types.go at e39d8a8837ed85549986107e9cdd49ce9dfc35f6 · hailey.at/atproto-oauth-golang

this repo has no description
atproto-oauth-golang / types.go
at e39d8a8837ed85549986107e9cdd49ce9dfc35f6 6.6 kB view raw
  1package oauth
  2
  3import (
  4	"encoding/json"
  5	"fmt"
  6	"net/url"
  7	"slices"
  8)
  9
 10type TokenResponse struct {
 11	DpopAuthserverNonce string
 12	Resp                map[string]any
 13}
 14
 15type RefreshTokenArgs struct {
 16	AuthserverUrl       string
 17	RefreshToken        string
 18	DpopPrivateJwk      string
 19	DpopAuthserverNonce string
 20}
 21
 22type SendParAuthResponse struct {
 23	PkceVerifier        string
 24	State               string
 25	DpopAuthserverNonce string
 26	Resp                map[string]any
 27}
 28
 29type OauthProtectedResource struct {
 30	Resource               string   `json:"resource"`
 31	AuthorizationServers   []string `json:"authorization_servers"`
 32	ScopesSupported        []string `json:"scopes_supported"`
 33	BearerMethodsSupported []string `json:"bearer_methods_supported"`
 34	ResourceDocumentation  string   `json:"resource_documentation"`
 35}
 36
 37func (opr *OauthProtectedResource) UnmarshalJSON(b []byte) error {
 38	type Tmp OauthProtectedResource
 39	var tmp Tmp
 40
 41	if err := json.Unmarshal(b, &tmp); err != nil {
 42		return err
 43	}
 44
 45	*opr = OauthProtectedResource(tmp)
 46
 47	return nil
 48}
 49
 50type OauthAuthorizationMetadata struct {
 51	Issuer                                     string   `json:"issuer"`
 52	RequestParameterSupported                  bool     `json:"request_parameter_supported"`
 53	RequestUriParameterSupported               bool     `json:"request_uri_parameter_supported"`
 54	RequireRequestUriRegistration              *bool    `json:"require_request_uri_registration,omitempty"`
 55	ScopesSupported                            []string `json:"scopes_supported"`
 56	SubjectTypesSupported                      []string `json:"subject_types_supported"`
 57	ResponseTypesSupported                     []string `json:"response_types_supported"`
 58	ResponseModesSupported                     []string `json:"response_modes_supported"`
 59	GrantTypesSupported                        []string `json:"grant_types_supported"`
 60	CodeChallengeMethodsSupported              []string `json:"code_challenge_methods_supported"`
 61	UILocalesSupported                         []string `json:"ui_locales_supported"`
 62	DisplayValuesSupported                     []string `json:"display_values_supported"`
 63	RequestObjectSigningAlgValuesSupported     []string `json:"request_object_signing_alg_values_supported"`
 64	AuthorizationResponseISSParameterSupported bool     `json:"authorization_response_iss_parameter_supported"`
 65	RequestObjectEncryptionAlgValuesSupported  []string `json:"request_object_encryption_alg_values_supported"`
 66	RequestObjectEncryptionEncValuesSupported  []string `json:"request_object_encryption_enc_values_supported"`
 67	JwksUri                                    string   `json:"jwks_uri"`
 68	AuthorizationEndpoint                      string   `json:"authorization_endpoint"`
 69	TokenEndpoint                              string   `json:"token_endpoint"`
 70	TokenEndpointAuthMethodsSupported          []string `json:"token_endpoint_auth_methods_supported"`
 71	TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported"`
 72	RevocationEndpoint                         string   `json:"revocation_endpoint"`
 73	IntrospectionEndpoint                      string   `json:"introspection_endpoint"`
 74	PushedAuthorizationRequestEndpoint         string   `json:"pushed_authorization_request_endpoint"`
