§AT Protocol OAuth AIP (Identity Provider) Implementation
This crate provides a comprehensive OAuth 2.0 workflow implementation for AT Protocol Identity Providers (AIPs). It handles the complete OAuth flow including Pushed Authorization Requests (PAR), token exchange, and session management according to AT Protocol specifications.
§Key Features
- OAuth 2.0 Authorization Code Flow: Complete implementation with PKCE support
- Pushed Authorization Requests (PAR): Enhanced security through server-side request storage
- Token Exchange: Secure token issuance and refresh capabilities
- Session Management: AT Protocol session establishment and validation
- Resource Validation: OAuth protected resource and authorization server validation
§Usage
The primary entry point is the workflow module which provides functions for each stage of the OAuth flow:
// Example wiring of the three workflow entry points. This is an excerpt, not a
// compilable unit: the enclosing `async fn` (needed for `.await?`) is omitted,
// and two names used below are never defined here — `oauth_request` in the
// `oauth_complete` call (presumably `oauth_request_state`) and
// `protected_resource` in the `session_exchange` call. Confirm both against the
// function signatures before copying this.
use atproto_oauth_aip::workflow::{oauth_init, oauth_complete, session_exchange, OAuthClient};
use atproto_oauth::resources::AuthorizationServer;
use atproto_oauth::workflow::OAuthRequestState;
let http_client = reqwest::Client::new();
// Client registration data. The literal `client_secret` is illustrative only;
// a deployment loads it from configuration or a secret store, never from source.
let oauth_client = OAuthClient {
redirect_uri: "https://redirect.example.com/callback".to_string(),
client_id: "client123".to_string(),
client_secret: "secret456".to_string(),
};
// Authorization server metadata, written out by hand for the example. In
// practice these values typically come from the server's published metadata
// document rather than being hard-coded — verify against the crate's
// resource-validation support.
let authorization_server = AuthorizationServer {
issuer: "https://auth.example.com".to_string(),
authorization_endpoint: "https://auth.example.com/authorize".to_string(),
token_endpoint: "https://auth.example.com/token".to_string(),
pushed_authorization_request_endpoint: "https://auth.example.com/par".to_string(),
// Left empty: this example never calls an introspection endpoint.
introspection_endpoint: "".to_string(),
scopes_supported: vec!["atproto".to_string(), "transition:generic".to_string()],
response_types_supported: vec!["code".to_string()],
grant_types_supported: vec!["authorization_code".to_string(), "refresh_token".to_string()],
token_endpoint_auth_methods_supported: vec!["none".to_string(), "private_key_jwt".to_string()],
token_endpoint_auth_signing_alg_values_supported: vec!["ES256".to_string()],
// Consistent with `oauth_init` below going through the PAR endpoint instead
// of sending request parameters on the authorization URL.
require_pushed_authorization_requests: true,
request_parameter_supported: false,
// Only `S256` is advertised, so `code_challenge` below must be the S256
// transform of the PKCE verifier.
code_challenge_methods_supported: vec!["S256".to_string()],
// The server returns `iss` on the callback; the client should compare it with
// `issuer` above when handling the redirect.
authorization_response_iss_parameter_supported: true,
dpop_signing_alg_values_supported: vec!["ES256".to_string()],
client_id_metadata_document_supported: true,
};
// Per-flow request state. The literals are placeholders: `state` and `nonce`
// must be fresh, unpredictable values generated for each authorization attempt,
// and `code_challenge` must be derived from a PKCE verifier that is kept until
// the code is redeemed. Reusing fixed values defeats the CSRF and
// code-interception protections these parameters exist for.
let oauth_request_state = OAuthRequestState {
state: "random-state".to_string(),
nonce: "random-nonce".to_string(),
code_challenge: "code-challenge".to_string(),
scope: "atproto transition:generic".to_string(),
};
// Step 1: push the authorization request to the PAR endpoint taken from the
// metadata above. `Some("user_handle")` is presumably the account handle used
// as a login hint — confirm against `oauth_init`'s signature.
let par_response = oauth_init(
&http_client,
&oauth_client,
Some("user_handle"),
&authorization_server.pushed_authorization_request_endpoint,
&oauth_request_state
).await?;
// Step 2: after the user is redirected back, redeem the authorization code at
// the token endpoint. `"authorization_code"` stands in for the `code` callback
// parameter. Before making this call, check that the callback's `state` equals
// `oauth_request_state.state` (and that `iss` matches `issuer`); an unmatched
// callback must be rejected, not exchanged.
let token_response = oauth_complete(
&http_client,
&oauth_client,
&authorization_server.token_endpoint,
"authorization_code",
&oauth_request
).await?;
// Step 3: exchange the access token for an AT Protocol session with the
// protected resource. `protected_resource` is not defined in this excerpt;
// it is presumably the validated protected-resource document.
let session = session_exchange(
&http_client,
&protected_resource.resource,
&token_response.access_token
).await?;
§Error Handling
All operations return structured error types with descriptive messages that follow the project’s error-message convention.