# ktor
s
Hi, I'm trying to integrate Authentik into a ktor application for authentication. I've gone through the docs for using oauth2 and can roughly get something working. I'm assuming that what I would then need to do is insert the access token into my database, and check that the token is in the db? How should I then handle expiry & the refresh token? It does not explain this anywhere, and I've tried searching around yet can find no such explanation anywhere else.
a
Is your question about Ktor's OAuth2 protocol implementation, or what you should do after receiving the access token in the callback handler?
d
I also have some doubts regarding the authentication process with Ktor. I’ve just started working with it, so it’s hard to pinpoint exactly what’s unclear. Personally, I decided to go with Zitadel (a competitor to Authentik), but I haven’t found a proper end-to-end explanation for integrating Zitadel with Ktor. For example, if you Google "Zitadel + Spring Boot", you’ll find plenty of results, but there’s not much available when you search for "Zitadel with Ktor". The integration should be more or less the same, though you still need to account for edge cases and implementation differences.
s
> I haven’t found a proper end-to-end explanation for integrating Zitadel with Ktor.

Yeah, I'm finding it hard to find a good end-to-end explanation of oauth2 in general that I can roughly translate to what ktor is doing.

> For example, if you Google "Zitadel + Spring Boot", you’ll find plenty of results, but there’s not much available when you search for "Zitadel with Ktor".

I find I'm trying to avoid stuff to do with spring boot bc it's doing a lot of stuff in the background through libraries that isn't really explained, whereas I feel the process with ktor will be a bit more involved.

> Is your question about Ktor's OAuth2 protocol implementation, or what you should do after receiving the access token in the callback handler?

Both, sort of. I would expect that ktor's oauth2 protocol would also be able to handle things like:

• token refreshes
• fetching webfinger data for a user
• reading json web tokens from the oauth2 response
• validating tokens
• etc.

I would also expect that it indicates how the token should be stored (store the entire token? don't store the token and validate the signature? etc.)