KTOR-9244 Update client auth and document provider selection#786
Walkthrough
Added test dependencies and a new test verifying bearer token refresh behavior in the OAuth Google authentication example. Updated client authentication documentation across multiple topic files to improve organization, clarity, and provide standardized examples for bearer, basic, and digest authentication methods.
Actionable comments posted: 1
🧹 Nitpick comments (2)
codeSnippets/snippets/client-auth-oauth-google/src/test/kotlin/ApplicationTest.kt (1)
44-58: Consider closing the HttpClient after use.
While less critical for tests with MockEngine, closing the client is good practice to demonstrate proper resource management in sample code.
♻️ Suggested improvement
- val client = HttpClient(engine) { - install(Auth) { - bearer { - loadTokens { - BearerTokens("invalid", "refresh") - } - - refreshTokens { - BearerTokens("valid", "refresh") - } - } - } - } - val response = client.get("https://test.example") - assertEquals(HttpStatusCode.OK, response.status) + val client = HttpClient(engine) { + install(Auth) { + bearer { + loadTokens { + BearerTokens("invalid", "refresh") + } + + refreshTokens { + BearerTokens("valid", "refresh") + } + } + } + } + client.use { + val response = it.get("https://test.example") + assertEquals(HttpStatusCode.OK, response.status) + }🤖 Prompt for AI Agents
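Review bot: The assertion inside `client.use { ... }` checks only that the final status is OK, so the test would still pass if the mock engine answered 200 without a refresh ever taking place. Since `loadTokens` returns "invalid" and `refreshTokens` returns "valid", also assert that the retried request carried the `valid` access token and that `refreshTokens` ran exactly once. Moving the request into `use` is the right call: the client is closed even when the assertion throws.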
Verify each finding against the current code and only fix it if needed.
In `@codeSnippets/snippets/client-auth-oauth-google/src/test/kotlin/ApplicationTest.kt` around lines 44 - 58, The HttpClient instance named client in the test is not closed; update the test to properly dispose of it after use by invoking client.close() or using the client's use/auto-close pattern around the request so HttpClient resources are released; locate the HttpClient(...) block and the subsequent client.get call and ensure the client is closed afterward (e.g., call client.close() or wrap client creation in a use scope).
topics/client-auth.md (1)
174-176: Consider varying bullet sentence openings for smoother scanability.
All three bullets start with “When”, which reads a bit repetitive.
✍️ Suggested wording tweak
-* When the user logs out. -* When credentials or tokens stored by your application change. -* When you need to force providers to reload the authentication state on the next request. +* After a user logs out. +* If credentials or tokens stored by your application change. +* To force providers to reload the authentication state on the next request.🤖 Prompt for AI Agents
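Review bot: The replacement bullets open with "After", "If" and "To", so the three items no longer share one grammatical form, and the last one now states a purpose rather than a moment. If the list follows a stem sentence, check that each bullet still completes it; otherwise keeping the parallel "When ..." form is the safer choice.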
Verify each finding against the current code and only fix it if needed. In `@topics/client-auth.md` around lines 174 - 176, The three bullets ("When the user logs out.", "When credentials or tokens stored by your application change.", "When you need to force providers to reload the authentication state on the next request.") are repetitive because they all begin with "When"; reword them for variety and smoother scanning by changing sentence openings (e.g., "On user logout.", "If credentials or stored tokens change.", "To force providers to reload the auth state on the next request."). Update the three bullet lines in topics/client-auth.md accordingly while preserving their original meaning.
📒 Files selected for processing (7)
codeSnippets/snippets/client-auth-oauth-google/build.gradle.kts
codeSnippets/snippets/client-auth-oauth-google/src/test/kotlin/ApplicationTest.kt
topics/client-auth.md
topics/client-basic-auth.md
topics/client-bearer-auth.md
topics/client-digest-auth.md
topics/lib.topic
| 2. Open the [Google Cloud Console](https://console.cloud.google.com/apis/credentials) | ||
| 3. Create an `OAuth client ID` with the `Android` application type. You will use this client | ||
| ID to obtain an [authorization grant](#step1). | ||
🧩 Analysis chain
🌐 Web query:
For Google OAuth 2.0 with redirect_uri=http://127.0.0.1:8080 (loopback flow), which OAuth client type should be used in Google Cloud Console?
💡 Result:
Use an OAuth 2.0 Client ID of type “Desktop app” in Google Cloud Console for the loopback redirect URI flow (e.g., http://127.0.0.1:8080). [1]
Incorrect Google OAuth client type for loopback flow.
Lines 157–160 instruct creating an OAuth client with Android application type, but loopback redirect flows (http://127.0.0.1:8080) require a Desktop app client type. Using Android will cause setup failures.
Fix
-3. Create an `OAuth client ID` with the `Android` application type. You will use this client
-ID to obtain an [authorization grant](`#step1`).
+3. Create an `OAuth client ID` with the `Desktop app` application type. You will use this client
+ID to obtain an [authorization grant](`#step1`).📝 Committable suggestion
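Review bot: In both the removed and the added line the link target is written with backticks around #step1, while the file text quoted above has a plain (#step1). As written, the removed line will not match the file and the added line would put backticks into the link target, which breaks the anchor; keep the target as (#step1). The accompanying prompt also asks for the loopback redirect URI (http://127.0.0.1:8080) to be mentioned, which the added lines do not do.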
🧰 Tools
🪛 markdownlint-cli2 (0.21.0)
[warning] 159-159: Link fragments should be valid (MD051, link-fragments)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@topics/client-bearer-auth.md` around lines 157 - 160, The step currently
instructs creating an OAuth client of type "Android" which is incorrect for a
loopback redirect; update the sentence that reads "Create an `OAuth client ID`
with the `Android` application type" to instruct creating an `OAuth client ID`
with the "Desktop app" application type and explicitly mention adding the
loopback redirect URI (e.g. http://127.0.0.1:8080) so the authorization grant
flow referenced by the link (`#step1`) works correctly.
Description:
client-auth and client-bearer-auth. MockEngine.
Related issues:
KTOR-9244 Documentation for Auth/Bearer: Make BearerAuthProvider detect disguised Bearer scheme
KTOR-6591 MockEngine: Example of testing client with bearer auth
KTOR-8022 Show how to add dependencies in client auth topics
KTOR-8846 Document refreshTokens behavior in multiple parallel requests
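An added example, not code from this pull request or the Ktor project: a MockEngine test for the bearer refresh flow discussed in the review, which checks the token sent on each attempt instead of only the final status. The test class, the mock handler and the counters are assumptions (the page shows only the client configuration), and it relies on the bearer provider attaching the loaded token to the first request.

```kotlin
import io.ktor.client.HttpClient
import io.ktor.client.engine.mock.MockEngine
import io.ktor.client.engine.mock.respond
import io.ktor.client.plugins.auth.Auth
import io.ktor.client.plugins.auth.providers.BearerTokens
import io.ktor.client.plugins.auth.providers.bearer
import io.ktor.client.request.get
import io.ktor.http.HttpHeaders
import io.ktor.http.HttpStatusCode
import io.ktor.http.headersOf
import kotlinx.coroutines.test.runTest
import kotlin.test.Test
import kotlin.test.assertEquals

class BearerRefreshTest {
    @Test
    fun refreshesOnceAndRetriesWithNewToken() = runTest {
        val seenAuthHeaders = mutableListOf<String?>() // one entry per attempt
        var refreshCalls = 0

        // Hypothetical handler: only "Bearer valid" is accepted; anything else
        // gets a 401 with a Bearer challenge, which triggers refreshTokens.
        val engine = MockEngine { request ->
            val auth = request.headers[HttpHeaders.Authorization]
            seenAuthHeaders += auth
            if (auth == "Bearer valid") {
                respond("ok", HttpStatusCode.OK)
            } else {
                respond("", HttpStatusCode.Unauthorized,
                    headersOf(HttpHeaders.WWWAuthenticate, "Bearer"))
            }
        }

        HttpClient(engine) {
            install(Auth) {
                bearer {
                    loadTokens { BearerTokens("invalid", "refresh") }
                    refreshTokens { refreshCalls++; BearerTokens("valid", "refresh") }
                }
            }
        }.use { client -> // closed even if an assertion below throws
            val response = client.get("https://test.example")
            assertEquals(HttpStatusCode.OK, response.status)
        }

        // The stale token goes out first, then exactly one retry with the new one.
        assertEquals(listOf<String?>("Bearer invalid", "Bearer valid"), seenAuthHeaders)
        assertEquals(1, refreshCalls)
    }
}
```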