Difference between Authenticator and Provider



I am struggling to understand the difference between an Authenticator and a Provider. Could you please explain?

I created a Sihouette stack as follows and it seems Provider is optional. What is it used for?

val cookieEnv = com.mohiva.play.silhouette.api.Environment[CookieEnv](userIdentityService ,cookieAuthenticatorService,Seq(),EventBus())




The providers which can be passed to the Environment are a special type of providers called request providers. They are documented here: https://www.silhouette.rocks/docs/providers#section-request-providers

Does this answer your question?

Best regards,


Hi Christian

Sorry it doesn’t… I had read it but didn’t understand it.

There is an Authenticator (say Cookie authenticator) which would add (embed) a token into Cookie header I suppose and will look for it and validate it in further incoming requests (I suppose I understood authenticators correctly). So Authenticator seem to authenticate a session.

But the documentation about Providers also say the same thing – “a provider is a service that handles the authentication of an identity”

Could you explain with an example?



Mail](https://go.microsoft.com/fwlink/?LinkId=550986) for Windows 10


Is it a way to create own custom provider. I notice that there are pre-built providers in Silhouette. I notice Provider is a trait and CredentialProvider has ID



an authenticator is like a session. It authenticates an already authenticated user on subsequent requests to a page/app. A provider is the part which authenticates a user against an external (social provider, LDAP, CAS), against a credentials provider and so on. Typically authentication in Silhouette has two steps. First the user authenticates once against a provider and then you create an authenticator which authenticates the user on subsequent request against your page/app.

A request provider is a special kind of provider which can be directly hooked into the authentication process. It reads authentication data from the incoming request and authenticates the user. In this case an authenticator isn’t used, therefore it’s recommended to use the DummyAuthenticator. The basic authentication provider is a request provider. It gets the authentication data from the Authorization header.

Let me know if something is unclear.

Best regards,