What's your preferred way to handle auth in Ktor? ...
# ktor
v
What's your preferred way to handle auth in Ktor? I have a Ktor backend where I use Firebase for account management. From my KMP app I pass in the ID token in a header. This works, but since I am fairly new to building authentication I would like to explore alternatives. The Ktor OAuth module looks interesting, but the automatic redirect functionality seems to be aimed at webapps, rather than mobile apps. (please correct me if I am wrong)
a
I think it depends on the security requirements and the chosen authentication scheme. Do you have any problems with the current solution?
👍 1
h
JWT, access + refresh token
v
@Aleksei Tirman [JB] no problem, really. It works for both Apple and Google sign in. Just looking to learn and see if I can move away from Firebase for my next app. 😁 @Hristijan I had that working for email/password when I started building, but how do I do that with Google and Apple sign in? Do you know of any good examples?
h
Hey @Viktor Nyblom! 🙂 For a KMP app I would use an expect/actual implementation that delegates to the Firebase libraries on iOS and Android respectively. That is super easy to implement and gives you everything "for free".
h
You still have access to a user id (social provider id or however it's called) that you can create a JWT from, send that to the backend and associate it with a user.
💡 1
v
Hey @hellman! 👋 Yes, I have it working in several apps using Gitlive's Firebase Kotlin project (also made two tiny contributions to that). One app is pure Firebase, including Firestore. That just works. The other one has a Ktor backend where I use Firebase Auth to get an idToken, which I then pick up using the Firebase Admin SDK server side. What I am curious about is alternatives to Firebase for the second case. Would be nice to just use OneTap sign in (or whatever it's called these days) and keep accounts on my server. 🤔 But I think @Hristijan just gave me a thread to pull on. 😊
h
Oh, my bad. Yeah, you can still get the JWT from Firebase Auth and use it in your backend. The tricky part is doing the refresh. All of that is handled behind the scenes by the Firebase SDK. If you want to build it from scratch, including the backend parts, just use the JWT plugin for Ktor (both client and server) and implement the actual sign in by sending a code to the user out-of-bounds (email or SMS). That's if you want to build the whole thing yourself... there are drop-in solutions for that (like Firebase) 🙂
🙌 1
v
For anyone curious, this is an old template project that uses the same principle that I'm using today. Don't even know if it works anymore, and things have changed a bit since I created it. But the serverside firebase files are basically what I want to get away from. (just re-inited the repo to remove secrets from history). But I'll check out the Ktor docs on JWT and see if I can cook something up. =) https://github.com/Qw4z1/KmpTemplate
h
import kotlinx.serialization.SerialName
import kotlinx.serialization.Serializable

// Payload the mobile client posts to the Ktor backend after a social (Google/Apple) sign-in.
@Serializable
data class SignInUserWithSocialResponseModel(
    @SerialName("avatar") var avatar: String? = null,
    // Expiry of the provider token; the backend checks this before creating the user.
    @SerialName("tokenExpiryDate") val tokenExpiryDate: Long? = null,
    @SerialName("email") var email: String,
    @SerialName("socialProvider") val socialProvider: String,
    @SerialName("providerUserId") val providerUserId: String,
)
This is what I receive in my Ktor backend path. I validate the expiration date (you can also pass the social provider access and refresh token and validate them with their respective Java SDKs). Then I create a user based on the email and providerUserId, then I create an access token with a refresh token (JWT) based on the user's details. The access token lives 30 days while the refresh lives 35 days. After that, I also have Ktor as a client that just does the refreshment of tokens.
🙌 1