atproto-oauth 0.14.2

OAuth workflow implementation for AT Protocol - PKCE, DPoP, and secure authentication flows
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267

//! OAuth resource discovery and validation.
//!
//! Discover and validate OAuth 2.0 configuration from AT Protocol
//! PDS servers using RFC 8414 well-known endpoints.

use serde::Deserialize;

use crate::errors::{AuthServerValidationError, OAuthClientError, ResourceValidationError};

/// OAuth 2.0 protected resource metadata from RFC 8414 oauth-protected-resource endpoint.
///
/// AT Protocol requires that the authorization_servers array contains exactly one URL.
#[derive(Clone, Deserialize)]
pub struct OAuthProtectedResource {
    /// The protected resource URI, must match the PDS base URL.
    pub resource: String,
    /// Authorization server URLs that can issue tokens for this resource.
    /// AT Protocol requires exactly one authorization server URL.
    pub authorization_servers: Vec<String>,
    /// OAuth 2.0 scopes supported by this protected resource.
    #[serde(default)]
    pub scopes_supported: Vec<String>,
    /// Bearer token methods supported (e.g., "header", "body", "query").
    #[serde(default)]
    pub bearer_methods_supported: Vec<String>,
}

/// OAuth 2.0 authorization server metadata from RFC 8414 oauth-authorization-server endpoint.
///
/// AT Protocol requires specific grant types, scopes, authentication methods, and security features.
#[cfg_attr(debug_assertions, derive(Debug))]
#[derive(Clone, Deserialize, Default)]
pub struct AuthorizationServer {
    /// URL of the authorization server's token introspection endpoint (optional).
    #[serde(default)]
    pub introspection_endpoint: String,
    /// URL of the authorization server's authorization endpoint.
    pub authorization_endpoint: String,
    /// Whether the authorization response `iss` parameter is supported (required for AT Protocol).
    #[serde(default)]
    pub authorization_response_iss_parameter_supported: bool,
    /// Whether client ID metadata document is supported (required for AT Protocol).
    #[serde(default)]
    pub client_id_metadata_document_supported: bool,
    /// PKCE code challenge methods supported, must include "S256" for AT Protocol.
    #[serde(default)]
    pub code_challenge_methods_supported: Vec<String>,
    /// DPoP proof JWT signing algorithms supported, must include "ES256" for AT Protocol.
    #[serde(default)]
    pub dpop_signing_alg_values_supported: Vec<String>,
    /// OAuth 2.0 grant types supported, must include "authorization_code" and "refresh_token".
    #[serde(default)]
    pub grant_types_supported: Vec<String>,
    /// The authorization server's issuer identifier, must match PDS URL.
    pub issuer: String,
    /// URL of the authorization server's pushed authorization request endpoint (required for AT Protocol).
    #[serde(default)]
    pub pushed_authorization_request_endpoint: String,
    /// Whether the `request` parameter is supported (optional).
    #[serde(default)]
    pub request_parameter_supported: bool,
    /// Whether pushed authorization requests are required (required for AT Protocol).
    #[serde(default)]
    pub require_pushed_authorization_requests: bool,
    /// OAuth 2.0 response types supported, must include "code" for AT Protocol.
    #[serde(default)]
    pub response_types_supported: Vec<String>,
    /// OAuth 2.0 scopes supported, must include "atproto" and "transition:generic" for AT Protocol.
    #[serde(default)]
    pub scopes_supported: Vec<String>,
    /// Client authentication methods supported, must include "none" and "private_key_jwt".
    #[serde(default)]
    pub token_endpoint_auth_methods_supported: Vec<String>,
    /// JWT signing algorithms for client authentication, must include "ES256" for AT Protocol.
    #[serde(default)]
    pub token_endpoint_auth_signing_alg_values_supported: Vec<String>,
    /// URL of the authorization server's token endpoint.
    pub token_endpoint: String,
}

/// Retrieves and validates OAuth configuration from a Personal Data Server (PDS).
///
/// Fetches both the protected resource metadata and authorization server metadata
/// from the PDS's well-known OAuth endpoints, returning the first authorization server.
pub async fn pds_resources(
    http_client: &reqwest::Client,
    pds: &str,
) -> Result<(OAuthProtectedResource, AuthorizationServer), OAuthClientError> {
    let protected_resource = oauth_protected_resource(http_client, pds).await?;

    let first_authorization_server = protected_resource
        .authorization_servers
        .first()
        .ok_or(OAuthClientError::InvalidOAuthProtectedResource)?;

    let authorization_server =
        oauth_authorization_server(http_client, first_authorization_server).await?;
    Ok((protected_resource, authorization_server))
}

/// Fetches and validates protected resource metadata from a PDS's well-known endpoint.
///
/// Retrieves OAuth 2.0 protected resource configuration from `/.well-known/oauth-protected-resource`
/// and validates that the resource URI matches the PDS URL and has exactly one authorization server
/// as required by AT Protocol specification.
pub async fn oauth_protected_resource(
    http_client: &reqwest::Client,
    pds: &str,
) -> Result<OAuthProtectedResource, OAuthClientError> {
    let destination = format!("{}/.well-known/oauth-protected-resource", pds);

    let resource: OAuthProtectedResource = http_client
        .get(destination)
        .send()
        .await
        .map_err(OAuthClientError::OAuthProtectedResourceRequestFailed)?
        .json()
        .await
        .map_err(OAuthClientError::MalformedOAuthProtectedResourceResponse)?;

    if resource.resource != pds {
        return Err(OAuthClientError::InvalidOAuthProtectedResourceResponse(
            ResourceValidationError::ResourceMustMatchPds.into(),
        ));
    }

    if resource.authorization_servers.len() != 1 {
        return Err(OAuthClientError::InvalidOAuthProtectedResourceResponse(
            ResourceValidationError::AuthorizationServersMustContainExactlyOne.into(),
        ));
    }

