atproto-oauth-aip 0.11.3

ATProtocol AIP OAuth tools
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151

# atproto-oauth-aip

OAuth AIP (Identity Provider) implementation for AT Protocol.

## Overview

Complete OAuth 2.0 authorization code flow with PAR, PKCE, token exchange, and AT Protocol session management for identity providers.

## Features

- **OAuth 2.0 authorization code flow**: Complete implementation with PKCE support for secure authentication
- **Pushed Authorization Requests (PAR)**: Enhanced security through server-side request storage
- **Token exchange**: Secure OAuth token issuance and refresh capabilities
- **AT Protocol session management**: Convert OAuth tokens to AT Protocol sessions with DID resolution
- **Resource validation**: OAuth protected resource and authorization server configuration validation
- **Structured error handling**: Comprehensive error types following AT Protocol conventions

## CLI Tools

This crate does not provide standalone CLI tools. It serves as a library for OAuth AIP implementations.


## Usage

### Basic OAuth Flow

```rust
use atproto_oauth_aip::{OAuthClient, oauth_init, oauth_complete, session_exchange};
use atproto_oauth::storage::MemoryStorage;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Initialize OAuth client
    let client = OAuthClient::new(
        "https://your-app.com/client-id".to_string(),
        Some("your-client-secret".to_string()),
        "https://your-app.com/callback".to_string(),
    );
    
    // Initialize storage (use persistent storage in production)
    let storage = MemoryStorage::new();
    
    // Start OAuth flow
    let (authorization_url, state) = oauth_init(
        &client,
        "user@example.com",  // User identifier
        &storage,
    ).await?;
    
    // Redirect user to authorization_url
    println!("Please visit: {}", authorization_url);
    
    // After user authorizes and is redirected back with code and state...
    let authorization_code = "received-auth-code";
    let returned_state = "returned-state";
    
    // Complete OAuth flow
    let access_token = oauth_complete(
        &client,
        authorization_code,
        returned_state,
        &storage,
    ).await?;
    
    // Exchange for AT Protocol session
    let session = session_exchange(
        &client,
        &access_token,
        &storage,
    ).await?;
    
    println!("Authenticated as: {} ({})", session.handle, session.did);
    println!("PDS Endpoint: {}", session.pds_endpoint);
    
    Ok(())
}
```

### Fetching OAuth Metadata

```rust
use atproto_oauth_aip::resources::{oauth_protected_resource, oauth_authorization_server};

// Get OAuth protected resource configuration
let protected_resource = oauth_protected_resource("https://bsky.social").await?;

// Get OAuth authorization server metadata
let auth_server = oauth_authorization_server(&protected_resource).await?;
```

## API Documentation

### Core Types

- `OAuthClient`: OAuth client credentials and configuration
- `ATProtocolSession`: Authenticated session containing DID, handle, and PDS endpoint

### Main Functions

- `oauth_init()`: Initiates OAuth flow using PAR
- `oauth_complete()`: Exchanges authorization code for access token
- `session_exchange()`: Converts OAuth access token to AT Protocol session

### Resource Functions

- `oauth_protected_resource()`: Fetch OAuth protected resource metadata
- `oauth_authorization_server()`: Fetch OAuth authorization server metadata

## Error Handling

The crate uses typed errors following the AT Protocol error format:

```rust
use atproto_oauth_aip::OAuthWorkflowError;

match result {
    Err(OAuthWorkflowError::InvalidAuthorizationRequest(e)) => {
        // Handle PAR errors
    }
    Err(OAuthWorkflowError::TokenExchangeFailed(e)) => {
        // Handle token exchange errors
    }
    // ... other error types
}
```

## Storage Requirements

This crate requires an implementation of the `OAuthStorage` trait from `atproto-oauth`. For production use, implement persistent storage rather than using `MemoryStorage`.

## Security Considerations

- Always use HTTPS URLs for OAuth endpoints
- Implement proper state validation to prevent CSRF attacks
- Store client secrets securely
- Use persistent storage with appropriate security measures
- Validate DPoP keys when required by the authorization server

## Dependencies

This crate depends on:
- `atproto-oauth`: Core OAuth implementation
- `atproto-identity`: AT Protocol identity resolution
- `atproto-record`: Record handling
- `reqwest`: HTTP client
- `serde`: Serialization
- `tokio`: Async runtime

## License

MIT License