# ktor
d
Hello Everybody, I'm struggling with the `Auth` client plugin of Ktor. Having a configuration of the plugin as follows
```kotlin
Auth {
    bearer {
        loadTokens {
            tokenProvider.getToken()
        }
        refreshTokens {
            tokenProvider.doRefresh()
        }
        sendWithoutRequest {
            // TODO: add some logic here?
            false
        }
    }
}
```
It is happening to me that when the server responds with a 401 code (first call, so there is no token nor refresh token yet), the server is reached again with the same request before failing. The plugin intercepts the 401 response and ends up sending another request, and I don't know the reason. I can see in the logs the message
```
io.ktor.client.plugins.auth.Auth: Sending new request to https://...
```
It only does a single call if I return `true` in the `sendWithoutRequest` callback. Also, worth noting that the endpoint I'm trying to reach right now is precisely my token provider login call with the wrong credentials. So for that endpoint I don't think should be enabled the `Auth` plugin at all. Is there a way to skip the plugin for those endpoints?
a
Unfortunately, there is no way to skip the described behavior happening on 401 response if the `Auth` plugin is installed. If that endpoint doesn't require the credentials, why does it send a 401 response?
d
Just out of curiosity, what would be the proper response code for invalid credentials? It is the authentication endpoint that responds 401 to invalid credentials. It would be better to receive 403 Unauthorized, right?
a
You said:

> So for that endpoint I don't think should be enabled the `Auth` plugin at all.

What problem causes sending the credentials?
d
Well, it's first app open, there are still no tokens stored but I have configured the `Auth` plugin for the whole `HttpClient`. When I perform the `login` request and the server responds with `401` to an incorrect password/name combination (maybe that's wrong as you pointed out) the `Auth` plugin just resends the original request to the server. Thus for one single API call, the plugin is replaying the original request (as there are additional tokens to be added).

Nevermind, talking to someone just made me realize that the server should be answering `403` to wrong/invalid credentials of the user. Thanks for your time, I'll try to talk to backend and see if that can be changed on their side.

Though having some extra reading, seems that `403 Forbidden` wouldn't be a good response either, that's used for lack of rights to access a resource, not for bad credentials. So now I don't know.