in play-v30/src/main/scala/com/gu/googleauth/auth.scala [63:97]
/**
 * Builds a [[GoogleAuthConfig]] with an empty allowed-domains list, i.e. no email-domain
 * restriction is configured on the resulting config.
 *
 * Because nothing here narrows which Google accounts are acceptable, any authorisation
 * stricter than "has completed a Google sign-in" has to be enforced by the application
 * itself (for example an explicit allow-list of users). Use this factory only when that
 * is intended; otherwise prefer the domain-restricted constructors.
 *
 * @param clientId           Google OAuth client id
 * @param clientSecret       Google OAuth client secret (keep out of source control)
 * @param redirectUrl        the callback URL registered with Google for this client
 * @param maxAuthAge         defaults to `defaultMaxAuthAge`
 * @param enforceValidity    defaults to `defaultEnforceValidity`
 * @param prompt             defaults to `defaultPrompt`
 * @param antiForgeryChecker the [[AntiForgeryChecker]] used to validate the OAuth callback
 * @return a config that accepts sign-ins from any Google-hosted domain
 */
def withNoDomainRestriction(
clientId: String,
clientSecret: String,
redirectUrl: String,
maxAuthAge: Option[Duration] = defaultMaxAuthAge,
enforceValidity: Boolean = defaultEnforceValidity,
prompt: Option[String] = defaultPrompt,
antiForgeryChecker: AntiForgeryChecker
): GoogleAuthConfig = {
  // Empty domain list: the config itself places no restriction on the account's email domain.
  val unrestrictedDomains = Nil
  GoogleAuthConfig(
    clientId,
    clientSecret,
    redirectUrl,
    unrestrictedDomains,
    maxAuthAge,
    enforceValidity,
    prompt,
    antiForgeryChecker
  )
}
}
/**
* When the OAuth callback returns to our app, we need to ensure that this is the end of a valid authentication
* sequence that we initiated, and not a forged redirect. Rather than use a nonce, we use a signed session id
* in a short-lifetime JSON Web Token, allowing us to cope better with concurrent authentication requests from the
* same browser session.
*
* "One good choice for a state token is a string of 30 or so characters constructed using a high-quality
* random-number generator. Another is a hash generated by signing some of your session state variables with
* a key that is kept secret on your back-end."
* - https://developers.google.com/identity/protocols/OpenIDConnect#createxsrftoken
*
* The design here is partially based on an IETF draft for "Encoding claims in the OAuth 2 state parameter ...":
* https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-01
*
* @param secretsProvider see https://github.com/guardian/play-secret-rotation
* @param signatureAlgorithm defaults to a sensible value, but you can consider using
* [[AntiForgeryChecker#signatureAlgorithmFromPlay]]
*/
case class AntiForgeryChecker(
secretsProvider: SnapshotProvider,
signatureAlgorithm: SignatureAlgorithm = HS256, // same default currently used by Play: https://github.com/playframework/playframework/blob/a39b208/framework/src/play/src/main/scala/play/api/http/HttpConfiguration.scala#L336
sessionIdKeyName: String = "play-googleauth-session-id"
) extends Logging {