zbrox.com / jacquard
forked from nonbinary.computer/jacquard
A better Rust ATProto crate
fork atom
jacquard / crates / jacquard-oauth / src / request.rs
at lifetimes 26 kB view raw
1use chrono::{TimeDelta, Utc}; 2use http::{Method, Request, StatusCode}; 3use jacquard_common::{ 4 CowStr, IntoStatic, 5 cowstr::ToCowStr, 6 http_client::HttpClient, 7 session::SessionStoreError, 8 types::{ 9 did::Did, 10 string::{AtStrError, Datetime}, 11 }, 12}; 13use jacquard_identity::resolver::IdentityError; 14use serde::Serialize; 15use serde_json::Value; 16use smol_str::ToSmolStr; 17use thiserror::Error; 18 19use crate::{ 20 FALLBACK_ALG, 21 atproto::atproto_client_metadata, 22 dpop::DpopExt, 23 jose::jwt::{RegisteredClaims, RegisteredClaimsAud}, 24 keyset::Keyset, 25 resolver::OAuthResolver, 26 scopes::Scope, 27 session::{ 28 AuthRequestData, ClientData, ClientSessionData, DpopClientData, DpopDataSource, DpopReqData, 29 }, 30 types::{ 31 AuthorizationCodeChallengeMethod, AuthorizationResponseType, AuthorizeOptionPrompt, 32 OAuthAuthorizationServerMetadata, OAuthClientMetadata, OAuthParResponse, 33 OAuthTokenResponse, ParParameters, RefreshRequestParameters, RevocationRequestParameters, 34 TokenGrantType, TokenRequestParameters, TokenSet, 35 }, 36 utils::{compare_algos, generate_dpop_key, generate_nonce, generate_pkce}, 37}; 38 39// https://datatracker.ietf.org/doc/html/rfc7523#section-2.2 40const CLIENT_ASSERTION_TYPE_JWT_BEARER: &str = 41 "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"; 42 43#[derive(Error, Debug, miette::Diagnostic)] 44pub enum RequestError { 45 #[error("no {0} endpoint available")] 46 #[diagnostic( 47 code(jacquard_oauth::request::no_endpoint), 48 help("server does not advertise this endpoint") 49 )] 50 NoEndpoint(CowStr<'static>), 51 #[error("token response verification failed")] 52 #[diagnostic(code(jacquard_oauth::request::token_verification))] 53 TokenVerification, 54 #[error("unsupported authentication method")] 55 #[diagnostic( 56 code(jacquard_oauth::request::unsupported_auth_method), 57 help( 58 "server must support `private_key_jwt` or `none`; configure client metadata accordingly" 59 ) 60 )] 61 UnsupportedAuthMethod, 62 #[error("no refresh token available")] 63 #[diagnostic(code(jacquard_oauth::request::no_refresh_token))] 64 NoRefreshToken, 65 #[error("failed to parse DID: {0}")] 66 #[diagnostic(code(jacquard_oauth::request::invalid_did))] 67 InvalidDid(#[from] AtStrError), 68 #[error(transparent)] 69 #[diagnostic(code(jacquard_oauth::request::dpop))] 70 DpopClient(#[from] crate::dpop::Error), 71 #[error(transparent)] 72 #[diagnostic(code(jacquard_oauth::request::storage))] 73 Storage(#[from] SessionStoreError), 74 75 #[error(transparent)] 76 #[diagnostic(code(jacquard_oauth::request::resolver))] 77 ResolverError(#[from] crate::resolver::ResolverError), 78 // #[error(transparent)] 79 // OAuthSession(#[from] crate::oauth_session::Error), 80 #[error(transparent)] 81 #[diagnostic(code(jacquard_oauth::request::http_build))] 82 Http(#[from] http::Error), 83 #[error("http status: {0}")] 84 #[diagnostic( 85 code(jacquard_oauth::request::http_status), 86 help("see server response for details") 87 )] 88 HttpStatus(StatusCode), 89 #[error("http status: {0}, body: {1:?}")] 90 #[diagnostic( 91 code(jacquard_oauth::request::http_status_body), 92 help("server returned error JSON; inspect fields like `error`, `error_description`") 93 )] 94 HttpStatusWithBody(StatusCode, Value), 95 #[error(transparent)] 96 #[diagnostic(code(jacquard_oauth::request::identity))] 97 Identity(#[from] IdentityError), 98 #[error(transparent)] 99 #[diagnostic(code(jacquard_oauth::request::keyset))] 100 Keyset(#[from] crate::keyset::Error), 101 #[error(transparent)] 102 #[diagnostic(code(jacquard_oauth::request::serde_form))] 103 SerdeHtmlForm(#[from] serde_html_form::ser::Error), 104 #[error(transparent)] 105 #[diagnostic(code(jacquard_oauth::request::serde_json))] 106 