 75	RequirePushedAuthorizationRequests         bool     `json:"require_pushed_authorization_requests"`
 76	DpopSigningAlgValuesSupported              []string `json:"dpop_signing_alg_values_supported"`
 77	ProtectedResources                         []string `json:"protected_resources"`
 78	ClientIDMetadataDocumentSupported          bool     `json:"client_id_metadata_document_supported"`
 79}
 80
 81func (oam *OauthAuthorizationMetadata) UnmarshalJSON(b []byte) error {
 82	type Tmp OauthAuthorizationMetadata
 83	var tmp Tmp
 84
 85	if err := json.Unmarshal(b, &tmp); err != nil {
 86		return err
 87	}
 88
 89	*oam = OauthAuthorizationMetadata(tmp)
 90
 91	return nil
 92}
 93
 94func (oam *OauthAuthorizationMetadata) Validate(fetch_url *url.URL) error {
 95	if fetch_url == nil {
 96		return fmt.Errorf("fetch_url was nil")
 97	}
 98
 99	iu, err := url.Parse(oam.Issuer)
100	if err != nil {
101		return err
102	}
103
104	if iu.Hostname() != fetch_url.Hostname() {
105		return fmt.Errorf("issuer hostname does not match fetch url hostname")
106	}
107
108	if iu.Scheme != "https" {
109		return fmt.Errorf("issuer url is not https")
110	}
111
112	if iu.Port() != "" {
113		return fmt.Errorf("issuer port is not empty")
114	}
115
116	if iu.Path != "" && iu.Path != "/" {
117		return fmt.Errorf("issuer path is not /")
118	}
119
120	if iu.RawQuery != "" {
121		return fmt.Errorf("issuer url params are not empty")
122	}
123
124	if !slices.Contains(oam.ResponseTypesSupported, "code") {
125		return fmt.Errorf("`code` is not in response_types_supported")
126	}
127
128	if !slices.Contains(oam.GrantTypesSupported, "authorization_code") {
129		return fmt.Errorf("`authorization_code` is not in grant_types_supported")
130	}
131
132	if !slices.Contains(oam.GrantTypesSupported, "refresh_token") {
133		return fmt.Errorf("`refresh_token` is not in grant_types_supported")
134	}
135
136	if !slices.Contains(oam.CodeChallengeMethodsSupported, "S256") {
137		return fmt.Errorf("`S256` is not in code_challenge_methods_supported")
138	}
139
140	if !slices.Contains(oam.TokenEndpointAuthMethodsSupported, "none") {
141		return fmt.Errorf("`none` is not in token_endpoint_auth_methods_supported")
142	}
143
144	if !slices.Contains(oam.TokenEndpointAuthMethodsSupported, "private_key_jwt") {
145		return fmt.Errorf("`private_key_jwt` is not in token_endpoint_auth_methods_supported")
146	}
147
148	if !slices.Contains(oam.TokenEndpointAuthSigningAlgValuesSupported, "ES256") {
149		return fmt.Errorf("`ES256` is not in token_endpoint_auth_signing_alg_values_supported")
150	}
151
152	if !slices.Contains(oam.ScopesSupported, "atproto") {
153		return fmt.Errorf("`atproto` is not in scopes_supported")
154	}
155
156	if oam.AuthorizationResponseISSParameterSupported != true {
157		return fmt.Errorf("authorization_response_iss_parameter_supported is not true")
158	}
159
160	if oam.PushedAuthorizationRequestEndpoint == "" {
161		return fmt.Errorf("pushed_authorization_request_endpoint is empty")
162	}
163
164	if oam.RequirePushedAuthorizationRequests == false {
165		return fmt.Errorf("require_pushed_authorization_requests is false")
166	}
167
168	if !slices.Contains(oam.DpopSigningAlgValuesSupported, "ES256") {
169		return fmt.Errorf("`ES256` is not in dpop_signing_alg_values_supported")
170	}
171
172	if oam.RequireRequestUriRegistration != nil && *oam.RequireRequestUriRegistration == false {
173		return fmt.Errorf("require_request_uri_registration present in metadata and was false")
174	}
175
176	if oam.ClientIDMetadataDocumentSupported == false {
177		return fmt.Errorf("client_id_metadata_document_supported was false")
178	}
179
180	return nil
181}