play-pac4j security library v9


I’m proud to announce the release of the play-pac4j security library v9 based on the new major version 4 of pac4j and Play framework 2.7.4.


Best regards,


Hi Jérôme, nice with Pac4j v4 out :- ). I’m interested in Pac4j together with Play — however play-pac4j seems to provide many things that conflict with Action:s and sessions my app has already / the way it already does things.

Do you know about any examples of how to use Pac4j, for OpenID Connect, without using play-pac4j? Or if you have advice about where to look?

I’d like to authenticate the user against say KeyCloak or Azure AD, get his/her email address and maybe profile link — and thereafter setup my own session, use my own authentication / authorization via my own Actions.

I found a RunClient test class, and RunKeycloakOidcClient and RunAzureAdClient and RunOkta etc — maybe this is a place where I can start? Looking at how to do things step by step, via RunClient plus the test classes, and then building my own Play endpoints and callbacks that do the same things?

(Or am I missing something, and I can in fact use play-pac4j in a “non-intrusive” way so I don’t need to change any Play Actions or add filters or edit how cookies & sessions work etcetera)


To secure an app, you have several options for play-pac4j with the Secure annotation/function and the SecurityFilter:

It should be enough in most cases. Though, pac4j is a security engine used in so many frameworks that you can also use it on your own.

A client is an authentication mechanism (indirect client for an external identity provider). So you can trigger the login process with:

KeycloakOidcClient client = new KeycloakOidcClient(config);
PlayWebContext context = new PlayWebContext(request, playSessionStore);
HttpAction action = (HttpAction) client.getRedirectionAction(context).get();
PlayHttpActionAdapter.INSTANCE.adapt(action, context);

For the callback endpoint (in the app after a successful login):

Optional<Credentials> credentials = client.getCredentials(context);
UserProfile profile = client.getUserProfile(credentials.get(), context).get();

You can also take a look at the manual tests Run*.

Best regards,

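The two snippets from the reply above, combined into one Play controller. This is an added example, not part of the original post or of the play-pac4j project. The controller name, routes, URLs and Keycloak settings are placeholders, and it assumes a PlaySessionStore binding is available for injection. It treats a missing credential or profile as a failed login instead of calling get() on an empty Optional, then hands the e-mail address over to the app's own Play session.

```java
import java.util.Optional;
import javax.inject.Inject;
import org.pac4j.core.exception.http.HttpAction;
import org.pac4j.core.profile.UserProfile;
import org.pac4j.oidc.client.KeycloakOidcClient;
import org.pac4j.oidc.config.KeycloakOidcConfiguration;
import org.pac4j.play.PlayWebContext;
import org.pac4j.play.http.PlayHttpActionAdapter;
import org.pac4j.play.store.PlaySessionStore;
import play.mvc.Controller;
import play.mvc.Http;
import play.mvc.Result;

// Hypothetical controller: class name, routes, URLs and config values are placeholders.
public class OidcLoginController extends Controller {
    private final PlaySessionStore playSessionStore;
    private final KeycloakOidcClient client;

    @Inject
    public OidcLoginController(PlaySessionStore playSessionStore) {
        this.playSessionStore = playSessionStore;
        KeycloakOidcConfiguration config = new KeycloakOidcConfiguration();
        config.setClientId("my-client-id");                 // placeholder
        config.setSecret("my-client-secret");               // placeholder, load from protected config
        config.setBaseUri("https://keycloak.example/auth"); // placeholder
        config.setRealm("my-realm");                        // placeholder
        this.client = new KeycloakOidcClient(config);
        // Must match the route of callback() below and the redirect URI registered at the provider.
        this.client.setCallbackUrl("https://app.example/oidc/callback");
    }

    // GET /oidc/login: send the browser to the identity provider.
    public Result login(Http.Request request) {
        PlayWebContext context = new PlayWebContext(request, playSessionStore);
        Optional<? extends HttpAction> action = client.getRedirectionAction(context);
        if (!action.isPresent()) return internalServerError("no redirection available");
        return PlayHttpActionAdapter.INSTANCE.adapt(action.get(), context);
    }

    // GET /oidc/callback: let pac4j validate the response, then use the app's own session.
    public Result callback(Http.Request request) {
        PlayWebContext context = new PlayWebContext(request, playSessionStore);
        Optional<UserProfile> profile = client.getCredentials(context)
                .flatMap(c -> client.getUserProfile(c, context));
        Object email = profile.map(p -> p.getAttribute("email")).orElse(null);
        if (email == null) return unauthorized("login failed"); // no credentials, no profile or no e-mail
        return redirect("/").addingToSession(request, "email", email.toString());
    }
}
```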

Hi Jérôme, Using Pac4j directly looks a bit simpler / less-complicated than what I thought :- )

I’ll give that a try, in a week or so — or maybe play-pac4j on only some special login endpoint, and then, other endpoints could use my own secure annotations.

(Thanks for the reply. Sorry for my late reply — I got distracted by fixing some a bit urgent things in the app I’m developing + preparing a new release.)