SerdeJson(#[from] serde_json::Error), 107 #[error(transparent)] 108 #[diagnostic(code(jacquard_oauth::request::atproto))] 109 Atproto(#[from] crate::atproto::Error), 110} 111 112pub type Result<T> = core::result::Result<T, RequestError>; 113 114#[allow(dead_code)] 115pub enum OAuthRequest<'a> { 116 Token(TokenRequestParameters<'a>), 117 Refresh(RefreshRequestParameters<'a>), 118 Revocation(RevocationRequestParameters<'a>), 119 Introspection, 120 PushedAuthorizationRequest(ParParameters<'a>), 121} 122 123impl OAuthRequest<'_> { 124 pub fn name(&self) -> CowStr<'static> { 125 CowStr::new_static(match self { 126 Self::Token(_) => "token", 127 Self::Refresh(_) => "refresh", 128 Self::Revocation(_) => "revocation", 129 Self::Introspection => "introspection", 130 Self::PushedAuthorizationRequest(_) => "pushed_authorization_request", 131 }) 132 } 133 pub fn expected_status(&self) -> StatusCode { 134 match self { 135 Self::Token(_) | Self::Refresh(_) => StatusCode::OK, 136 Self::PushedAuthorizationRequest(_) => StatusCode::CREATED, 137 // Unlike https://datatracker.ietf.org/doc/html/rfc7009#section-2.2, oauth-provider seems to return `204`. 138 Self::Revocation(_) => StatusCode::NO_CONTENT, 139 _ => unimplemented!(), 140 } 141 } 142} 143 144#[derive(Debug, Serialize)] 145pub struct RequestPayload<'a, T> 146where 147 T: Serialize, 148{ 149 client_id: CowStr<'a>, 150 #[serde(skip_serializing_if = "Option::is_none")] 151 client_assertion_type: Option<CowStr<'a>>, 152 #[serde(skip_serializing_if = "Option::is_none")] 153 client_assertion: Option<CowStr<'a>>, 154 #[serde(flatten)] 155 parameters: T, 156} 157 158#[derive(Debug, Clone)] 159pub struct OAuthMetadata { 160 pub server_metadata: OAuthAuthorizationServerMetadata<'static>, 161 pub client_metadata: OAuthClientMetadata<'static>, 162 pub keyset: Option<Keyset>, 163} 164 165impl OAuthMetadata { 166 pub async fn new<'r, T: HttpClient + OAuthResolver + Send + Sync>( 167 client: &T, 168 ClientData { keyset, config }: &ClientData<'r>, 169 session_data: &ClientSessionData<'r>, 170 ) -> Result<Self> { 171 Ok(OAuthMetadata { 172 server_metadata: client 173 .get_authorization_server_metadata(&session_data.authserver_url) 174 .await?, 175 client_metadata: atproto_client_metadata(config.clone(), &keyset) 176 .unwrap() 177 .into_static(), 178 keyset: keyset.clone(), 179 }) 180 } 181} 182 183pub async fn par<'r, T: OAuthResolver + DpopExt + Send + Sync + 'static>( 184 client: &T, 185 login_hint: Option<CowStr<'r>>, 186 prompt: Option<AuthorizeOptionPrompt>, 187 metadata: &OAuthMetadata, 188) -> crate::request::Result<AuthRequestData<'r>> { 189 let state = generate_nonce(); 190 let (code_challenge, verifier) = generate_pkce(); 191 192 let Some(dpop_key) = generate_dpop_key(&metadata.server_metadata) else { 193 return Err(RequestError::TokenVerification); 194 }; 195 let mut dpop_data = DpopReqData { 196 dpop_key, 197 dpop_authserver_nonce: None, 198 }; 199 let parameters = ParParameters { 200 response_type: AuthorizationResponseType::Code, 201 redirect_uri: metadata.client_metadata.redirect_uris[0].to_cowstr(), 202 state: state.clone(), 203 scope: metadata.client_metadata.scope.clone(), 204 response_mode: None, 205 code_challenge, 206 code_challenge_method: AuthorizationCodeChallengeMethod::S256, 207 login_hint: login_hint, 208 prompt: prompt.map(CowStr::from), 209 }; 210 println!("Parameters: {:?