Does anyone have a guide on how to implement OAuth...
# http4k
a
Does anyone have a guide on how to implement OAuthPersistence? Or maybe an implementation that they are willing to share? I'm not a crypto/security person, so my knowledge here is limited. I've looked at this: https://github.com/http4k/http4k-by-example/tree/master/src/main/kotlin/verysecuresystems/oauth but this doesn't seem like something that is recommended to have in production. Maybe if the tokenchecker was properly implemented, it is good enough?
d
The overall example is fine - but the main difference is that you won't want to expose the access token to the user in a cookie - you should provide some type of infrastructure which will swap a user cookie (this can be as simple as a randomly generated code or as complicated as a signed JWT) for the backend access token.
That is why the InMemoryOAuthPersistence exists - it is something which needs to be reimplemented. The general patterns for developing a secure HTTP application aren't something that is in scope for the http4k docs - but something that you'd want to learn about from more appropriate resources.
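The swap described in the reply above, as an added example that is not part of the thread and not http4k code (it is written in plain Python so it runs stand-alone; cookie name, TTL and helper names are assumptions): the browser only ever holds a random, opaque session id, the backend access token lives in a server-side store keyed by a hash of that id, and each request exchanges the cookie for the token before calling the upstream API. The token string itself never appears in any Set-Cookie header.

```python
"""Opaque session cookie -> backend access token swap.

Added illustration of the pattern from the reply above; not http4k's
OAuthPersistence. SESSION_COOKIE, SESSION_TTL and the function names are
illustrative choices, not anything the thread or http4k defines.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SESSION_COOKIE = "session"   # assumed cookie name
SESSION_TTL = 3600           # assumed lifetime in seconds


@dataclass
class Session:
    access_token: str
    expires_at: float


class SessionStore:
    """Server-side map: sha256(session id) -> backend token.

    Only the hash is stored, so a dump of this store does not yield values
    that can be replayed as cookies. An injectable clock makes expiry testable.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self._clock = clock

    @staticmethod
    def _key(session_id: str) -> str:
        # Hashing before lookup also removes any timing signal: a partial
        # match on the hex digest says nothing about the cookie value.
        return hashlib.sha256(session_id.encode("utf-8")).hexdigest()

    def create(self, access_token: str, ttl: float = SESSION_TTL) -> str:
        """Issue a fresh 256-bit random id for the OAuth access token."""
        session_id = secrets.token_urlsafe(32)
        self._sessions[self._key(session_id)] = Session(
            access_token, self._clock() + ttl
        )
        return session_id

    def lookup(self, session_id: str) -> Optional[str]:
        """Return the backend token for a live session, else None."""
        key = self._key(session_id)
        session = self._sessions.get(key)
        if session is None:
            return None
        if self._clock() >= session.expires_at:
            del self._sessions[key]      # expired: drop it so it cannot be reused
            return None
        return session.access_token

    def revoke(self, session_id: str) -> None:
        """Logout: forget the mapping; the cookie value becomes worthless."""
        self._sessions.pop(self._key(session_id), None)


def set_cookie_header(session_id: str) -> str:
    """Value for the Set-Cookie header sent after the OAuth callback succeeds."""
    return (
        f"{SESSION_COOKIE}={session_id}; Path=/; HttpOnly; Secure; "
        f"SameSite=Lax; Max-Age={SESSION_TTL}"
    )


def parse_cookie(cookie_header: str) -> Optional[str]:
    """Extract the session id from an incoming Cookie header."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE and value:
            return value
    return None


def authorization_for(cookie_header: str, store: SessionStore) -> Optional[str]:
    """Swap the browser cookie for the header to send to the backend API."""
    session_id = parse_cookie(cookie_header)
    if session_id is None:
        return None
    token = store.lookup(session_id)
    return None if token is None else f"Bearer {token}"


if __name__ == "__main__":
    store = SessionStore()
    # Constructed sample: what the OAuth callback would have received.
    sid = store.create("backend-access-token-from-provider")
    print("Set-Cookie:", set_cookie_header(sid))
    print("Upstream Authorization:", authorization_for(f"{SESSION_COOKIE}={sid}", store))
```

The cookie attributes matter as much as the indirection: HttpOnly keeps the id away from page scripts, Secure keeps it off plaintext connections, and SameSite=Lax blunts cross-site request forgery. A signed JWT can replace the random id as the reply notes, but then revocation needs a denylist or short expiry, whereas the opaque-id store revokes by simply deleting the entry.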
a
I see. I knew I should have taken more cybersec classes in Uni 😄