Pac4jHandler not support DirectClient

[ihostage]

I try to integrate Lagom, Play-Pac4j, and Deadbolt. Sources in this repo https://github.com/ihostage/lagom-pac4j-deadbolt
But I got a problem.
Case:

Create Hello World project from maven archetype commit

https://www.lagomframework.com/documentation/1.4.x/java/GettingStartedMaven.html
Run services by command:

$ ./mvnw lagom:runAll

Check hello service:

$ curl https://localhost:9000/api/hello/Alice
Hello, Alice!%

Add Pac4j and Deadbolt commit

Following the next instructions:
1) Add the required dependencies (play-pac4j + pac4j-* libraries)
2) Define the configuration (Config + Client + Authorizer + PlaySessionStore)
3c) Working with Deadbolt
Deadbolt Authorized routes

I wrote very simple HeaderClient (DirectClient) and added Pac4j and Deadbolt.

Check hello service without auth header:

$ curl https://localhost:9000/api/hello/Alice
authentication required%

Success 😄
Check hello service with auth header:

$ curl -H "Authorization: Alice" https://localhost:9000/api/hello/Alice
authentication required%

Failed 😞

Customize Pac4jHandler commit

Add hack code for DirectClient in function beforeAuthCheck:

} else if (isNotEmpty(currentClients) && currentClients.get(0) instanceof DirectClient) {
    Credentials credentials = currentClients.get(0).getCredentials(playWebContext);
    if (credentials != null) {
        playWebContext.setRequestAttribute(Pac4jConstants.USER_PROFILES, credentials.getUserProfile());
        // playSessionStore.set(playWebContext, Pac4jConstants.USER_PROFILES, credentials.getUserProfile());
        return Optional.empty();
    }
    logger.debug("unauthorized");
    action = unauthorized(playWebContext, currentClients);
}

Check hello service without auth header:

$ curl https://localhost:9000/api/hello/Alice
authentication required%

Success 😄
Check hello service with auth header:

$ curl -H "Authorization: Alice" https://localhost:9000/api/hello/Alice
Hello, Alice!%

Success 😄

Summury

1. I'm not sure that I used the right way to fix a problem of DirectClient. Maybe you suggest me the idiomatic way?
2. I'm not understand, why need PlayCookieSessionStore, because I not see cookies in the server response. Maybe it's even good for stateless microservice and authentication by DirectClient.

[leleuj]

Thanks for thoroughly reporting this issue. I will check that and let you know...

[ihostage]

Hi, @leleuj!
Even after fix Pac4jHandler, I can't retrieve CommonProfile in my Lagom service 😞
For doing that need great refactoring (including Deadbolt). 😞
I tried to use the recommended Lagom service call composition for authentication and authorization. In this commit, I wrote draft authorization service of greeting using pac4j-jwt.
It seems the time has come to create lagom-pac4j 😂

[leleuj]

About the PlaySessionStore, you have two options in Play. See: https://github.com/pac4j/play-pac4j/wiki/Security-configuration#2-choosing-the-right-playsessionstore

If you want to create a new pac4j implementation, take a look at https://www.pac4j.org/docs/how-to-implement-pac4j-for-a-new-framework.html

[ihostage]

About the PlaySessionStore, you have two options in Play. See: https://github.com/pac4j/play-pac4j/wiki/Security-configuration#2-choosing-the-right-playsessionstore

Unfortunately, Lagom hasn't context and sessions. It's a framework for microservices and all requests are stateless. That's the problem about I wrote above. I can use Play filters for changing request before it handled by Lagom. But I can't access to Play Context or Play SessionStore from Lagom Service implementation.

If you want to create a new pac4j implementation, take a look at https://www.pac4j.org/docs/how-to-implement-pac4j-for-a-new-framework.html

Thanks, I read it earlier 😄 But I am not sure that this will be a full implementation. I think, that Lagom services and Pac4j indirect clients are incompatible. But also with direct clients, there can be restrictions. If you look at my commit, I do not use a DirectClient, I use Authorizer and Authenticator directly.

[leleuj]

OK. I see. Sure, the documentation is for a whole security framework, but in your case, you only need the direct clients.
The SessionStore does not make much sense in your case, maybe null or a NoOpSessionStore would be sufficient.
About your commit, this is specific to JWT authentication so I still think you could use direct clients for credentials extraction and profile building.

[ihostage]

Thanks, @leleuj !
I forced push commit where authentication/authorization implemented by DirectClient and Config. (HeaderClient + JwtAuthenticator + KeycloakOidcProfile + custom AuthorizationGenerator).
But two classes LagomWebContext and SecuredService not enough for a separate library on Pac4j family 😂

[leleuj]

I would say three classes with the Authorizers one.
I didn't know it but Lagom seems to be a pretty well-known framework (~ 2k stars on github.com). So I think it's worth to create a dedicated library if you are willing to.

I can create the lagom-pac4j repo in the pac4j organization if you are interested...

[ihostage]

I can create the lagom-pac4j repo in the pac4j organization if you are interested...

Of course interested 👍 We planned to create a repo lagom-pac4j in our organization taymyr, but I think that it will be better if repo will be created in the pac4j organization.

[leleuj]

Here it is: https://github.com/pac4j/lagom-pac4j

You have no push rights for now: you'll need to make PRs that I can review...

[ihostage]

Here it is: https://github.com/pac4j/lagom-pac4j

It's great 👍

You have no push rights for now: you'll need to make PRs that I can review...

Yes, of course. Please, create an initial commit with LICENSE or README, because I can't fork empty repository for creating PR. 😄

[leleuj]

Done

[leleuj]

Closing. Using lagom-pac4j instead.

[ihostage]

@leleuj will not be fixed? Does nobody use play-pac4j with DirectClient? 😄

[leleuj]

Many people use play-pac4j with a DirectClient, but I doubt that many people do that using Deadbolt also. At least, you're the first one to report the issue...

[ihostage]

I am lucky 😂
If I have free time, I will try to do a pull request to fix this issue.

[leleuj]

Great! Let's re-open it then if you are willing to fix it :-)

[eximius313]

@ihostage I'm also planning to use Play-Pac4J + Deadbolt, so big thumbs up for this ;)