Module workflow


OAuth 2.0 authorization workflow for AT Protocol identity providers.

Complete authorization code flow implementation covering PAR initialization, code exchange, and AT Protocol session establishment:

  1. Initialization (oauth_init): creates a Pushed Authorization Request (PAR) and returns the authorization URL to which the user is sent for consent
  2. Completion (oauth_complete): exchanges the authorization code delivered to the redirect URI for access tokens
  3. Session Exchange (session_exchange): exchanges the OAuth access token for an AT Protocol session

§Security Features

  • Pushed Authorization Requests (PAR): the authorization parameters are pushed directly to the authorization server over a back channel and referenced by the returned request_uri, so they are neither exposed nor tamperable in the front-channel authorization URL the user's browser follows
  • PKCE (Proof Key for Code Exchange): the code_challenge sent with the request is bound to a code_verifier that only the client holds, so an intercepted authorization code cannot be redeemed without it
  • DPoP (Demonstration of Proof-of-Possession): tokens are bound to a client-held key pair, so a token stolen in transit or from storage cannot be replayed without also proving possession of the private key

§Usage Example

use atproto_oauth_aip::workflow::{oauth_init, oauth_complete, session_exchange, OAuthClient};
use atproto_oauth::resources::{AuthorizationServer, OAuthProtectedResource};
use atproto_oauth::workflow::{OAuthRequestState, OAuthRequest};

let http_client = reqwest::Client::new();

// Assumed to have been obtained by metadata discovery before this point (not shown here):
// `authorization_server: AuthorizationServer` and `protected_resource: OAuthProtectedResource`.

// 1. Initialize OAuth flow
let oauth_client = OAuthClient {
    redirect_uri: "https://myapp.com/callback".to_string(),
    client_id: "my_client_id".to_string(),
    client_secret: "my_client_secret".to_string(),
};

// The literal values below are placeholders. In real code `state` and `nonce` must be fresh,
// unpredictable per-request values from a CSPRNG, and `code_challenge` must be
// BASE64URL(SHA256(code_verifier)) for a verifier that stays server-side until step 2.
let oauth_request_state = OAuthRequestState {
    state: "random-state".to_string(),
    nonce: "random-nonce".to_string(),
    code_challenge: "code-challenge".to_string(),
    scope: "atproto transition:generic".to_string(),
};

// Pushes the request to the PAR endpoint; the result carries the authorization URL
// the user is sent to.
let par_response = oauth_init(
    &http_client,
    &oauth_client,
    Some("user.bsky.social"),
    &authorization_server.pushed_authorization_request_endpoint,
    &oauth_request_state
).await?;

// The user visits the authorization URL from `par_response`, grants consent, and is
// redirected back with an authorization code and the `state` echoed. Before step 2, look
// up the request persisted in step 1 by that `state` and reject the callback if none matches.

// 2. Complete OAuth flow
// `oauth_request` is the pending OAuthRequest persisted in step 1 (how it is stored is
// up to the application and not shown here).
let token_response = oauth_complete(
    &http_client,
    &oauth_client,
    &authorization_server.token_endpoint,
    "received_auth_code",
    &oauth_request
).await?;

// 3. Exchange for AT Protocol session
let session = session_exchange(
    &http_client,
    &protected_resource.resource,
    &token_response.access_token
).await?;

§Error Handling

All functions return Result<T, OAuthWorkflowError> with detailed error information for each phase of the OAuth flow including network failures, parsing errors, and protocol violations.

§Structs

ATProtocolSession
Represents an authenticated AT Protocol session.
OAuthClient
OAuth client configuration containing essential client credentials.

§Functions

oauth_complete
Completes the OAuth authorization flow by exchanging the authorization code for tokens.
oauth_init
Initiates an OAuth authorization flow using Pushed Authorization Request (PAR).
session_exchange
Exchanges an OAuth access token for an AT Protocol session.