Hi, I am quite confused by the google oauth exampl...
# ktor
a
Hi, I am quite confused by the google oauth example: https://github.com/ktorio/ktor-documentation/blob/3.0.1/codeSnippets/snippets/auth[…]-google/src/main/kotlin/com/example/oauth/google/Application.kt

1. Shouldn't it put the routes for `/home` and `/{path}` inside the `authenticate` block? If the session is now `null` it won't return even.
2. The `redirects` is a `MutableMap` which isn't thread safe. And, it'll keep growing. I understand that it is an example, but it'd be wise to add some big warnings.
3. Is there a way to implement the `refreshToken` flow via the OAuth Authentication Provider?
4. Am I correct that for the OAuth2 flow the access_token will be set in a session (typically) and in that sense it isn't necessary to protect the routes with the `authenticate` block? Because I don't assume the `authenticate` block will keep checking the access_token validity. Looking at the source code in the `onAuthenticate` implementation, it seems that it always does the callback there and adds the principal in the call. So that means in fact that the general explanation for Authentication (putting protected routes under `authenticate`) is in fact not correct for OAuth.
a
> 1. Shouldn't it put the routes for `/home` and `/{path}` inside the `authenticate` block? If the session is now `null` it won't return even.

The authentication is done once, and if successful, the data about the user is saved into a session. If those routes were inside the `authenticate` block the authentication would happen for each request.

> 2. The `redirects` is a `MutableMap` which isn't thread-safe. And, it'll keep growing. I understand that it is an example, but it'd be wise to add some big warnings

I agree. You can file an issue about that.

> 3. Is there a way to implement the `refreshToken` flow via the OAuth Authentication Provider?

What do you mean by that?

> 4. Am I correct that for the OAuth2 flow the access_token will be set in a session (typically) and in that sense it isn't necessary to protect the routes with the `authenticate` block?

Yes
a
Great thanks!