Is there a recommended way to to authorization with oauth, not just authentication? I've got a web app for which users must authenticate using oauth, but I also want to make sure their user account is flagged as an admin.

If your needs are relatively simple, you could issue a JWT token with a

roles

claim. Otherwise just associate your authz info with the user in your backend.

I currently associate the authz info with the user on the backend by giving the user an

admin

role. Problem is how to easily require that for a set of routes in Ktor. I want the ease of wrapping some routes in an

authenticate("admin") {}

block, but am not sure how to combine oauth + authz into a single auth provider.

I haven't tried it, but I think you can give each authentication provider a name. So install two

Authentication

providers, one which validates admin role and one which doesn't. Then protect each route via the appropriate provider e.g.:

authenticate("oauthWithAdmin") {
   ... admin routes here
}

authenticate("oauth") {
  ... non-admin routes here
}

Your install might look something like:

install(Authentication) {
    oauth("oauthWithAdmin") {
        ...
    }
}
install(Authentication) {
    oauth("oauth") {
        ...
    }
}

Sorry, had this sitting in draft form: yeah, you can, and that would be ideal. My question is how to

validate admin role

in the oauth provider. There isn't a hook to do "other stuff" after the oauth completes.

I see what you mean -- oauth doesn't have a

validate

that returns a principal like jwt does.

Ahh, nice. Thanks!