You are viewing the documentation for the 2.8.x release series. The latest stable release series is 3.0.x.


OAuth is a simple way to publish and interact with protected data. It’s also a safer and more secure way for people to give you access. For example, it can be used to access your users’ data on Twitter.

There are two very different versions of OAuth: OAuth 1.0 and OAuth 2.0. Version 2 is simple enough to be implemented easily without library or helpers, so Play only provides support for OAuth 1.0.


To use OAuth, first add ws to your build.sbt file:

libraryDependencies ++= Seq(

§Required Information

OAuth requires you to register your application to the service provider. Make sure to check the callback URL that you provide, because the service provider may reject your calls if they don’t match. When working locally, you can use /etc/hosts to fake a domain on your local machine.

The service provider will give you:

§Authentication Flow

Most of the flow will be done by the Play library.

  1. Get a request token from the server (in a server-to-server call)
  2. Redirect the user to the service provider, where he will grant your application rights to use his data
  3. The service provider will redirect the user back, giving you a /verifier/
  4. With that verifier, exchange the /request token/ for an /access token/ (server-to-server call)

Now the /access token/ can be passed to any call to access protected data.

More details on OAuth’s process flow are available at The OAuth Bible.



GET     /twitter/homeTimeline controllers.Twitter.homeTimeline(request: Request)
GET     /twitter/auth         controllers.Twitter.auth(request: Request)


import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import javax.inject.Inject;
import play.libs.oauth.OAuth;
import play.libs.oauth.OAuth.ConsumerKey;
import play.libs.oauth.OAuth.OAuthCalculator;
import play.libs.oauth.OAuth.RequestToken;
import play.libs.oauth.OAuth.ServiceInfo;
import play.mvc.Controller;
import play.mvc.Http;
import play.mvc.Result;

public class Twitter extends Controller {
  static final ConsumerKey KEY = new ConsumerKey("...", "...");

  private static final ServiceInfo SERVICE_INFO =
      new ServiceInfo(

  private static final OAuth TWITTER = new OAuth(SERVICE_INFO);

  private final WSClient ws;

  public Twitter(WSClient ws) { = ws;

  public CompletionStage<Result> homeTimeline(Http.Request request) {
    Optional<RequestToken> sessionTokenPair = getSessionTokenPair(request);
    if (sessionTokenPair.isPresent()) {
      return ws.url("")
          .sign(new OAuthCalculator(Twitter.KEY, sessionTokenPair.get()))
          .thenApply(result -> ok(result.asJson()));
    return CompletableFuture.completedFuture(redirect(routes.Twitter.auth()));

  public Result auth(Http.Request request) {
    Optional<String> verifier = request.queryString("oauth_verifier");
    Result result =
            .filter(s -> !s.isEmpty())
                s -> {
                  RequestToken requestToken = getSessionTokenPair(request).get();
                  RequestToken accessToken = TWITTER.retrieveAccessToken(requestToken, s);
                  return redirect(routes.Twitter.homeTimeline())
                      .addingToSession(request, "token", accessToken.token)
                      .addingToSession(request, "secret", accessToken.secret);
                () -> {
                  String url = routes.Twitter.auth().absoluteURL(request);
                  RequestToken requestToken = TWITTER.retrieveRequestToken(url);
                  return redirect(TWITTER.redirectUrl(requestToken.token))
                      .addingToSession(request, "token", requestToken.token)
                      .addingToSession(request, "secret", requestToken.secret);

    return result;

  private Optional<RequestToken> getSessionTokenPair(Http.Request request) {
    return request
        .map(token -> new RequestToken(token, request.session().get("secret").get()));

Note: OAuth does not provide any protection against MITM attacks. This example shows the OAuth token and secret stored in a session cookie – for the best security, always use HTTPS with defined.

Next: Integrating with Akka

Found an error in this documentation? The source code for this page can be found here. After reading the documentation guidelines, please feel free to contribute a pull request. Have questions or advice to share? Go to our community forums to start a conversation with the community.