Positioning and Appropriateness - Silhouette Authentication/Authorisation for Play web and Lagom endpoint

robinroos · October 14, 2019, 3:07pm

Hi Folks,

I’m building a Lagom app which will expose JSON endpoints and also have a Play web ui. The Play ui might be built using Bootstrap.

I need a library to which I can delegate Authentication and Authorisation, both from the Web UI and at the exposed Endpoints. I have little to no knowledge of this area.

My intention is that the logged in Principal will carry a set of Roles, and that the Web App will be able to restrict access to certain functions based on Role membership. Access to JSON Endpoints should be certificate-based (unless someone has alternative suggestions).

My hope is that I will have to write very little code in this area.

In Production, and SIT, the credentials are actually held in Microsoft Active Directory. But in DEV and UAT I would hope to provide a simple text file with a handful of pre-defined usernames with easily remembered passwords and specific role assignments. Perhaps that means the Authenticator is different?

The web app will NOT expose self-registration or password reset capabilities - users are internal.

Anyway, I’m hoping someone can tell me that Silhouette either is or is not suitable, and whether for the Play/Bootstrap side only or also for the REST side.

Many thanks, Robin.

akkie · October 15, 2019, 7:32am

Hi,

for this scenario I would rather recommend something like a central IdP (Identity Provider). Keycloak as OpenID Connect reference implementation is a good open source example. Keycloak has support for user federation (LDAP, AD). With Keycloak Gatekeeper you could use a proxy that acts as relying party in front of your applications. So you doesn’t have any coding effort for the authentication part. Keycloak provides Java libs that you can use to implement authorization in your app.

Now the bad news. This will not work without knowing the fundamentals. You should have an understanding of OpenID Connect and the underlying OAuth2 protocol. You should know the different OAuth2 flows for a better understanding on how the authentication/authorization processes work with OpenID Connect and OAuth2. Keycloak is a great tool but it needs some time to get it to work. It has a really good documentation. But if you have such a system, you are able to add more applications to your stack and that without any coding effort.

Why not Silhouette? I’m not sure it will work with Lagom. It doesn’t have an LDAP/AD provider.
You will have more coding effort.

Some useful links:
https://openid.net/connect/

Best regards,
Christian

robinroos · October 15, 2019, 7:50am

Thanks Christian. I will read through your references. Is Keycloak “implementation” likely to be something which I can delegate to a peopleperhour.com freelancer? I should have mentioned that the entire stack will be Dockerized and deployed on a paid Docker-only hosting service; not sure to what extent that might further complicate the security picture.

Kind regards, Robin.

akkie · October 15, 2019, 10:03am

Yes, I think you will find qualified people to setup this stack. We also use Keycloak and Keycloak Gatekeeper in a Kubernetes Cluster. There are docker images for both applications.

https://hub.docker.com/r/jboss/keycloak/builds
https://hub.docker.com/r/keycloak/keycloak-gatekeeper