zzstoatzz.io
+23
-1
STATUS.md
+23
-1
STATUS.md
···
47
47
48
48
### December 2025
49
49
50
+
#### confidential OAuth client (PRs #578, #580-582, Dec 12-13)
51
+
52
+
**confidential client support** (PR #578):
53
+
- implemented ATProto OAuth confidential client using `private_key_jwt` authentication
54
+
- when `OAUTH_JWK` is configured, plyr.fm authenticates with a cryptographic key
55
+
- confidential clients earn 180-day refresh tokens (vs 2-week for public clients)
56
+
- added `/.well-known/jwks.json` endpoint for public key discovery
57
+
- updated `/oauth-client-metadata.json` with confidential client fields
58
+
59
+
**bug fixes** (PRs #580-582):
60
+
- fixed client assertion JWT to use Authorization Server's issuer as `aud` claim (not token endpoint URL)
61
+
- fixed JWKS endpoint to preserve `kid` field from original JWK
62
+
- fixed `OAuthClient` to pass `client_secret_kid` for JWT header
63
+
64
+
**atproto fork updates** (zzstoatzz/atproto#6, #7):
65
+
- added `issuer` parameter to `_make_token_request()` for correct `aud` claim
66
+
- added `client_secret_kid` parameter to include `kid` in client assertion JWT header
67
+
68
+
**outcome**: users now get 180-day refresh tokens, and "remember this account" on the PDS authorization page works (auto-approves subsequent logins). see #583 for future work on account switching via OAuth `prompt` parameter.
69
+
70
+
---
71
+
50
72
#### pagination & album management (PRs #550-554, Dec 9-10)
51
73
52
74
**tracks list pagination** (PR #554):
···
374
396
375
397
---
376
398
377
-
this is a living document. last updated 2025-12-10.
399
+
this is a living document. last updated 2025-12-13.