scala - Play Framework & JSON Web Token -
is there scala implementation of jwt or @ least example play? after having posted this question searched further on internet , found intros jwt. suggestion appreciated.
i using nimbus-jose-jwt in spray.io app , quite happy it. object performing authentication extends httpauthenticator , if finds correct jwt returns token subject , related info, otherwise none (authentication fails). play2 can implement http basic auth like this. regarding token setting/getting assume of more interest you:
first, create private/public key pair (i used parts of this code). create authentication object loads keys on initialization filesystem.
create a com.nimbusds.jose.crypto.macsigner , com.nimbusds.jose.crypto.macverifier using these keys.
whenever want set key, first encrypt it, sign it. encryption:
private def encrypt(subject: string) = { val header = new jweheader(jwealgorithm.rsa_oaep, encryptionmethod.a128gcm) val jwt = new encryptedjwt(header, claimset(subject)) val encrypter = new rsaencrypter(publickey.asinstanceof[java.security.interfaces.rsapublickey]) jwt.encrypt(encrypter) jwt.serialize() } the claimset method predictably returns set of claims:
def claimset(subject: string) = { val jwtclaims = new jwtclaimsset() jwtclaims.setissuer(config.jwt.issuer) jwtclaims.setsubject(subject) jwtclaims.setjwtid(java.util.uuid.randomuuid().tostring()) jwtclaims } the publickey property value returned keyfactory.getinstance("rsa").generatepublic.
signing:
private def sign(jwt: string) = { val jwsobject = new jwsobject(new jwsheader(jwsalgorithm.hs256), new payload(jwt)) jwsobject.sign(tokens.signer) jwsobject.serialize } given above, when receive key need verify signature first, decrypt it. verification, first try parse com.nimbusds.jose.jwsobject.parse(my_token) , long doesn't throw parseexception call verify on jwsobject parse returns, using argument macverifier created earlier. if verify returns true, need call getpayload.tostring on same jwsobject verified payload.
to decrypt verified payload call com.nimbusds.jwt.encryptedjwt.parse on it, like:
val decrypter = new rsadecrypter(privatekey.asinstanceof[java.security.interfaces.rsaprivatekey]) jwt.decrypt(decrypter) privatekey value returned keyfactory.getinstance("rsa").generateprivate.
you can claim set jwt.getjwtclaimsset.
finally, regard setting authorization header, i'm doing on angularjs client using principles mentioned in this post.
Comments
Post a Comment