# atproto-oauth

OAuth 2.0 implementation for AT Protocol.

## Overview

Comprehensive OAuth support with DPoP, PKCE, JWT operations, and secure storage abstractions for AT Protocol authentication.

## Features

- **JWT operations**: Token minting, verification, and validation with ES256/ES384/ES256K support
- **JWK management**: JSON Web Key generation and conversion for P-256, P-384, and K-256 curves
- **PKCE implementation**: RFC 7636 compliant Proof Key for Code Exchange for secure authorization flows
- **DPoP support**: RFC 9449 compliant Demonstration of Proof-of-Possession with automatic retry middleware
- **OAuth discovery**: Resource discovery and validation using RFC 8414 well-known endpoints
- **Storage abstractions**: Pluggable storage with LRU cache implementation for OAuth requests
- **Base64 encoding**: URL-safe base64 encoding/decoding utilities for JWT operations

## CLI Tools

The following command-line tool is available when built with the `clap` feature:

- **`atproto-oauth-service-token`**: OAuth service token management tool for AT Protocol authentication workflows

## Usage

### JWT Operations

```rust
use atproto_oauth::jwt::{mint, verify, Header, Claims, JoseClaims};
use atproto_identity::key::identify_key;

// Resolve the signing key from a did:key identifier.
let key_data = identify_key("did:key:zQ3sh...")?;

let header = Header {
    algorithm: Some("ES256".to_string()),
    type_: Some("JWT".to_string()),
    ..Default::default()
};

let claims = Claims::new(JoseClaims {
    issuer: Some("did:plc:issuer123".to_string()),
    subject: Some("did:plc:subject456".to_string()),
    audience: Some("https://pds.example.com".to_string()),
    // Expire one hour from now; verifiers reject the token after this instant.
    expiration: Some(chrono::Utc::now().timestamp() as u64 + 3600),
    ..Default::default()
});

// Sign with the key, then check signature and claims against the same key.
let token = mint(&key_data, &header, &claims)?;
verify(&key_data, &token).await?;
```

### PKCE Flow

```rust
use atproto_oauth::pkce;

// Generate a fresh verifier/challenge pair for each authorization request.
let (code_verifier, code_challenge) = pkce::generate();
// Send code_challenge in the authorization URL.
// Keep code_verifier private and present it only at the token exchange,
// where it proves that the same client is redeeming the authorization code.
```

### DPoP Proofs

```rust
use atproto_oauth::dpop::{auth_dpop, request_dpop};

// Build a DPoP proof bound to this key, HTTP method and target URL
// (key_data as resolved in the JWT example above).
let (dpop_token, header, claims) = auth_dpop(
    &key_data,
    "POST",
    "https://auth.example.com/oauth/token",
)?;
```

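The proof returned by `auth_dpop` is only useful if the receiving server checks it. The following added example, which is not code from the atproto-oauth crate, shows that receiving side: the structural RFC 9449 §4.3 checks a server applies to a proof's header and claims (type, algorithm, `htm`, `htu`, `iat` freshness, `jti` replay). The `DpopHeader`, `DpopClaims` and `DpopValidator` types and their field names are this example's own, and signature verification over the proof's embedded key is assumed to have already been done by the JWT layer.

```rust
use std::collections::HashSet;

// Added example, not code from the atproto-oauth crate: the server side of RFC 9449 §4.3,
// checking a DPoP proof's header and claims against the HTTP request it accompanies.
// Signature verification over the proof's embedded `jwk` is assumed to have already
// passed (that is the JWT layer's job) and is not repeated here.

/// JOSE header fields the check needs (assumed field names, not the crate's `Header`).
pub struct DpopHeader { pub typ: String, pub alg: String }

/// DPoP proof claims from RFC 9449 §4.2 (assumed field names, not the crate's `Claims`).
pub struct DpopClaims { pub jti: String, pub htm: String, pub htu: String, pub iat: u64 }

#[derive(Debug, PartialEq, Eq)]
pub enum DpopError { WrongType, BadAlg, MethodMismatch, UriMismatch, Stale, Replay }

pub struct DpopValidator {
    allowed_algs: HashSet<&'static str>,
    max_skew_secs: u64,
    // Replay cache; a production server evicts entries once they fall outside the skew window.
    seen_jti: HashSet<String>,
}

/// RFC 9449 compares `htu` without its query and fragment components.
fn strip_query_fragment(uri: &str) -> &str {
    let end = uri.find(|c: char| c == '?' || c == '#').unwrap_or(uri.len());
    &uri[..end]
}

impl DpopValidator {
    pub fn new(max_skew_secs: u64) -> Self {
        DpopValidator {
            // Only the asymmetric algorithms the crate supports; "none" and HMAC never pass.
            allowed_algs: ["ES256", "ES384", "ES256K"].iter().copied().collect(),
            max_skew_secs,
            seen_jti: HashSet::new(),
        }
    }

    /// Ok only if every structural check passes and the jti has not been seen before.
    pub fn check(&mut self, header: &DpopHeader, claims: &DpopClaims,
                 method: &str, target_uri: &str, now: u64) -> Result<(), DpopError> {
        if header.typ != "dpop+jwt" { return Err(DpopError::WrongType); }
        if !self.allowed_algs.contains(header.alg.as_str()) { return Err(DpopError::BadAlg); }
        if claims.htm != method { return Err(DpopError::MethodMismatch); }
        if strip_query_fragment(&claims.htu) != strip_query_fragment(target_uri) {
            return Err(DpopError::UriMismatch);
        }
        if now.abs_diff(claims.iat) > self.max_skew_secs { return Err(DpopError::Stale); }
        // `insert` returns false when the jti was already seen: a replayed proof.
        if !self.seen_jti.insert(claims.jti.clone()) { return Err(DpopError::Replay); }
        Ok(())
    }
}

fn main() {
    let mut validator = DpopValidator::new(300);
    // Constructed proof contents, shaped like what a client would send with a token request.
    let header = DpopHeader { typ: "dpop+jwt".into(), alg: "ES256".into() };
    let claims = DpopClaims {
        jti: "constructed-jti-0001".into(),
        htm: "POST".into(),
        htu: "https://auth.example.com/oauth/token".into(),
        iat: 1_700_000_000,
    };
    let url = "https://auth.example.com/oauth/token?foo=bar";
    println!("first use:  {:?}", validator.check(&header, &claims, "POST", url, 1_700_000_010));
    println!("second use: {:?}", validator.check(&header, &claims, "POST", url, 1_700_000_010));
}
```

The replay check is deliberately last so that a proof which fails an earlier check does not consume its `jti`; the query string on the request URL is ignored during the `htu` comparison, as the RFC requires.
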
### OAuth Discovery

```rust
use atproto_oauth::resources::{discover_protected_resource, discover_authorization_server};

// `client` is the HTTP client; pds_url and auth_server_url are the servers' base URLs.
// Both lookups fetch and validate the servers' well-known metadata documents.
let protected_resource = discover_protected_resource(&client, pds_url).await?;
let auth_server = discover_authorization_server(&client, auth_server_url).await?;
```

## License

MIT License