
Users, Tokens and Passwords

Angel Sanadinov edited this page Apr 12, 2017 · 2 revisions


Users and Tokens

Users in core3 are represented by only two pieces of information, the user ID and the user's permissions:

trait UserTokenBase {
  def permissions: Seq[String]
  def userID: String
}

Currently, two authentication providers are supported and they have their own user token implementations:

class Auth0UserToken(
  val idToken: String,
  val accessToken: String,
  val delegationData: Option[JsValue],
  val profile: JsValue
) extends UserTokenBase {
  override val permissions: Vector[String] = ...
  override val userID: String = ...
  val delegationIdToken: String = ...
}
class LocalAuthUserToken(
  val userID: String,
  val permissions: Seq[String],
  val profile: JsValue,
  val sessionToken: String
) extends UserTokenBase

An example of extracting user profile data from a token:

import core3.security.LocalAuthUserToken

case class UserData(
  name: String,
  permissions: Seq[String]
)

object UserData {
  // Builds the view model from a local-auth token; `token.profile` is a play.api.libs.json.JsValue,
  // so missing or non-string fields fall back to "-" instead of throwing.
  def apply(token: LocalAuthUserToken): UserData = {
    val firstName = (token.profile \ "first_name").asOpt[String].getOrElse("-")
    val lastName = (token.profile \ "last_name").asOpt[String].getOrElse("-")

    UserData(name = s"$firstName $lastName", permissions = token.permissions)
  }
}

Passwords and Local Auth

Local user authentication and authorization are based on LocalUser for storage and use PBKDF2 for hashing passwords. The methods that do the hashing and verification can be found in the core3.security package object.

Warning: Make sure you select sensible values for the PBKDF2 parameters. This post can be a good starting point.

Hashing Configuration

The parameters are usually provided via the service/client controller config.
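The following is an added example of PBKDF2 hashing and verification in the shape described above; it is not core3's own core3.security code (whose method names are not on this page), and PasswordHashingConfig, the encoded-string layout and the sample parameter values are assumptions standing in for what the controller config would supply:

```scala
import java.security.{MessageDigest, SecureRandom}
import java.util.Base64
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec
import scala.util.Try

// Hypothetical parameter bundle; in core3 these values would come from the controller config.
// The sample values below are illustrative, not a recommendation from this page.
case class PasswordHashingConfig(iterations: Int, saltSizeBytes: Int, keySizeBits: Int)

object PasswordHashing {
  private val algorithm = "PBKDF2WithHmacSHA256"
  private val random = new SecureRandom()

  // Stored form: "<iterations>$<base64 salt>$<base64 hash>", so the parameters used at
  // hashing time travel with the record and can be raised later without breaking old entries.
  def hashPassword(password: String, config: PasswordHashingConfig): String = {
    val salt = new Array[Byte](config.saltSizeBytes)
    random.nextBytes(salt)
    val hash = pbkdf2(password.toCharArray, salt, config.iterations, config.keySizeBits)
    val enc = Base64.getEncoder
    Seq(config.iterations.toString, enc.encodeToString(salt), enc.encodeToString(hash)).mkString("$")
  }

  // Re-derives the key with the stored salt and iteration count and compares in constant time;
  // a malformed stored value (wrong field count, bad base64, non-numeric count) simply fails.
  def verifyPassword(password: String, stored: String): Boolean =
    Try {
      stored.split('$') match {
        case Array(iterStr, saltB64, hashB64) =>
          val dec = Base64.getDecoder
          val salt = dec.decode(saltB64)
          val expected = dec.decode(hashB64)
          val actual = pbkdf2(password.toCharArray, salt, iterStr.toInt, expected.length * 8)
          MessageDigest.isEqual(expected, actual)
        case _ => false
      }
    }.getOrElse(false)

  private def pbkdf2(password: Array[Char], salt: Array[Byte], iterations: Int, keySizeBits: Int): Array[Byte] = {
    val spec = new PBEKeySpec(password, salt, iterations, keySizeBits)
    try SecretKeyFactory.getInstance(algorithm).generateSecret(spec).getEncoded
    finally spec.clearPassword() // wipe the password copy held by the spec
  }
}

object PasswordHashingDemo extends App {
  val config = PasswordHashingConfig(iterations = 100000, saltSizeBytes = 16, keySizeBits = 256)
  val stored = PasswordHashing.hashPassword("correct horse battery staple", config)
  assert(PasswordHashing.verifyPassword("correct horse battery staple", stored))
  assert(!PasswordHashing.verifyPassword("wrong password", stored))
  assert(!PasswordHashing.verifyPassword("correct horse battery staple", "garbage"))
}
```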
