hailey.at / atproto-oauth-golang
this repo has no description
fork atom

rename method

hailey.at 98153a3d 4982663b

options
unified split
Changed files
+15 -15
oauth.go
+15 -15
oauth.go 
···

       
70

       
 

       
	}, nil


     

       
71

       
 

       
}


     

       
72

       
 

       



     

       
73

       
-

       
func (o *OauthClient) ResolvePDSAuthServer(ctx context.Context, ustr string) (string, error) {


     

       
74

       
 

       
	u, err := isSafeAndParsed(ustr)


     

       
75

       
 

       
	if err != nil {


     

       
76

       
 

       
		return "", err


     
···

       
83

       
 

       
		return "", fmt.Errorf("error creating request for oauth protected resource: %w", err)


     

       
84

       
 

       
	}


     

       
85

       
 

       



     

       
86

       
-

       
	resp, err := o.h.Do(req)


     

       
87

       
 

       
	if err != nil {


     

       
88

       
 

       
		return "", fmt.Errorf("could not get response from server: %w", err)


     

       
89

       
 

       
	}


     
···

       
111

       
 

       
	return resource.AuthorizationServers[0], nil


     

       
112

       
 

       
}


     

       
113

       
 

       



     

       
114

       
-

       
func (o *OauthClient) FetchAuthServerMetadata(ctx context.Context, ustr string) (any, error) {


     

       
115

       
 

       
	u, err := isSafeAndParsed(ustr)


     

       
116

       
 

       
	if err != nil {


     

       
117

       
 

       
		return nil, err


     
···

       
124

       
 

       
		return nil, fmt.Errorf("error creating request to fetch auth metadata: %w", err)


     

       
125

       
 

       
	}


     

       
126

       
 

       



     

       
127

       
-

       
	resp, err := o.h.Do(req)


     

       
128

       
 

       
	if err != nil {


     

       
129

       
 

       
		return nil, fmt.Errorf("error getting response for auth metadata: %w", err)


     

       
130

       
 

       
	}


     
···

       
152

       
 

       
	return metadata, nil


     

       
153

       
 

       
}


     

       
154

       
 

       



     

       
155

       
-

       
func (o *OauthClient) ClientAssertionJwt(authServerUrl string) (string, error) {


     

       
156

       
 

       
	claims := jwt.MapClaims{


     

       
157

       
-

       
		"iss": o.clientId,


     

       
158

       
-

       
		"sub": o.clientId,


     

       
159

       
 

       
		"aud": authServerUrl,


     

       
160

       
 

       
		"jti": uuid.NewString(),


     

       
161

       
 

       
		"iat": time.Now().Unix(),


     

       
162

       
 

       
	}


     

       
163

       
 

       



     

       
164

       
 

       
	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)


     

       
165

       
-

       
	token.Header["kid"] = o.clientKid


     

       
166

       
 

       



     

       
167

       
-

       
	tokenString, err := token.SignedString(o.clientPrivateKey)


     

       
168

       
 

       
	if err != nil {


     

       
169

       
 

       
		return "", err


     

       
170

       
 

       
	}


     
···

       
172

       
 

       
	return tokenString, nil


     

       
173

       
 

       
}


     

       
174

       
 

       



     

       
175

       
-

       
func (o *OauthClient) AuthServerDpopJwt(method, url, nonce string, privateJwk jwk.Key) (string, error) {


     

       
176

       
 

       
	raw, err := jwk.PublicKeyOf(privateJwk)


     

       
177

       
 

       
	if err != nil {


     

       
178

       
 

       
		return "", err


     
···

       
225

       
 

       
	return tokenString, nil


     

       
226

       
 

       
}


     

       
227

       
 

       



     

       
228

       
-

       
func (o *OauthClient) SendParAuthRequest(ctx context.Context, authServerUrl string, authServerMeta *OauthAuthorizationMetadata, loginHint, scope string, dpopPrivateKey jwk.Key) (any, error) {


     

       
229

       
 

       
	if authServerMeta == nil {


     

       
230

       
 

       
		return nil, fmt.Errorf("nil metadata provided")


     

       
231

       
 

       
	}


     
···

       
245

       
 

       
	codeChallenge := generateCodeChallenge(pkceVerifier)


     

       
246

       
 

       
	codeChallengeMethod := "S256"


     

       
247

       
 

       



     

       
248

       
-

       
	clientAssertion, err := o.ClientAssertionJwt(authServerUrl)


     

       
249

       
 

       
	if err != nil {


     

       
250

       
 

       
		return nil, err


     

       
251

       
 

       
	}


     

       
252

       
 

       



     

       
253

       
 

       
	// TODO: ??


     

       
254

       
 

       
	nonce := ""


     

       
255

       
-

       
	dpopProof, err := o.AuthServerDpopJwt("POST", parUrl, nonce, dpopPrivateKey)


     

       
256

       
 

       
	if err != nil {


     

       
257

       
 

       
		return nil, err


     

       
258

       
 

       
	}


     
···

       
261

       
 

       
		"response_type":         "code",


     

       
262

       
 

       
		"code_challenge":        codeChallenge,


     

       
263

       
 

       
		"code_challenge_method": codeChallengeMethod,


     

       
264

       
-

       
		"client_id":             o.clientId,


     

       
265

       
 

       
		"state":                 state,


     

       
266

       
-

       
		"redirect_uri":          o.redirectUri,


     

       
267

       
 

       
		"scope":                 scope,


     

       
268

       
 

       
		"client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",


     

