https://kotlinlang.org logo
#http4k
Title
# http4k
a

Arnab

08/01/2022, 9:16 AM
Does anyone have a guide on how to implement OAuthPersistance? Or maybe an implementation that they are willing to share? I’m not a crypto/security person, so my knowledge here is limited. I’ve looked at this: https://github.com/http4k/http4k-by-example/tree/master/src/main/kotlin/verysecuresystems/oauth but this doesn’t seem like something that is recommended to have in production. Maybe if the tokenchecker was properly implemented, it is good enough?
d

dave

08/01/2022, 9:26 AM
The overall example is fine - but the main difference is that you won't want to expose the access token to the user in a cookie - you should provide some type of infrastructure which will swap the a user cookie (this can be as simple as a simple randomly generated code or as complicated as a signed JWT) for the backend access token.
That is why the InMemoryOAuthPersistence exists - it is something which needs to be reimplemented. The general patterns for developing a secure HTTP application aren't something that is in scope for the http4k docs - but something that you'd want to learn about from more appropriate resources.
a

Arnab

08/01/2022, 9:29 AM
I see. I knew I should have taken more cybersec classes in Uni 😄
22 Views