atproto-oauth
| Crates.io | atproto-oauth |
| lib.rs | atproto-oauth |
| version | 0.9.3 |
| source | src |
| created_at | 2025-06-03 13:31:00.443566+00 |
| updated_at | 2025-07-06 01:14:12.140927+00 |
| description | OAuth workflow implementation for AT Protocol - PKCE, DPoP, and secure authentication flows |
| homepage | https://tangled.sh/@smokesignal.events/atproto-identity-rs |
| repository | https://tangled.sh/@smokesignal.events/atproto-identity-rs |
| max_upload_size | |
| id | 1699032 |
| size | 328,751 |
Nick Gerakines (ngerakines)
documentation
https://docs.rs/atproto-oauth
README
atproto-oauth
OAuth 2.0 implementation for AT Protocol with DPoP support, PKCE, and JWT operations.
Overview
atproto-oauth provides comprehensive OAuth 2.0 functionality specifically designed for the AT Protocol ecosystem. This library implements DPoP (Demonstration of Proof-of-Possession), PKCE (Proof Key for Code Exchange), JWT operations, JWK management, and AT Protocol-specific OAuth validation.
Features
- JWT operations: Minting, verification, and validation with ES256/ES256K/ES384 support
- JWK management: Generation and conversion for P-256, P-384, and K-256 curves
- PKCE implementation: Secure OAuth flows with Proof Key for Code Exchange
- DPoP support: Demonstration of Proof-of-Possession with automatic retry middleware
- OAuth discovery: Resource discovery and AT Protocol validation
- Request storage: LRU cache-based OAuth request storage
- Structured errors: Comprehensive error handling with detailed error codes
Usage
JWT Operations
use atproto_oauth::jwt::{mint, verify, Header, Claims, JoseClaims};
use atproto_identity::key::identify_key;
let key_data = identify_key("did:key:zQ3sh...")?;
let header = Header {
algorithm: Some("ES256".to_string()),
type_: Some("JWT".to_string()),
..Default::default()
};
let claims = Claims::new(JoseClaims {
issuer: Some("did:plc:issuer123".to_string()),
subject: Some("did:plc:subject456".to_string()),
audience: Some("https://pds.example.com".to_string()),
expiration: Some(chrono::Utc::now().timestamp() as u64 + 3600),
..Default::default()
});
let token = mint(&key_data, &header, &claims)?;
verify(&key_data, &token).await?;
PKCE Flow
use atproto_oauth::pkce;
let (code_verifier, code_challenge) = pkce::generate();
// Use code_challenge in authorization URL
// Later use code_verifier for token exchange
DPoP Proofs
use atproto_oauth::dpop::{auth_dpop, request_dpop};
let (dpop_token, header, claims) = auth_dpop(
&key_data,
"POST",
"https://auth.example.com/oauth/token"
)?;
OAuth Discovery
use atproto_oauth::resources::{discover_protected_resource, discover_authorization_server};
let protected_resource = discover_protected_resource(&client, pds_url).await?;
let auth_server = discover_authorization_server(&client, auth_server_url).await?;
License
MIT License