}", parameters); 211 if metadata 212 .server_metadata 213 .pushed_authorization_request_endpoint 214 .is_some() 215 { 216 let par_response = oauth_request::<OAuthParResponse, T, DpopReqData>( 217 &client, 218 &mut dpop_data, 219 OAuthRequest::PushedAuthorizationRequest(parameters), 220 metadata, 221 ) 222 .await?; 223 224 let scopes = if let Some(scope) = &metadata.client_metadata.scope { 225 Scope::parse_multiple_reduced(&scope) 226 .expect("Failed to parse scopes") 227 .into_static() 228 } else { 229 vec![] 230 }; 231 let auth_req_data = AuthRequestData { 232 state, 233 authserver_url: url::Url::parse(&metadata.server_metadata.issuer) 234 .expect("Failed to parse issuer URL"), 235 account_did: None, 236 scopes, 237 request_uri: par_response.request_uri.to_cowstr().into_static(), 238 authserver_token_endpoint: metadata.server_metadata.token_endpoint.clone(), 239 authserver_revocation_endpoint: metadata.server_metadata.revocation_endpoint.clone(), 240 pkce_verifier: verifier, 241 dpop_data, 242 }; 243 244 Ok(auth_req_data) 245 } else if metadata 246 .server_metadata 247 .require_pushed_authorization_requests 248 == Some(true) 249 { 250 Err(RequestError::NoEndpoint(CowStr::new_static( 251 "pushed_authorization_request", 252 ))) 253 } else { 254 todo!("use of PAR is mandatory") 255 } 256} 257 258pub async fn refresh<'r, T>( 259 client: &T, 260 mut session_data: ClientSessionData<'r>, 261 metadata: &OAuthMetadata, 262) -> Result<ClientSessionData<'r>> 263where 264 T: OAuthResolver + DpopExt + Send + Sync + 'static, 265{ 266 let Some(refresh_token) = session_data.token_set.refresh_token.as_ref() else { 267 return Err(RequestError::NoRefreshToken); 268 }; 269 270 // /!\ IMPORTANT /!\ 271 // 272 // The "sub" MUST be a DID, whose issuer authority is indeed the server we 273 // are trying to obtain credentials from. Note that we are doing this 274 // *before* we actually try to refresh the token: 275 // 1) To avoid unnecessary refresh 276 // 2) So that the refresh is the last async operation, ensuring as few 277 // async operations happen before the result gets a chance to be stored. 278 let aud = client 279 .verify_issuer(&metadata.server_metadata, &session_data.token_set.sub) 280 .await?; 281 let iss = metadata.server_metadata.issuer.clone(); 282 283 let response = oauth_request::<OAuthTokenResponse, T, DpopClientData>( 284 client, 285 &mut session_data.dpop_data, 286 OAuthRequest::Refresh(RefreshRequestParameters { 287 grant_type: TokenGrantType::RefreshToken, 288 refresh_token: refresh_token.clone(), 289 scope: None, 290 }), 291 metadata, 292 ) 293 .await?; 294 295 let expires_at = response.expires_in.and_then(|expires_in| { 296 let now = Datetime::now(); 297 now.as_ref() 298 .checked_add_signed(TimeDelta::seconds(expires_in)) 299 .map(Datetime::new) 300 }); 301 302 session_data.update_with_tokens(TokenSet { 303 iss, 304 sub: session_data.token_set.sub.clone(), 305 aud: CowStr::Owned(aud.to_smolstr()), 306 scope: response.scope.map(CowStr::Owned), 307 access_token: CowStr::Owned(response.access_token), 308 refresh_token: response.refresh_token.map(CowStr::Owned), 309 token_type: response.token_type, 310 expires_at, 311 }); 312 313 Ok(session_data) 314} 315 316pub async fn exchange_code<'r, T, D>( 317 client: &T, 318 data_source: &'r mut D, 319 code: &str, 320 verifier: &str, 321 metadata: &OAuthMetadata, 322) -> Result<TokenSet<'r>> 323where 324 T: OAuthResolver + DpopExt + Send + Sync + 'static, 325 D: DpopDataSource, 326{ 327 let token_response = oauth_request::<OAuthTokenResponse, T, D>( 328 client, 329 data_source, 330 OAuthRequest::Token(TokenRequestParameters { 331 grant_type: TokenGrantType::AuthorizationCode, 332 code: code.into(), 333 redirect_uri: CowStr::Owned( 334 metadata.client_metadata.redirect_uris[0] 335 .clone() 336 .to_smolstr(), 337 ), 338 code_verifier: verifier.into(), 339 }), 340 metadata, 341 ) 342 .await?; 343 let Some(sub) = token_response.sub else { 344 return Err(RequestError::TokenVerification); 345 }; 346 let sub = Did::new_owned(sub)?; 347 let iss = metadata.server_metadata.issuer.clone(); 348 // /!\ IMPORTANT /!\ 349 // 350 // The token_response MUST always be valid before the "sub" it contains 351 // can be trusted (see Atproto's OAuth spec for details). 