# ktor
k
I'm trying to set up oauth but seemingly after the first request the app forgets the user is supposed to be logged in. I'm using the pre-generated example oauth code like so:
```kotlin
// Imports assume Ktor 2.x server/client artifacts (the Ktor project generator's OAuth template)
import io.ktor.client.*
import io.ktor.client.engine.apache.*
import io.ktor.http.*
import io.ktor.server.application.*
import io.ktor.server.auth.*
import io.ktor.server.response.*
import io.ktor.server.routing.*
import io.ktor.server.sessions.*

fun Application.configureSecurity() {

    authentication {
        oauth("auth-oauth-discord") {
            urlProvider = { "http://[redacted]/callback" }
            providerLookup = {
                OAuthServerSettings.OAuth2ServerSettings(
                    name = "discord",
                    authorizeUrl = "https://discord.com/oauth2/authorize",
                    accessTokenUrl = "https://discord.com/api/oauth2/token",
                    requestMethod = HttpMethod.Post,
                    clientId = [redacted],
                    clientSecret = [redacted],
                    defaultScopes = listOf("identify")
                )
            }
            client = HttpClient(Apache)
        }
    }
    data class MySession(val count: Int = 0)

    install(Sessions) {
        cookie<MySession>("MY_SESSION") {
            cookie.extensions["SameSite"] = "lax"
        }
        cookie<UserSession>("USER_SESSION")
    }
    routing {
        // Everything inside this block is handled by the OAuth provider:
        // an unauthenticated request here is redirected to Discord's consent page.
        authenticate("auth-oauth-discord") {
            get("login") {
                call.respondRedirect("/callback")
            }

            get("/callback") {
                // The OAuth2 principal is only present on the callback request
                val principal: OAuthAccessTokenResponse.OAuth2? = call.authentication.principal()
                call.sessions.set(UserSession(principal?.accessToken.toString()))
                call.respondRedirect("/test")
            }

            get("/test") {
                call.respondText("It works.")
            }
        }
    }
}

data class UserSession(val accessToken: String) : Principal
```
I can see in the console that the auth succeeds for `/callback`, but when it redirects to `/test`, the auth suddenly fails and I get thrown back to the oauth consent page. Why?
r
Hey. You should move the `/test` route out of the `authenticate("auth-oauth-discord") { ... }` provider to some other one. For example, you may need to register a session auth provider and use it.
k
Okay, I see, it's just incredibly confusing when all other auth providers use the `authenticate` function to mark routes that require authentication but oauth uses it completely differently, just to mark the routes used in the authentication itself. Even the documentation for other providers states without fail "After configuring the _____ provider, you can protect specific resources in our application using the authenticate function." I feel like they should have named the `authenticate` for oauth something else, maybe just `oauth`, because it serves a completely different purpose.
It also doesn't help that the example code for oauth doesn't do anything you'd normally do with oauth, making it look even more like it should work the same way as other auths.
r
Yes, I agree. You can create a ticket and we will rename it in the next major release.