       
269

       
 

       
		"client_assertion":      clientAssertion,


     
···

       
70

       
 

       
	}, nil


     

       
71

       
 

       
}


     

       
72

       
 

       



     

       
73

       
+

       
func (c *OauthClient) ResolvePDSAuthServer(ctx context.Context, ustr string) (string, error) {


     

       
74

       
 

       
	u, err := isSafeAndParsed(ustr)


     

       
75

       
 

       
	if err != nil {


     

       
76

       
 

       
		return "", err


     
···

       
83

       
 

       
		return "", fmt.Errorf("error creating request for oauth protected resource: %w", err)


     

       
84

       
 

       
	}


     

       
85

       
 

       



     

       
86

       
+

       
	resp, err := c.h.Do(req)


     

       
87

       
 

       
	if err != nil {


     

       
88

       
 

       
		return "", fmt.Errorf("could not get response from server: %w", err)


     

       
89

       
 

       
	}


     
···

       
111

       
 

       
	return resource.AuthorizationServers[0], nil


     

       
112

       
 

       
}


     

       
113

       
 

       



     

       
114

       
+

       
func (c *OauthClient) FetchAuthServerMetadata(ctx context.Context, ustr string) (any, error) {


     

       
115

       
 

       
	u, err := isSafeAndParsed(ustr)


     

       
116

       
 

       
	if err != nil {


     

       
117

       
 

       
		return nil, err


     
···

       
124

       
 

       
		return nil, fmt.Errorf("error creating request to fetch auth metadata: %w", err)


     

       
125

       
 

       
	}


     

       
126

       
 

       



     

       
127

       
+

       
	resp, err := c.h.Do(req)


     

       
128

       
 

       
	if err != nil {


     

       
129

       
 

       
		return nil, fmt.Errorf("error getting response for auth metadata: %w", err)


     

       
130

       
 

       
	}


     
···

       
152

       
 

       
	return metadata, nil


     

       
153

       
 

       
}


     

       
154

       
 

       



     

       
155

       
+

       
func (c *OauthClient) ClientAssertionJwt(authServerUrl string) (string, error) {


     

       
156

       
 

       
	claims := jwt.MapClaims{


     

       
157

       
+

       
		"iss": c.clientId,


     

       
158

       
+

       
		"sub": c.clientId,


     

       
159

       
 

       
		"aud": authServerUrl,


     

       
160

       
 

       
		"jti": uuid.NewString(),


     

       
161

       
 

       
		"iat": time.Now().Unix(),


     

       
162

       
 

       
	}


     

       
163

       
 

       



     

       
164

       
 

       
	token := jwt.NewWithClaims(jwt.SigningMethodES256, claims)


     

       
165

       
+

       
	token.Header["kid"] = c.clientKid


     

       
166

       
 

       



     

       
167

       
+

       
	tokenString, err := token.SignedString(c.clientPrivateKey)


     

       
168

       
 

       
	if err != nil {


     

       
169

       
 

       
		return "", err


     

       
170

       
 

       
	}


     
···

       
172

       
 

       
	return tokenString, nil


     

       
173

       
 

       
}


     

       
174

       
 

       



     

       
175

       
+

       
func (c *OauthClient) AuthServerDpopJwt(method, url, nonce string, privateJwk jwk.Key) (string, error) {


     

       
176

       
 

       
	raw, err := jwk.PublicKeyOf(privateJwk)


     

       
177

       
 

       
	if err != nil {


     

       
178

       
 

       
		return "", err


     
···

       
225

       
 

       
	return tokenString, nil


     

       
226

       
 

       
}


     

       
227

       
 

       



     

       
228

       
+

       
func (c *OauthClient) SendParAuthRequest(ctx context.Context, authServerUrl string, authServerMeta *OauthAuthorizationMetadata, loginHint, scope string, dpopPrivateKey jwk.Key) (any, error) {


     

       
229

       
 

       
	if authServerMeta == nil {


     

       
230

       
 

       
		return nil, fmt.Errorf("nil metadata provided")


     

       
231

       
 

       
	}


     
···

       
245

       
 

       
	codeChallenge := generateCodeChallenge(pkceVerifier)


     

       
246

       
 

       
	codeChallengeMethod := "S256"


     

       
247

       
 

       



     

       
248

       
+

       
	clientAssertion, err := c.ClientAssertionJwt(authServerUrl)


     

       
249

       
 

       
	if err != nil {


     

       
250

       
 

       
		return nil, err


     

       
251

       
 

       
	}


     

       
252

       
 

       



     

       
253

       
 

       
	// TODO: ??


     

       
254

       
 

       
	nonce := ""


     

       
255

       
+

       
	dpopProof, err := c.AuthServerDpopJwt("POST", parUrl, nonce, dpopPrivateKey)


     

       
256

       
 

       
	if err != nil {


     

       
257

       
 

       
		return nil, err


     

       
258

       
 

       
	}


     
···

       
261

       
 

       
		"response_type":         "code",


     

       
262

       
 

       
		"code_challenge":        codeChallenge,


     

       
263

       
 

       
		"code_challenge_method": codeChallengeMethod,


     

       
264

       
+

       
		"client_id":             c.clientId,


     

       
265

       
 

       
		"state":                 state,


     

       
266

       
+

       
		"redirect_uri":          c.redirectUri,


     

       
267

       
 

       
		"scope":                 scope,


     

       
268

       
 

       
		"client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",


     

       
269

       
 

       
		"client_assertion":      clientAssertion,