Hello,
What is the difference between the refresh...
# ktorf
Farid Benhaimoud
07/13/2023, 5:57 PMHello,
What is the difference between the refreshToken in loadTokens and refreshTokens block? And is there a sample project where this is use in kotlin multiplatform mobile? With for example public endpoints and enpoints that need authorization
Copy code
install(Auth) {
bearer {
loadTokens {
BearerTokens(accesToken = "abc123", refreshToken = "xyz111")
}
refreshTokens { // this: RefreshTokensParams
// Refresh tokens and return them as the 'BearerTokens' instance
BearerTokens(accesToken = "def456", refreshToken = "xyz111")
}
}
}s
s3rius
07/13/2023, 6:29 PMWhat is the difference between the refreshToken in loadTokens and refreshTokens block?There's no difference. The
loadTokensrefreshTokensclientoldTokens_bearer_ *{*loadTokens *{* tokenStorage.load() *} // simply load existing tokens if available*refreshTokens *{*// use the given client to get new tokens (optional)val response = client.submitForm(url = "$_baseUrl_/api/oauth/token",formParameters = Parameters.build *{*append("grant_type", "refresh_token")append("client_id", "my client id")append("refresh_token", oldTokens!!.refreshToken)*}*,encodeInQuery = false,block = *{*_accept_(ContentType.Application.Json)})val content = response.body<OAuthResponse>() // TODO: error handlingval tokens = BearerTokens(accessToken = content.token, refreshToken = content.refresh_token)tokenStorage.store(tokens) // remember tokens (optional)tokens}}tokenStoragef
Farid Benhaimoud
07/13/2023, 6:31 PMSo if loadtokens fails it automatically calls refreshtokens block?
s
s3rius
07/13/2023, 6:33 PMAFAIK refreshTokens is only called when a request is made, 401 is returned and ktor determines that it needs to update the credentials. If loadTokens returns null, ktor will simply not be able to attach the token to any request. It will still send the request and get a response (likely a 401).
f
Farid Benhaimoud
07/13/2023, 6:35 PMI was kind of confused because loadtokens has also a field refreshtoken. But I guess the refreshTokens block is called when refreshtoken in the loadtokens block fails and you have to re authenticate under the hood
s
s3rius
07/13/2023, 6:36 PMoooh do you mean this?
Copy code
loadTokens {
refreshTokens { ... } <--
...
}f
Farid Benhaimoud
07/13/2023, 6:37 PMNo this
Copy code
loadTokens {
BearerTokens(accesToken = "abc123", refreshToken = "xyz111")
}s
s3rius
07/13/2023, 6:39 PMThat doesn't belong to loadTokens, but is part of the BearerTokens object.
In OAuth, usually you keep the accessToken and refreshToken together. BearerTokens is just a holder object that allows you to pass both of these tokens around between loadTokens and refreshTokens.
You can access the latest BearerToken inside refreshTokens (like I do in the sample code), and use the refreshToken from there.
f
Farid Benhaimoud
07/13/2023, 6:41 PMAh ok. Thanks for your help 👍.
🙌 1
Farid Benhaimoud
07/13/2023, 8:27 PMI have one more question. How can I differentiate between private and public urls?
Farid Benhaimoud
07/13/2023, 8:35 PMI think I got it
Copy code
sendWithoutRequest { request ->
//TODO use public or private in your endpoints
request.url.encodedPath.contains("login") || request.url.encodedPath.contains("signup")
}s
s3rius
07/13/2023, 8:53 PMYep, that's one way. Another would be to use an attribute to "tag" requests that should be authorized:
Copy code
// helper functions
val AuthAttributeKey = AttributeKey<Boolean>("WantToAuthorize")
fun HttpRequestBuilder.authorize() = attributes.put(AuthAttributeKey, true)
// configuration
bearer {
...
sendWithoutRequest { it.attributes.getOrNull(OAuth.AuthAttributeKey) == true }
}
// example of how tell Ktor to add authorization:
client.get<String>("some/url") { authorize() }🙌 1
13 Views