    Ok(resource)
}

/// Fetches and validates authorization server metadata from a PDS's well-known endpoint.
///
/// Retrieves OAuth 2.0 authorization server configuration from `/.well-known/oauth-authorization-server`
/// and validates AT Protocol requirements including:
/// - Required grant types: authorization_code, refresh_token  
/// - Required scopes: atproto, transition:generic
/// - Required security features: PKCE (S256), DPoP (ES256), PAR
/// - Required authentication methods: none, private_key_jwt
pub async fn oauth_authorization_server(
    http_client: &reqwest::Client,
    pds: &str,
) -> Result<AuthorizationServer, OAuthClientError> {
    let destination = format!("{}/.well-known/oauth-authorization-server", pds);

    let resource: AuthorizationServer = http_client
        .get(destination)
        .send()
        .await
        .map_err(OAuthClientError::AuthorizationServerRequestFailed)?
        .json()
        .await
        .map_err(OAuthClientError::MalformedAuthorizationServerResponse)?;

    // Validate AT Protocol requirements for authorization server metadata

    // Validate required fields are not empty
    if resource.issuer.is_empty() {
        return Err(OAuthClientError::InvalidAuthorizationServerResponse(
            AuthServerValidationError::IssuerMustMatchPds.into(),
        ));
    }
    if resource.authorization_endpoint.is_empty() {
        return Err(OAuthClientError::InvalidAuthorizationServerResponse(
            AuthServerValidationError::RequiredServerFeaturesMustBeSupported.into(),
        ));
    }
    if resource.token_endpoint.is_empty() {
        return Err(OAuthClientError::InvalidAuthorizationServerResponse(
            AuthServerValidationError::RequiredServerFeaturesMustBeSupported.into(),
        ));
    }

    if resource.issuer != pds {
        return Err(OAuthClientError::InvalidAuthorizationServerResponse(
            AuthServerValidationError::IssuerMustMatchPds.into(),
        ));
    }

    resource
        .response_types_supported
        .iter()
        .find(|&x| x == "code")
        .ok_or(OAuthClientError::InvalidAuthorizationServerResponse(
            AuthServerValidationError::ResponseTypesSupportMustIncludeCode.into(),
        ))?;

    resource
        .grant_types_supported
        .iter()
        .find(|&x| x == "authorization_code")
        .ok_or(OAuthClientError::InvalidAuthorizationServerResponse(
            AuthServerValidationError::GrantTypesSupportMustIncludeAuthorizationCode.into(),
        ))?;
    resource
        .grant_types_supported
        .iter()
        .find(|&x| x == "refresh_token")
        .ok_or(OAuthClientError::InvalidAuthorizationServerResponse(
            AuthServerValidationError::GrantTypesSupportMustIncludeRefreshToken.into(),
        ))?;
    resource
        .code_challenge_methods_supported
        .iter()
        .find(|&x| x == "S256")
        .ok_or(OAuthClientError::InvalidAuthorizationServerResponse(
            AuthServerValidationError::CodeChallengeMethodsSupportedMustIncludeS256.into(),
        ))?;
    resource
        .token_endpoint_auth_methods_supported
        .iter()
        .find(|&x| x == "none")
        .ok_or(OAuthClientError::InvalidAuthorizationServerResponse(
            AuthServerValidationError::TokenEndpointAuthMethodsSupportedMustIncludeNone.into(),
        ))?;
    resource
        .token_endpoint_auth_methods_supported
        .iter()
        .find(|&x| x == "private_key_jwt")
        .ok_or(OAuthClientError::InvalidAuthorizationServerResponse(
            AuthServerValidationError::TokenEndpointAuthMethodsSupportedMustIncludePrivateKeyJwt
                .into(),
        ))?;
    resource
        .token_endpoint_auth_signing_alg_values_supported
        .iter()
        .find(|&x| x == "ES256")
        .ok_or(OAuthClientError::InvalidAuthorizationServerResponse(
            AuthServerValidationError::TokenEndpointAuthSigningAlgValuesMustIncludeES256.into(),
        ))?;
    resource
        .scopes_supported
        .iter()
        .find(|&x| x == "atproto")
        .ok_or(OAuthClientError::InvalidAuthorizationServerResponse(
            AuthServerValidationError::ScopesSupportedMustIncludeAtProto.into(),
        ))?;
    resource
        .scopes_supported
        .iter()
        .find(|&x| x == "transition:generic")
        .ok_or(OAuthClientError::InvalidAuthorizationServerResponse(
            AuthServerValidationError::ScopesSupportedMustIncludeTransitionGeneric.into(),
        ))?;
    resource
        .dpop_signing_alg_values_supported
        .iter()
        .find(|&x| x == "ES256")
        .ok_or(OAuthClientError::InvalidAuthorizationServerResponse(
            AuthServerValidationError::DpopSigningAlgValuesSupportedMustIncludeES256.into(),
        ))?;

    if !(resource.authorization_response_iss_parameter_supported
        && resource.require_pushed_authorization_requests
        && resource.client_id_metadata_document_supported)
    {
        return Err(OAuthClientError::InvalidAuthorizationServerResponse(
            AuthServerValidationError::RequiredServerFeaturesMustBeSupported.into(),
        ));
    }

    Ok(resource)
}