Best way to implement authorization (not authentic...
# ktor
e
Best way to implement authorization (not authentication)? The docs have a chapter „Authentication & Authorization“ but it feels like a lie, because it only talks about authentication afaics. I found this blog from 2020 where they create a new phase and add an interceptor to it to do authorization checks: https://www.ximedes.com/2020-09-17/role-based-authorization-in-ktor/ Would you recommend this or is there now a better way to implement authorization?
👍 1
d
When I did this I created a `RouteScopedPlugin` which then hooks into the `on(AuthenticationChecked)` hook. If desired I can try to create a small example at some point and put it on GitHub.
a
Also, you can find an example here.
e
Thanks for the answers! Now that you pointed me to the sample, I even found the link to the sample in the ktor docs hidden under "Supported authentication types -> Custom". Also, I found a good explanation that uses the same way with `createRouteScopedPlugin` and `on(AuthenticationChecked)` and also uses the authenticated Principal, which is what I intended to do: https://medium.com/@JalalOkbi/role-based-authorization-with-ktor-from-the-ground-up-552f4a259d74 Thanks again for putting me on the right track! I think I'll find my way from here ;-)
👍 1