#ktor

rharter

11/27/2018, 8:41 PM
Is there a recommended way to do authorization with oauth, not just authentication? I've got a web app for which users must authenticate using oauth, but I also want to make sure their user account is flagged as an admin.

rocketraman

11/27/2018, 8:44 PM
If your needs are relatively simple, you could issue a JWT token with a roles claim. Otherwise just associate your authz info with the user in your backend.

rharter

11/27/2018, 8:54 PM
I currently associate the authz info with the user on the backend by giving the user an admin role. Problem is how to easily require that for a set of routes in Ktor. I want the ease of wrapping some routes in an authenticate("admin") {} block, but am not sure how to combine oauth + authz into a single auth provider.
I'd rather not have to start all calls with isAdmin(user)

rocketraman

11/27/2018, 9:00 PM
I haven't tried it, but I think you can give each authentication provider a name. So install two Authentication providers, one which validates admin role and one which doesn't. Then protect each route via the appropriate provider e.g.:
authenticate("oauthWithAdmin") {
   ... admin routes here
}

authenticate("oauth") {
  ... non-admin routes here
}
Your install might look something like:
// Authentication can only be installed once per application, so both
// named providers are registered inside the same install block.
install(Authentication) {
    oauth("oauthWithAdmin") {
        ...
    }
    oauth("oauth") {
        ...
    }
}
@rharter did you get it working?

rharter

11/28/2018, 3:17 PM
Sorry, had this sitting in draft form: yeah, you can, and that would be ideal. My question is how to validate admin role in the oauth provider. There isn't a hook to do "other stuff" after the oauth completes.

rocketraman

11/28/2018, 3:22 PM
I see what you mean -- oauth doesn't have a validate that returns a principal like jwt does.
Can you wrap all your admin routes with another handle route that does the relevant check?
Here is an example that uses intercept to verify admin privileges for a route: https://ktor.io/servers/features/routing.html#interception

rharter

11/28/2018, 5:16 PM
Ahh, nice. Thanks!