Kotlin

I’ve been using the Java library “Nimbus JOSE + JWT” to create JWTs recently. It has been pretty useful for playing around with uncommon JOSE algorithms such as ES256K and EdDSA. Considering that these are not supported out-of-the-box in .NET yet, being able to use another stack to generate test data has been invaluable.

So, this is one of those blog posts where I write down how to use the library for signature generation and validation for future Scott to reference once he inevitably forgets.

This article will show you how to configure a Kotlin Ktor application to get access tokens from IdentityServer4 using OAuth 2.0. These tokens can then be used to access an API on behalf of a user. We’ll be using JWTs as our access tokens. To find out how to authorize access to a Ktor API using JWTs, check out my past article “JSON Web Token Verification in Ktor using Kotlin and Java-JWT”.

Ktor OAuth Support

Currently, Ktor only supports OAuth which means our Ktor application can receive access tokens to talk to an API on behalf of the user, but it cannot find out who the user is. If we wanted to find out who the user is and to receive identity tokens, we would need OpenID Connect, which is currently unsupported.

In my previous article, we looked at how to get an access token and use it to access a protected resource, in Kotlin. Now we’re going to take a look at the other side of the story: how to validate an access token (in this case a structured JWT) before allowing access to the protected resource.

For token verification we’re going to:

I’ve recently been picking up Kotlin and, since I work with authentication and authorization protocols on a daily basis, I used a basic OAuth scenario as my learning activity and thought I'd share my journey.

The scenario was to issue an OAuth request, parse the results, and then access a protected resource using the resulting token. This is not using any of the browser based grant types, instead just back end communication using the token endpoint and the client credentials grant type.

I’m not a Java developer, so this use of Kotlin has also been my first experience with that entire eco system. As a result, this article will include how to set up a new project, mainly for my own benefit.