atproto-oauth 0.9.2

OAuth workflow implementation for AT Protocol - PKCE, DPoP, and secure authentication flows
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80

# atproto-oauth

OAuth 2.0 implementation for AT Protocol with DPoP support, PKCE, and JWT operations.

## Overview

`atproto-oauth` provides comprehensive OAuth 2.0 functionality specifically designed for the AT Protocol ecosystem. This library implements DPoP (Demonstration of Proof-of-Possession), PKCE (Proof Key for Code Exchange), JWT operations, JWK management, and AT Protocol-specific OAuth validation.

## Features

- **JWT operations**: Minting, verification, and validation with ES256/ES256K/ES384 support
- **JWK management**: Generation and conversion for P-256, P-384, and K-256 curves
- **PKCE implementation**: Secure OAuth flows with Proof Key for Code Exchange
- **DPoP support**: Demonstration of Proof-of-Possession with automatic retry middleware
- **OAuth discovery**: Resource discovery and AT Protocol validation
- **Request storage**: LRU cache-based OAuth request storage
- **Structured errors**: Comprehensive error handling with detailed error codes

## Usage

### JWT Operations

```rust
use atproto_oauth::jwt::{mint, verify, Header, Claims, JoseClaims};
use atproto_identity::key::identify_key;

let key_data = identify_key("did:key:zQ3sh...")?;

let header = Header {
    algorithm: Some("ES256".to_string()),
    type_: Some("JWT".to_string()),
    ..Default::default()
};

let claims = Claims::new(JoseClaims {
    issuer: Some("did:plc:issuer123".to_string()),
    subject: Some("did:plc:subject456".to_string()),
    audience: Some("https://pds.example.com".to_string()),
    expiration: Some(chrono::Utc::now().timestamp() as u64 + 3600),
    ..Default::default()
});

let token = mint(&key_data, &header, &claims)?;
verify(&key_data, &token).await?;
```

### PKCE Flow

```rust
use atproto_oauth::pkce;

let (code_verifier, code_challenge) = pkce::generate();
// Use code_challenge in authorization URL
// Later use code_verifier for token exchange
```

### DPoP Proofs

```rust
use atproto_oauth::dpop::{auth_dpop, request_dpop};

let (dpop_token, header, claims) = auth_dpop(
    &key_data,
    "POST",
    "https://auth.example.com/oauth/token"
)?;
```

### OAuth Discovery

```rust
use atproto_oauth::resources::{discover_protected_resource, discover_authorization_server};

let protected_resource = discover_protected_resource(&client, pds_url).await?;
let auth_server = discover_authorization_server(&client, auth_server_url).await?;
```

## License

MIT License