oauth2-test-server 0.2.2

A fast, fully configurable, in-memory OAuth 2.0 + OpenID Connect authorization server for testing, zero-HTTP mode and DCR support for testing auth flow in MCP Servers and MCP Clients
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163

use axum::{
    extract::{Form, State},
    response::IntoResponse,
    Json,
};
use chrono::{Duration, Utc};
use rand::Rng;
use serde::Deserialize;
use serde_json::json;

use crate::{
    crypto::{generate_token_string, issue_jwt},
    error::OauthError,
    models::{DeviceAuthorization, DeviceCodeResponse, DeviceTokenRequest},
    store::AppState,
};

#[derive(Deserialize, Debug)]
pub struct DeviceCodeRequest {
    pub client_id: String,
    pub scope: Option<String>,
}

const DEVICE_CODE_CHARSET: &[u8] = b"BCDFGHJKLMNPQRSTUVWXYZ23456789";

fn generate_user_code() -> String {
    let mut rng = rand::thread_rng();
    let code: String = (0..8)
        .map(|_| {
            let idx = rng.gen_range(0..DEVICE_CODE_CHARSET.len());
            DEVICE_CODE_CHARSET[idx] as char
        })
        .collect();
    code.chars()
        .collect::<Vec<_>>()
        .chunks(4)
        .map(|chunk| chunk.iter().collect::<String>())
        .collect::<Vec<_>>()
        .join("-")
}

pub async fn device_code(
    State(state): State<AppState>,
    Form(form): Form<DeviceCodeRequest>,
) -> Result<impl IntoResponse, OauthError> {
    let client = state
        .store
        .get_client(&form.client_id)
        .await
        .ok_or(OauthError::InvalidClient)?;

    let scope = form.scope.clone().unwrap_or_else(|| client.scope.clone());

    if let Err(e) = state.config.validate_scope(&scope) {
        return Err(OauthError::InvalidScope(e));
    }

    let device_code = generate_token_string();
    let user_code = generate_user_code();
    let expires_in = state.config.authorization_code_expires_in;
    let interval = 5;

    let device_auth = DeviceAuthorization {
        device_code: device_code.clone(),
        user_code: user_code.clone(),
        client_id: form.client_id.clone(),
        scope: scope.clone(),
        expires_at: Utc::now() + Duration::seconds(expires_in as i64),
        user_id: None,
        approved: false,
    };

    state
        .store
        .insert_device_code(device_code.clone(), device_auth)
        .await;

    let verification_uri = format!("{}/device", state.issuer());
    let verification_uri_complete = Some(format!("{}?user_code={}", verification_uri, user_code));

    Ok(Json(DeviceCodeResponse {
        device_code,
        user_code,
        verification_uri,
        verification_uri_complete,
        expires_in,
        interval,
    }))
}

pub async fn device_token(
    State(state): State<AppState>,
    Form(form): Form<DeviceTokenRequest>,
) -> Result<impl IntoResponse, OauthError> {
    if form.grant_type != "urn:ietf:params:oauth:grant-type:device_code" {
        return Err(OauthError::UnsupportedGrantType);
    }

    let device_auth = state
        .store
        .get_device_code(&form.device_code)
        .await
        .ok_or(OauthError::InvalidGrant)?;

    if device_auth.expires_at < Utc::now() {
        return Err(OauthError::InvalidGrant);
    }

    if device_auth.client_id != form.client_id {
        return Err(OauthError::InvalidClient);
    }

    if !device_auth.approved {
        return Err(OauthError::AuthorizationPending);
    }

    let client = state
        .store
        .get_client(&form.client_id)
        .await
        .ok_or(OauthError::InvalidClient)?;

    let user_id = device_auth
        .user_id
        .clone()
        .unwrap_or_else(|| "device-user".to_string());

    let jwt = issue_jwt(
        state.issuer(),
        &client.client_id,
        &user_id,
        &device_auth.scope,
        state.config.access_token_expires_in as i64,
        &state.keys,
    )
    .map_err(|_| OauthError::ServerError)?;

    let refresh_token = generate_token_string();

    let token = crate::models::Token {
        access_token: jwt.clone(),
        refresh_token: Some(refresh_token.clone()),
        client_id: client.client_id.clone(),
        scope: device_auth.scope.clone(),
        expires_at: Utc::now() + Duration::seconds(state.config.access_token_expires_in as i64),
        user_id: user_id.clone(),
        revoked: false,
    };

    state.store.insert_token(jwt.clone(), token.clone()).await;
    state
        .store
        .insert_refresh_token(refresh_token.clone(), token)
        .await;

    Ok(Json(json!({
        "access_token": jwt,
        "token_type": "Bearer",
        "expires_in": state.config.access_token_expires_in,
        "refresh_token": refresh_token,
        "scope": device_auth.scope
    })))
}