Creating Signed JWTs using Nimbus JOSE + JWT

30 November 2019 Kotlin

I’ve been using the Java library “Nimbus JOSE + JWT” to create JWTs recently. It has been pretty useful for playing around with uncommon JOSE algorithms such as ES256K and EdDSA. Considering that these are not supported out-of-the-box in .NET yet, being able to use another stack to generate test data has been invaluable.

So, this is one of those blog posts where I write down how to use the library for signature generation and validation for future Scott to reference once he inevitably forgets.


Ktor using OAuth 2.0 and IdentityServer4

01 February 2019 Kotlin

This article will show you how to configure a Kotlin Ktor application to get access tokens from IdentityServer4 using OAuth 2.0. These tokens can then be used to access an API on behalf of a user. We’ll be using JWTs as our access tokens. To find out how to authorize access to a Ktor API using JWTs, check out my past article “JSON Web Token Verification in Ktor using Kotlin and Java-JWT”.


Ktor OAuth Support

Currently, Ktor only supports OAuth, which means our Ktor application can receive access tokens to talk to an API on behalf of the user, but it cannot find out who the user is. If we wanted to find out who the user is and to receive identity tokens, we would need OpenID Connect, which is currently unsupported...


JSON Web Token Verification in Ktor using Kotlin and Java-JWT

20 November 2017 Kotlin, Ktor Last Updated: 01 February 2019

In my previous article, we looked at how to get an access token and use it to access a protected resource, in Kotlin. Now we’re going to take a look at the other side of the story: how to validate an access token (in this case a structured JWT) before allowing access to the protected resource.

For token verification we’re going to:

  1. Get available public keys from a JWKS endpoint
  2. Parse the public key used to sign the received JWT
  3. Verify the access token signature, issuer, and audience. This will also verify that the token hasn’t expired (the exp claim), that it was issued in the past (the iat claim), and that the token is allowed to be used (the nbf claim)

We’ll then use this logic to protect an API endpoint running on Ktor.


Experimenting with Kotlin and OAuth

15 November 2017 Kotlin

I’ve recently been picking up Kotlin and, since I work with authentication and authorization protocols on a daily basis, I used a basic OAuth scenario as my learning activity and thought I'd share my journey.

The scenario was to issue an OAuth request, parse the results, and then access a protected resource using the resulting token. This does not use any of the browser-based grant types; instead it is purely back-end communication using the token endpoint and the client credentials grant type.

I’m not a Java developer, so this use of Kotlin has also been my first experience with that entire ecosystem. As a result...
