitor

Scribe module - DO NOT DELETE
JavaScript
46
star
28

guss-rem

Use rem units in your CSS with a pixel fallback for older browsers
CSS
44
star
29

online-abuse-analysis

Scala
42
star
30

editions

πŸ“†πŸ†• Daily Edition app
TypeScript
42
star
31

kinesis-logback-appender

LOGBack Appender for writing data into a Kinesis Stream
Java
39
star
32

content-api-scala-client

A Scala client library for the Guardian's Content API
Scala
39
star
33

dev-nginx

Tools to configure a local development nginx to proxy our applications and services
Shell
39
star
34

sbt-grunt-plugin

For kicking off grunt tasks from inside sbt
Scala
38
star
35

giant

Platform for journalists to search, analyse, categorise and share unstructured data
Scala
38
star
36

teamcity-s3-plugin

Teamcity plugin for uploading artifacts to S3
Scala
36
star
37

pasteup

This project is now deprecated. Future development on the Guardian's design language can be found in dotcom-rendering
JavaScript
36
star
38

mobile-apps-article-templates

Templates for articles on The Guardian iOS and Android apps
SCSS
34
star
39

machine-images

DEPRECATED: Scripts for building machine images (principally AMIs)
Ruby
34
star
40

membership-frontend

Guardian events and masterclasses
Scala
34
star
41

status-app

Guardian AWS Applications Status App
Scala
33
star
42

wraith-donk

Wraps wraith in a web server
Ruby
31
star
43

prosemirror-elements

A ProseMirror plugin for adding user-defined 'elements' containing arbitrary fields to a document.
TypeScript
29
star
44

sbt-play-assethash

SBT plugin for Play 2 to add MD5 sums to asset file names
Scala
28
star
45

consent-management-platform

Guardian consent management
CSS
26
star
46

engineering-performance-framework

The Guardian Engineering performance framework
25
star
47

facia-tool

Guardian front pages editor (AKA Fronts tool)
JavaScript
24
star
48

support-frontend

πŸ’β€β™€οΈβ€οΈπŸ“° Frontend for the Supporter platform
Scala
24
star
49

guardian-engineering-site

Code for theguardian.engineering site
TypeScript
23
star
50

mobile-n10n

n10n for nOTIFICATIOn
Scala
23
star
51

sbt-jasmine-plugin

An SBT plugin for running jasmine tests in your build.
JavaScript
23
star
52

guss-webfonts

Guss' Webfonts component
HTML
21
star
53

csnx

Monorepo for Guardian UIs
TypeScript
20
star
54

play-brotli-filter

Brotli filter for the playframework
Scala
19
star
55

react-native-with-kotlin

Placeholder description: @maxspencer created this with repo-genesis
Objective-C
19
star
56

ssm-scala

ssh replacement: CLI program that wraps SSM's EC2 Run Command
Scala
19
star
57

aws-pen-test-form

Tool to generate info for the AWS penetration testing request form
Scala
19
star
58

guss-grid-system

Sass mixins and default values for the Next Gen grid system.
CSS
18
star
59

our-engineering-culture

How we as engineers define our culture
18
star
60

pinboard

πŸ“Œ Pinboard - the omnipresent 'content association' and discussion tool.
TypeScript
18
star
61

sbt-teamcity-test-reporting-plugin

Sbt plugin that enables TeamCity to report test details
Scala
18
star
62

language-system

The Multi-Language Automatic Translation, Subtitling, and Voice Rendering System uses third party software to automatically convert audio to text, translate text, render text to video, and render text to audio.
PHP
17
star
63

music-api-scala-client

Scala
17
star
64

lambda-elasticsearch

Helper to send elasticsearch request from a lambda
JavaScript
16
star
65

awesome-lambda

A collection of Lambda related implementations, libraries, resources an useful stuff.
15
star
66

cdk

Generic Guardian flavoured AWS CDK components
TypeScript
15
star
67

subscriptions-frontend

Scala
15
star
68

world-map

Rough-and-ready geometry files for quickly rendering an SVG map of the world
15
star
69

techtime

General repository for everything techtime.
Ruby
14
star
70

prosemirror-invisibles

A simple implementation of invisible characters in ProseMirror.
TypeScript
14
star
71

httpie-hmac-auth

HMAC auth plugin for HTTPie
Python
13
star
72

videojs-embed

A plugin for Video.js that adds a control bar button to toggle an embed code overlay.
JavaScript
13
star
73

tagmanager

Tag Manager: "Like a Beautiful Mind, but with tags" - Unknown
JavaScript
13
star
74

coding-exercise-project

Skeletion project structures for various languages
Shell
13
star
75

security-hq

Centralised security information for AWS accounts
Scala
13
star
76

manage-frontend

TypeScript
12
star
77

ts-failure

Promise error handling in typescript.
TypeScript
12
star
78

grunt-asset-monitor

Grunt task to analyse and log simple metrics of static assets to Amazon CloudWatch.
JavaScript
12
star
79

simple-configuration

A configuration library without any magic
Scala
12
star
80

element-radiator

Helper Polymer elements for building information radiators and monitoring dashboards
HTML
12
star
81

elk6

Elasticsearch, Logstash, Kibana stack for version 6
Ruby
11
star
82

play-secret-rotation

Rotate your Application Secret on an active cluster of Play app servers
Scala
11
star
83

janus-app

Google-backed AWS account access
Scala
11
star
84

zapush

drop-in war to submit jmx stats to zabbix
Scala
11
star
85

libs

A collection of JavaScript libraries and TypeScript types for Guardian projects
TypeScript
11
star
86

scribe-angular-example

JavaScript
11
star
87

quiz-builder

NO LONGER USED - Tool for building quiz JSON
JavaScript
11
star
88

fastly-api-client

An asynchronous Scala client for Fastly's API used to deploy and update configs, decache objects and query the stats API
Scala
11
star
89

grid-inspector

Web UI to inspect rights of Grid images
JavaScript
10
star
90

support-service-lambdas

Lambdas covering supporter operations, mostly in life operations
Scala
10
star
91

solr-field-update

Basic support for merging documents in Solr.
Java
10
star
92

tip

Scala library for testing in production
Scala
10
star
93

pan-domain-authentication

Helper to provide a common federated authentication for all services within a domain (AKA Panda)
Scala
10
star
94

fezziwig

Fezziwig is a library for compile time generation of Circe encoders/decoders for Scrooge-generated classes representing Thrift objects.
Scala
10
star
95

flags

Collection of SVG flags indexed by world bank code (e.g. GBR.svg = Union Jack), plus scripts to get bitmap thumbnails
JavaScript
10
star
96

raspberry-pi-dashboards

How to setup Raspberry Pi dashboards in the Guardian Digital department
Shell
10
star
97

scribe-plugin-noting

JavaScript
9
star
98

content-api-haskell-client

A simple Haskell client library for the Guardian's Content API
Haskell
9
star
99

dupin

Search Git repositories for secrets
Python
9
star
100

guss-layout

Low-level responsive layout patterns
CSS
9
star