atproto-oauth-axum 0.9.3

Axum web framework integration for AT Protocol OAuth workflows

atproto-oauth-axum

Axum web handlers for AT Protocol OAuth 2.0 authorization server endpoints.

Overview

atproto-oauth-axum provides ready-to-use Axum web handlers that implement the complete AT Protocol OAuth 2.0 authorization server specification. The library handles OAuth client metadata discovery, JWKS endpoints, and authorization callback processing, and it includes a command-line OAuth login tool.

Binaries

  • atproto-oauth-tool: Complete OAuth login CLI tool for AT Protocol services

Features

  • Complete OAuth server handlers for Axum web applications
  • Client metadata endpoint with RFC 7591 compliance
  • JWKS endpoint for JSON Web Key Set serving
  • Authorization callback handler with token exchange
  • Native Axum state management and request extractors
  • AT Protocol compliance validation

Usage

Basic Server Setup

use atproto_oauth_axum::{
    handle_complete::handle_oauth_callback,
    handle_jwks::handle_oauth_jwks,
    handler_metadata::handle_oauth_metadata,
    state::OAuthClientConfig,
};
use axum::{routing::get, Router};

// `identify_key` is not imported in this snippet; bring it into scope from the
// crate that provides it. The `?` below needs an enclosing function that
// returns a `Result`.
let oauth_config = OAuthClientConfig {
    client_uri: "https://your-app.com".to_string(),
    // The client_id is the URL where the client metadata document is served.
    client_id: "https://your-app.com/oauth/client-metadata.json".to_string(),
    redirect_uris: "https://your-app.com/oauth/callback".to_string(),
    jwks_uri: "https://your-app.com/.well-known/jwks.json".to_string(),
    // Signing key, given as a did:key string (elided here).
    signing_keys: vec![identify_key("did:key:zQ3sh...")?],
};

// Each route path must match the path of the corresponding URL in the config.
let app = Router::new()
    .route("/oauth/client-metadata.json", get(handle_oauth_metadata))
    .route("/.well-known/jwks.json", get(handle_oauth_jwks))
    .route("/oauth/callback", get(handle_oauth_callback))
    .with_state(oauth_config);
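
A startup check for the setup above, as an added example that is not code from atproto-oauth-axum: the URLs in OAuthClientConfig and the paths passed to .route() are written separately, so they can drift apart and leave client_id, jwks_uri or the redirect URI pointing at a path the server does not serve. The helpers split_https and check_oauth_urls are hypothetical names, and requiring https plus a single origin shared with client_uri is an assumption of this example.

```rust
/// Split an https URL into (lowercased origin, path without query/fragment).
/// Returns None for non-https URLs, an empty host, or embedded credentials.
fn split_https(url: &str) -> Option<(String, String)> {
    let rest = url.strip_prefix("https://")?;
    let end = rest
        .find(|c: char| c == '/' || c == '?' || c == '#')
        .unwrap_or(rest.len());
    let (host, tail) = (&rest[..end], &rest[end..]);
    if host.is_empty() || host.contains('@') {
        return None;
    }
    let path = if tail.starts_with('/') {
        tail.split(|c: char| c == '?' || c == '#').next().unwrap_or("/")
    } else {
        "/"
    };
    Some((format!("https://{}", host.to_ascii_lowercase()), path.to_string()))
}

/// Each endpoint is (config field name, configured URL, mounted route path).
/// Returns one message per mismatch; an empty list means config and routes agree.
fn check_oauth_urls(client_uri: &str, endpoints: &[(&str, &str, &str)]) -> Vec<String> {
    let origin = match split_https(client_uri) {
        Some((o, _)) => o,
        None => return vec![format!("client_uri is not an https URL: {client_uri}")],
    };
    let mut problems = Vec::new();
    for (name, url, route) in endpoints {
        match split_https(url) {
            None => problems.push(format!("{name}: not an https URL")),
            Some((o, _)) if o != origin => {
                problems.push(format!("{name}: origin {o} differs from client_uri"))
            }
            Some((_, p)) if p != *route => {
                problems.push(format!("{name}: path {p} is not served by route {route}"))
            }
            Some(_) => {}
        }
    }
    problems
}

fn main() {
    // Constructed values mirroring the config and routes shown above.
    let endpoints = [
        ("client_id", "https://your-app.com/oauth/client-metadata.json", "/oauth/client-metadata.json"),
        ("jwks_uri", "https://your-app.com/.well-known/jwks.json", "/.well-known/jwks.json"),
        ("redirect_uris", "https://your-app.com/oauth/callback", "/oauth/callback"),
    ];
    for p in check_oauth_urls("https://your-app.com", &endpoints) {
        eprintln!("config problem: {p}");
    }
}
```

Running the check before building the Router turns a silent mismatch into a startup failure rather than a login error seen only at runtime.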

OAuth Handlers

The library provides ready-to-use handlers for:

  • Client Metadata: Generates RFC 7591 compliant metadata
  • JWKS Endpoint: Serves JSON Web Key Sets for signature verification
  • Callback Processing: Handles OAuth authorization callbacks with token exchange

Command Line Examples

# Start OAuth login flow for a handle
cargo run --bin atproto-oauth-tool login did:key:zQ3sh... alice.bsky.social

# Start OAuth login flow for a DID
cargo run --bin atproto-oauth-tool login did:key:zQ3sh... did:plc:user123

The tool provides a complete OAuth client implementation with:

  • Subject resolution and DID document retrieval
  • PDS and authorization server discovery
  • PKCE and DPoP parameter generation
  • Local web server for callback handling
  • Complete token exchange flow

License

MIT License