The latest articles on DEV Community by Jan Stoltman (@janstoltman). https://dev.to/janstoltman https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F379517%2Fcfff792b-f6c7-41ca-aaed-658de6de07db.jpeg https://dev.to/janstoltman en Jan Stoltman Tue, 11 Aug 2020 21:25:35 +0000 https://dev.to/janstoltman/ktor-setting-up-jwt-1n4l https://dev.to/janstoltman/ktor-setting-up-jwt-1n4l <p><a href="https://jwt.io/">JWT</a> can be a tricky thing to implement yourself, fortunately you don't really have to do that, it's much easier, safer and faster to use one of many existing libraries. </p> <p>Most frameworks have such libraries, and so does <a href="https://ktor.io/servers/features/authentication/jwt.html">Ktor</a>. In this post I would like to save the knowledge on how to quickly setup basic JWT flow in your app. </p> <h1> 0. Add gradle import and install feature </h1> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">implementation</span> <span class="s2">"io.ktor:ktor-auth-jwt:$ktor_version"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight kotlin"><code> <span class="nf">install</span><span class="p">(</span><span class="nc">Authentication</span><span class="p">)</span> <span class="p">{</span> <span class="nf">jwt</span> <span class="p">{</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h1> 1. Setup secret and config </h1> <p>Preferably you should use standard <code>application.conf</code> file to store configuration info. If so, just add your cypher's secret and other jwt related configs there (don't push it to control version system)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">jwt</span> { <span class="s2">"SECRET"</span> = <span class="s2">"123"</span> <span class="s2">"VALIDITY_MS"</span> = <span class="s2">"36000000"</span> // <span class="m">10</span> <span class="n">Hours</span> <span class="s2">"ISSUER"</span> = <span class="s2">"softwaret"</span> <span class="s2">"REALM"</span> = <span class="s2">"softwaret.kpdf"</span> } </code></pre> </div> <h1> 2. Prepare token generation method </h1> <p>Pick user-related data that you want to store in token and then prepare token generation method (I use just login in my example)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight kotlin"><code><span class="k">fun</span> <span class="nf">generateToken</span><span class="p">(</span><span class="n">login</span><span class="p">:</span> <span class="nc">Login</span><span class="p">):</span> <span class="nc">String</span> <span class="p">=</span> <span class="nc">JWT</span><span class="p">.</span><span class="nf">create</span><span class="p">()</span> <span class="p">.</span><span class="nf">withSubject</span><span class="p">(</span><span class="s">"Authentication"</span><span class="p">)</span> <span class="p">.</span><span class="nf">withIssuer</span><span class="p">(</span><span class="n">issuer</span><span class="p">)</span> <span class="p">.</span><span class="nf">withClaim</span><span class="p">(</span><span class="s">"login"</span><span class="p">,</span> <span class="n">login</span><span class="p">.</span><span class="n">value</span><span class="p">)</span> <span class="p">.</span><span class="nf">withExpiresAt</span><span class="p">(</span><span class="nf">obtainExpirationDate</span><span class="p">())</span> <span class="p">.</span><span class="nf">sign</span><span class="p">(</span><span class="n">algorithm</span><span class="p">)</span> <span class="k">private</span> <span class="k">fun</span> <span class="nf">obtainExpirationDate</span><span class="p">()</span> <span class="p">=</span> <span class="nc">Date</span><span class="p">(</span><span class="nc">System</span><span class="p">.</span><span class="nf">currentTimeMillis</span><span class="p">()</span> <span class="p">+</span> <span class="n">tokenExpirationPeriodMs</span><span class="p">)</span> <span class="err">#</span> <span class="n">expiration</span> <span class="n">period</span> <span class="n">from</span> <span class="n">config</span> <span class="n">file</span> </code></pre> </div> <h1> 3. Pass token to user after login </h1> <p>Return the new token in any way you like and let client set it as its <code>Authorization</code> header with value <code>Bearer $token</code> (eg <code>Authorization: Bearer 123</code>).</p> <h1> 4. Setup token validation </h1> <p>Add body to installed JWT application's feature<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight kotlin"><code> <span class="nf">jwt</span> <span class="p">{</span> <span class="n">realm</span> <span class="p">=</span> <span class="s">"jwt.REALM"</span> <span class="err">#</span><span class="n">realm</span> <span class="n">from</span> <span class="n">config</span> <span class="n">file</span> <span class="nf">verifier</span><span class="p">(</span><span class="nf">buildJwtVerifier</span><span class="p">())</span> <span class="nf">validate</span> <span class="p">{</span> <span class="n">jwtCredential</span> <span class="p">-&gt;</span> <span class="nf">validateCredential</span><span class="p">(</span><span class="n">jwtCredential</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Verifier</strong> should check whether token is correct and can be trusted, fortunately the framework takes care of this for us, just create a function which build the verifier:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight kotlin"><code><span class="k">fun</span> <span class="nf">buildJwtVerifier</span><span class="p">()</span> <span class="p">=</span> <span class="nc">JWT</span><span class="p">.</span><span class="nf">require</span><span class="p">(</span><span class="nc">Algorithm</span><span class="p">.</span><span class="nc">HMAC512</span><span class="p">(</span><span class="s">"jwt.SECRET"</span><span class="p">))</span> <span class="err">#</span> <span class="n">secret</span> <span class="n">from</span> <span class="n">config</span> <span class="n">file</span> <span class="p">.</span><span class="nf">withIssuer</span><span class="p">(</span><span class="n">issuer</span><span class="p">)</span> <span class="err">#</span> <span class="n">issuer</span> <span class="n">from</span> <span class="n">config</span> <span class="n">file</span> <span class="p">.</span><span class="nf">build</span><span class="p">()</span> </code></pre> </div> <p><strong>Validator</strong> should check whether any user (or any other entity in your app) matches the passed data (login in my example) and sets it as the call's principle. This principle with be later available for any call handling method which requires authentication, so that one can easily check wich user asked about data.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight kotlin"><code><span class="k">fun</span> <span class="nf">validateCredential</span><span class="p">(</span><span class="n">jwtCredential</span><span class="p">:</span> <span class="nc">JWTCredential</span><span class="p">)</span> <span class="p">=</span> <span class="k">if</span> <span class="p">(</span><span class="nf">userByLoginExists</span><span class="p">(</span><span class="n">jwtCredential</span><span class="p">.</span><span class="n">payload</span><span class="p">.</span><span class="nf">getClaim</span><span class="p">(</span><span class="s">"login"</span><span class="p">))</span> <span class="p">{</span> <span class="nc">JWTPrincipal</span><span class="p">(</span><span class="n">jwtCredential</span><span class="p">.</span><span class="n">payload</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">null</span> <span class="p">}</span> </code></pre> </div> <h1> 5. Put any route which requires authentication inside <code>authenticate</code> block </h1> <p>Just wrap any route in <code>authenticate</code> lambda and it will easily handle JWT authentication and return 401 if token is invalid.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight kotlin"><code><span class="nf">authenticate</span> <span class="p">{</span> <span class="k">get</span><span class="p">(</span><span class="s">"/authentication"</span><span class="p">)</span> <span class="p">{</span> <span class="n">call</span><span class="p">.</span><span class="nf">respond</span><span class="p">(</span><span class="n">message</span> <span class="p">=</span> <span class="s">"Authentication is valid!"</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>And that's it! Happy JWT-ing in the future!</p> <p><em>Real life code example of JWT implementation can by found here: <a href="//github.com/Softwaret/kpdf">github.com/Softwaret/kpdf</a></em></p> kotlin jwt ktor recipe