authenticateOAuth2

Signature

type Authenticator[T] = Credentials => Option[T]
def authenticateOAuth2[T](realm: String, authenticator: Authenticator[T]): AuthenticationDirective[T] 

Description

Wraps the inner route with OAuth Bearer Token authentication support using a given Authenticator[T]Authenticator<T> - function from Optional<ProvidedCredentials> to Optional<T>.

Provides support for extracting the so-called “Bearer Token” from the AuthorizationAuthorization HTTP Header, which is used to initiate an OAuth2 authorization. The directive also supports extracting the Bearer Token from URI query parameter access_token, as described in RFC 6750.

Warning

This directive does not implement the complete OAuth2 protocol, but instead enables implementing it, by extracting the needed token from the HTTP headers.

Given a function returning Some[T]a non emptyOptional<T> upon successful authentication and Nonean empty Optional<T> otherwise, respectively applies the inner route or rejects the request with a AuthenticationFailedRejectionAuthenticationFailedRejection rejection, which by default is mapped to an 401 Unauthorized response.

Longer-running authentication tasks (like looking up credentials in a database) should use the authenticateOAuth2Async variant of this directive which allows it to run without blocking routing layer of Apache Pekko HTTP, freeing it for other requests.

See Credentials and password timing attacks for details about verifying the secret.

For more information on how OAuth2 works see RFC 6750.

Example

Usage in code is exactly the same as authenticateBasic, with the difference that one must validate the token as OAuth2 dictates (which is currently not part of Apache Pekko HTTP itself).