KTOR-9244 Update client auth and document provider selection #786

Open: vnikolova wants to merge 4 commits into main from vnikolova/KTOR-9244

@vnikolova vnikolova commented Mar 13, 2026

Description:

  • Document how providers are selected when one or more are installed.
  • Fix file formatting, grammar and language in client-auth and client-bearer-auth.
  • Add "Add dependencies" sections in all client auth subtopics.
  • Add a test in the google oauth sample using MockEngine.

Related issues:

KTOR-9244 Documentation for Auth/Bearer: Make BearerAuthProvider detect disguised Bearer scheme
KTOR-6591 MockEngine: Example of testing client with bearer auth
KTOR-8022 Show how to add dependencies in client auth topics
KTOR-8846 Document refreshTokens behavior in multiple parallel requests

coderabbitai bot commented Mar 13, 2026

Walkthrough

Added test dependencies and a new test verifying bearer token refresh behavior in the OAuth Google authentication example. Updated client authentication documentation across multiple topic files to improve organization, clarity, and provide standardized examples for bearer, basic, and digest authentication methods.

Changes

| Cohort / File(s) | Summary |
|---|---|
| **Build and Test Configuration**: `codeSnippets/snippets/client-auth-oauth-google/build.gradle.kts`, `codeSnippets/snippets/client-auth-oauth-google/src/test/kotlin/ApplicationTest.kt` | Added test-scoped junit and ktor-client-mock dependencies. Created new test file demonstrating bearer token refresh behavior when multiple authentication providers are present, using MockEngine to simulate 401 responses and verify correct token refresh flow. |
| **Client Authentication Documentation**: `topics/client-auth.md`, `topics/client-basic-auth.md`, `topics/client-bearer-auth.md`, `topics/client-digest-auth.md` | Updated client authentication topic files with improved organization, restructured sections with descriptive headings instead of numbered steps, integrated shared dependency installation content, expanded examples, and clarified token handling flows. Bearer auth topic underwent substantial rework including OAuth 2.0 flow expansion and token refresh mechanism documentation. |
| **Reference Documentation**: `topics/lib.topic` | Changed tip block markup from paragraph to tip element and updated wording for artifact reference guidance. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • Stexxe
  • osipxd
  • marychatte

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly summarizes the main changes: updating client authentication documentation and documenting provider selection behavior. |
| Description check | ✅ Passed | The description relates to the changeset by listing all major modifications: documentation updates, dependency sections, and test additions across multiple files. |

@vnikolova vnikolova marked this pull request as ready for review March 16, 2026 14:32
@vnikolova vnikolova requested review from e5l and osipxd March 16, 2026 14:33
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
codeSnippets/snippets/client-auth-oauth-google/src/test/kotlin/ApplicationTest.kt (1)

44-58: Consider closing the HttpClient after use.

While less critical for tests with MockEngine, closing the client is good practice to demonstrate proper resource management in sample code.

♻️ Suggested improvement
-        val client = HttpClient(engine) {
-            install(Auth) {
-                bearer {
-                    loadTokens {
-                        BearerTokens("invalid", "refresh")
-                    }
-
-                    refreshTokens {
-                        BearerTokens("valid", "refresh")
-                    }
-                }
-            }
-        }
-        val response = client.get("https://test.example")
-        assertEquals(HttpStatusCode.OK, response.status)
+        val client = HttpClient(engine) {
+            install(Auth) {
+                bearer {
+                    loadTokens {
+                        BearerTokens("invalid", "refresh")
+                    }
+
+                    refreshTokens {
+                        BearerTokens("valid", "refresh")
+                    }
+                }
+            }
+        }
+        client.use {
+            val response = it.get("https://test.example")
+            assertEquals(HttpStatusCode.OK, response.status)
+        }
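Review bot: On the last added lines, `client.use { ... }` wraps only the request while the client stays bound to a `val` that remains in scope after it is closed; chaining `.use { client -> ... }` directly onto the `HttpClient(engine) { ... }` expression leaves no usable reference to a closed client and avoids the implicit `it`. Separately, the only assertion visible here is `assertEquals(HttpStatusCode.OK, response.status)`: nothing in these lines checks that `refreshTokens` ran or that the retried request carried the `valid` token rather than `invalid`, so a test about token refresh would be stronger with an assertion on the Authorization header of the final request.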
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@codeSnippets/snippets/client-auth-oauth-google/src/test/kotlin/ApplicationTest.kt`
around lines 44 - 58, The HttpClient instance named client in the test is not
closed; update the test to properly dispose of it after use by invoking
client.close() or using the client's use/auto-close pattern around the request
so HttpClient resources are released; locate the HttpClient(...) block and the
subsequent client.get call and ensure the client is closed afterward (e.g., call
client.close() or wrap client creation in a use scope).
topics/client-auth.md (1)

174-176: Consider varying bullet sentence openings for smoother scanability.

All three bullets start with “When”, which reads a bit repetitive.

✍️ Suggested wording tweak
-* When the user logs out.
-* When credentials or tokens stored by your application change.
-* When you need to force providers to reload the authentication state on the next request.
+* After a user logs out.
+* If credentials or tokens stored by your application change.
+* To force providers to reload the authentication state on the next request.
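Review bot: The three replacement bullets open with "After", "If" and "To", so they are no longer grammatically parallel, and the third ("To force providers to reload ...") states a purpose where the first two state a condition. The sentence that introduces the list is not part of this hunk, so check that each bullet still completes it, or keep one construction for all three.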
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@topics/client-auth.md` around lines 174 - 176, The three bullets ("When the
user logs out.", "When credentials or tokens stored by your application
change.", "When you need to force providers to reload the authentication state
on the next request.") are repetitive because they all begin with "When"; reword
them for variety and smoother scanning by changing sentence openings (e.g., "On
user logout.", "If credentials or stored tokens change.", "To force providers to
reload the auth state on the next request."). Update the three bullet lines in
topics/client-auth.md accordingly while preserving their original meaning.

📥 Commits

Reviewing files that changed from the base of the PR and between 30d1d41 and 45bff20.

📒 Files selected for processing (7)
  • codeSnippets/snippets/client-auth-oauth-google/build.gradle.kts
  • codeSnippets/snippets/client-auth-oauth-google/src/test/kotlin/ApplicationTest.kt
  • topics/client-auth.md
  • topics/client-basic-auth.md
  • topics/client-bearer-auth.md
  • topics/client-digest-auth.md
  • topics/lib.topic

Comment on lines +157 to 160
2. Open the [Google Cloud Console](https://console.cloud.google.com/apis/credentials)
3. Create an `OAuth client ID` with the `Android` application type. You will use this client
ID to obtain an [authorization grant](#step1).

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

For Google OAuth 2.0 with redirect_uri=http://127.0.0.1:8080 (loopback flow), which OAuth client type should be used in Google Cloud Console?

💡 Result:

Use an OAuth 2.0 Client ID of type “Desktop app” in Google Cloud Console for the loopback redirect URI flow (e.g., http://127.0.0.1:8080). [1]


Incorrect Google OAuth client type for loopback flow.

Lines 157–160 instruct creating an OAuth client with Android application type, but loopback redirect flows (http://127.0.0.1:8080) require a Desktop app client type. Using Android will cause setup failures.

Fix
-3. Create an `OAuth client ID` with the `Android` application type. You will use this client
-ID to obtain an [authorization grant](`#step1`).
+3. Create an `OAuth client ID` with the `Desktop app` application type. You will use this client
+ID to obtain an [authorization grant](`#step1`).
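Review bot: The added line puts backticks around #step1 inside the link parentheses, whereas the lines under review write the link as `[authorization grant](#step1)`; applied as written, this would break the anchor link, and the `-` lines would not match the file. Keep the link target unchanged and replace only `Android` with `Desktop app`. The accompanying prompt also asks for the loopback redirect URI to be mentioned, which this fix does not add.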
Suggested change
2. Open the [Google Cloud Console](https://console.cloud.google.com/apis/credentials)
3. Create an `OAuth client ID` with the `Android` application type. You will use this client
ID to obtain an [authorization grant](#step1).
2. Open the [Google Cloud Console](https://console.cloud.google.com/apis/credentials)
3. Create an `OAuth client ID` with the `Desktop app` application type. You will use this client
ID to obtain an [authorization grant](`#step1`).
🧰 Tools
🪛 markdownlint-cli2 (0.21.0)

[warning] 159-159: Link fragments should be valid

(MD051, link-fragments)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@topics/client-bearer-auth.md` around lines 157 - 160, The step currently
instructs creating an OAuth client of type "Android" which is incorrect for a
loopback redirect; update the sentence that reads "Create an `OAuth client ID`
with the `Android` application type" to instruct creating an `OAuth client ID`
with the "Desktop app" application type and explicitly mention adding the
loopback redirect URI (e.g. http://127.0.0.1:8080) so the authorization grant
flow referenced by the link (`#step1`) works correctly.
