How to auth #30

Open
SerVB opened this issue Mar 31, 2020 · 10 comments
Comments

SerVB (Contributor) commented Mar 31, 2020

It seems that the info in #8 (comment) is irrelevant: classes and functions are missing...

I want to make my own OAuth service to be used by the main service to verify requests.

Wicpar (Collaborator) commented Mar 31, 2020

Hi, I can pre-release a full OAuth server implementation I have been working on. It is not exactly maintainable enough to be production ready, but it is spec compliant. No resource server library exists for ktor currently, only the client lib provided by ktor and the auth library provided by myndocs.

The scope of this library is only to provide a connector, the auth provider, to create the appropriate OpenAPI descriptor.

SerVB (Contributor, Author) commented Mar 31, 2020

Oh, thank you, that will be great. Can I have a look?

Wicpar (Collaborator) commented Mar 31, 2020

I've got to separate the codebase from the main project first; it may take a few hours.

Wicpar (Collaborator) commented Mar 31, 2020

https://github.com/papsign/KtorOAuthServer/tree/master
Example usage coming soon.

Wicpar (Collaborator) commented Mar 31, 2020

https://github.com/papsign/KtorOAuthServer/tree/master/src/test/kotlin/com/papsign/oauth2/example
You need to implement the same functionality yourself, and preferably with database access.
If you use Exposed, you may need to implement the requestWrapper parameters with a database transaction.
You have to register the auth server with `Application.registerTestAuth()`, and to handle the resource server call:

// Wraps an OpenAPI route in the example OAuth2 resource-server provider from the
// linked test package; `scopes` are the OAuth scopes the route requires.
inline fun NormalOpenAPIRoute.oauth2(vararg scopes: OAuthScope, crossinline route: OpenAPIAuthenticatedRoute<APIPrincipal>.() -> Unit = {}): OpenAPIAuthenticatedRoute<APIPrincipal> {
    return TestOpenAPIOAuthProvider(scopes.asList()).apply(this).apply {
        route()
    }
}

Wicpar (Collaborator) commented Apr 1, 2020

Have you got it to work?

SerVB (Contributor, Author) commented Apr 1, 2020

I haven't looked at it well; I'm planning to do it. However, at the first glance, it's easier for me to write my own auth server...

Wicpar (Collaborator) commented Apr 1, 2020

The OAuth2 spec is a real mess; the configuration you need here is simply to set up the persistence and login validation. Most of the work is done, the only thing missing is a reusable and modular login tunnel system, which is not part of the OAuth2 spec.
If you want to avoid too much work I recommend using a simpler system like JWT authentication. OAuth2 is a lot of work. It took me two entire weeks to understand the spec and implement it in its entirety to a usable state. What you have here is about 3 hours' work to provide the persistence interface and the user login strategy, even less since you already have your persistence system set up.

I can provide you with an example on how to make a proper login tunnel, but the use-case is not fully fleshed out due to intricacies with cross-domain access, iframes, and multiple authentication possibilities (i.e. password and other OAuth login providers to choose from).

The idea is to make the library evolve to make it simpler to use, it is not refined yet.

I used to use the Ktor OAuth authentication, but that is meant to allow you to get data from a service like GitHub or Google, not a resource server authorisation to provide content yourself, and it slowed the service by a lot (300ms instead of 5ms).

SerVB (Contributor, Author) commented Apr 1, 2020

Thank you, I'm not sure now that I want the same thing. I want just a simple server to generate access and refresh tokens. So maybe it won't be OAuth2-compliant...

> about 3 hours work

I think I'll write my own server using this time, sorry.

Wicpar (Collaborator) commented Apr 1, 2020

Alright, JWT is usually the easiest way to handle the state of the session because you don't need an underlying persistence layer, and a lot of libraries already exist. You can then require the token in the API requests and use the default ktor authentication system for that; it is even supported by Swagger UI.
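The approach the two comments above converge on (SerVB's "simple server to generate access and refresh tokens" and Wicpar's "use the default ktor authentication system" with JWT) can be put together in a single Ktor module. The following is an added example written for this page; it is not code from this issue, from Ktor-OpenAPI-Generator or from KtorOAuthServer. It assumes Ktor 1.3.x with the `ktor-server-netty`, `ktor-auth`, `ktor-auth-jwt` and `ktor-jackson` artifacts on the classpath, and the route names (`/login`, `/refresh`, `/me`), the `TokenStore` object, the issuer/audience strings and the `JWT_SECRET` environment variable are all choices made for the example. The design point it adds beyond the comments: the access token is a short-lived JWT verified statelessly (signature, issuer, audience, expiry), while the refresh token is opaque, random, single-use and stored server-side as a hash, so it can be revoked and a leaked store does not yield usable tokens.

```kotlin
import com.auth0.jwt.JWT
import com.auth0.jwt.algorithms.Algorithm
import io.ktor.application.*
import io.ktor.auth.*
import io.ktor.auth.jwt.*
import io.ktor.features.ContentNegotiation
import io.ktor.http.HttpStatusCode
import io.ktor.jackson.jackson
import io.ktor.request.receive
import io.ktor.response.respond
import io.ktor.routing.*
import io.ktor.server.engine.embeddedServer
import io.ktor.server.netty.Netty
import java.security.MessageDigest
import java.security.SecureRandom
import java.util.Base64
import java.util.Date
import java.util.concurrent.ConcurrentHashMap

// Assumed values for the example; issuer and audience are what the verifier pins.
private const val ISSUER = "https://auth.example.test"
private const val AUDIENCE = "api.example.test"
private const val ACCESS_TTL_MS = 5 * 60 * 1000L            // short-lived access token
private const val REFRESH_TTL_MS = 7 * 24 * 60 * 60 * 1000L // refresh token lifetime
// HMAC key comes from the environment (assumed variable name); never hard-code it.
private val algorithm = Algorithm.HMAC256(System.getenv("JWT_SECRET") ?: error("JWT_SECRET must be set"))

data class LoginRequest(val username: String, val password: String)
data class RefreshRequest(val refreshToken: String)
data class TokenResponse(val accessToken: String, val refreshToken: String, val expiresIn: Long)

// Hypothetical in-memory store; a real service would back this with its database.
object TokenStore {
    private val rng = SecureRandom()
    private val byHash = ConcurrentHashMap<String, Pair<String, Long>>() // sha256(token) -> (subject, expiry)

    fun issue(subject: String): String {
        val token = Base64.getUrlEncoder().withoutPadding().encodeToString(ByteArray(32).also(rng::nextBytes))
        byHash[sha256(token)] = subject to System.currentTimeMillis() + REFRESH_TTL_MS
        return token
    }

    // Single use: the presented refresh token is removed whether or not it is still valid.
    fun consume(token: String): String? {
        val (subject, expiry) = byHash.remove(sha256(token)) ?: return null
        return if (expiry > System.currentTimeMillis()) subject else null
    }

    private fun sha256(s: String) = MessageDigest.getInstance("SHA-256")
        .digest(s.toByteArray()).joinToString("") { "%02x".format(it) }
}

fun accessToken(subject: String): String = JWT.create()
    .withIssuer(ISSUER)
    .withAudience(AUDIENCE)
    .withSubject(subject)
    .withIssuedAt(Date())
    .withExpiresAt(Date(System.currentTimeMillis() + ACCESS_TTL_MS))
    .sign(algorithm)

fun tokens(subject: String) = TokenResponse(accessToken(subject), TokenStore.issue(subject), ACCESS_TTL_MS / 1000)

// Placeholder credential check for the example; replace with a lookup against
// your user store and a constant-time comparison against a stored password hash.
fun checkPassword(username: String, password: String): Boolean =
    username == "alice" && password == "correct horse battery staple"

fun Application.module() {
    install(ContentNegotiation) { jackson() }
    install(Authentication) {
        jwt("api") {
            realm = AUDIENCE
            // Ktor's JWT provider rejects tokens with a bad signature, wrong issuer or
            // audience, or a past `exp`; `validate` only has to decide who the caller is.
            verifier(JWT.require(algorithm).withIssuer(ISSUER).withAudience(AUDIENCE).build())
            validate { credential -> credential.payload.subject?.let { JWTPrincipal(credential.payload) } }
        }
    }
    routing {
        post("/login") {
            val req = call.receive<LoginRequest>()
            if (!checkPassword(req.username, req.password)) {
                call.respond(HttpStatusCode.Unauthorized); return@post
            }
            call.respond(tokens(req.username))
        }
        post("/refresh") {
            val subject = TokenStore.consume(call.receive<RefreshRequest>().refreshToken)
            if (subject == null) {
                call.respond(HttpStatusCode.Unauthorized); return@post
            }
            call.respond(tokens(subject)) // rotates both tokens
        }
        authenticate("api") {
            get("/me") {
                val principal = call.principal<JWTPrincipal>()!!
                call.respond(mapOf("subject" to principal.payload.subject))
            }
        }
    }
}

fun main() {
    embeddedServer(Netty, port = 8080, module = Application::module).start(wait = true)
}
```

With `JWT_SECRET` exported, `POST /login` returns an access token and a refresh token; the client sends `Authorization: Bearer <accessToken>` to `/me` and, once the access token expires, exchanges the refresh token at `/refresh`, which invalidates the old refresh token and issues a fresh pair. Because the refresh store is the only server-side state, revoking a session is a single delete in `TokenStore`; the access token itself stays valid until `exp`, which is why it is kept short.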