352 let aud = client 353 .verify_issuer(&metadata.server_metadata, &sub) 354 .await?; 355 356 let expires_at = token_response.expires_in.and_then(|expires_in| { 357 Datetime::now() 358 .as_ref() 359 .checked_add_signed(TimeDelta::seconds(expires_in)) 360 .map(Datetime::new) 361 }); 362 Ok(TokenSet { 363 iss, 364 sub, 365 aud: CowStr::Owned(aud.to_smolstr()), 366 scope: token_response.scope.map(CowStr::Owned), 367 access_token: CowStr::Owned(token_response.access_token), 368 refresh_token: token_response.refresh_token.map(CowStr::Owned), 369 token_type: token_response.token_type, 370 expires_at, 371 }) 372} 373 374pub async fn revoke<'r, T, D>( 375 client: &T, 376 data_source: &'r mut D, 377 token: &str, 378 metadata: &OAuthMetadata, 379) -> Result<()> 380where 381 T: OAuthResolver + DpopExt + Send + Sync + 'static, 382 D: DpopDataSource, 383{ 384 oauth_request::<(), T, D>( 385 client, 386 data_source, 387 OAuthRequest::Revocation(RevocationRequestParameters { 388 token: token.into(), 389 }), 390 metadata, 391 ) 392 .await?; 393 Ok(()) 394} 395 396pub async fn oauth_request<'de: 'r, 'r, O, T, D>( 397 client: &T, 398 data_source: &'r mut D, 399 request: OAuthRequest<'r>, 400 metadata: &OAuthMetadata, 401) -> Result<O> 402where 403 T: OAuthResolver + DpopExt + Send + Sync + 'static, 404 O: serde::de::DeserializeOwned, 405 D: DpopDataSource, 406{ 407 let Some(url) = endpoint_for_req(&metadata.server_metadata, &request) else { 408 return Err(RequestError::NoEndpoint(request.name())); 409 }; 410 let client_assertions = build_auth( 411 metadata.keyset.as_ref(), 412 &metadata.server_metadata, 413 &metadata.client_metadata, 414 )?; 415 let body = match &request { 416 OAuthRequest::Token(params) => build_oauth_req_body(client_assertions, params)?, 417 OAuthRequest::Refresh(params) => build_oauth_req_body(client_assertions, params)?, 418 OAuthRequest::Revocation(params) => build_oauth_req_body(client_assertions, params)?, 419 OAuthRequest::PushedAuthorizationRequest(params) => { 420 build_oauth_req_body(client_assertions, params)? 421 } 422 _ => unimplemented!(), 423 }; 424 let req = Request::builder() 425 .uri(url.to_string()) 426 .method(Method::POST) 427 .header("Content-Type", "application/x-www-form-urlencoded") 428 .body(body.into_bytes())?; 429 let res = client 430 .dpop_server_call(data_source) 431 .send(req) 432 .await 433 .map_err(RequestError::DpopClient)?; 434 if res.status() == request.expected_status() { 435 let body = res.body(); 436 if body.is_empty() { 437 // since an empty body cannot be deserialized, use “null” temporarily to allow deserialization to `()`. 438 Ok(serde_json::from_slice(b"null")?) 439 } else { 440 let output: O = serde_json::from_slice(body)?; 441 Ok(output) 442 } 443 } else if res.status().is_client_error() { 444 Err(RequestError::HttpStatusWithBody( 445 res.status(), 446 serde_json::from_slice(res.body())?, 447 )) 448 } else { 449 Err(RequestError::HttpStatus(res.status())) 450 } 451} 452 453#[inline] 454fn endpoint_for_req<'a, 'r>( 455 server_metadata: &'r OAuthAuthorizationServerMetadata<'a>, 456 request: &'r OAuthRequest, 457) -> Option<&'r CowStr<'a>> { 458 match request { 459 OAuthRequest::Token(_) | OAuthRequest::Refresh(_) => Some(&server_metadata.token_endpoint), 460 OAuthRequest::Revocation(_) => server_metadata.revocation_endpoint.as_ref(), 461 OAuthRequest::Introspection => server_metadata.introspection_endpoint.as_ref(), 462 OAuthRequest::PushedAuthorizationRequest(_) => server_metadata 463 .pushed_authorization_request_endpoint 464 .as_ref(), 465 } 466} 467 468#[inline] 469fn build_oauth_req_body<'a, S>(client_assertions: ClientAuth<'a>, parameters: S) -> Result<String> 470where 471 S: Serialize, 472{ 473 Ok(serde_html_form::to_string(RequestPayload { 474 client_id: client_assertions.client_id, 475 client_assertion_type: client_assertions.assertion_type, 476 client_assertion: client_assertions.assertion, 477 parameters, 478 })?) 479} 480 481#[derive(Debug, Clone, Default)] 482pub struct ClientAuth<'a> { 483 client_id: CowStr<'a>, 484 assertion_type: Option<CowStr<'a>>, // either none or `CLIENT_ASSERTION_TYPE_JWT_BEARER` 485 assertion: Option<CowStr<'a>>, 486} 487 488impl<'s> ClientAuth<'s> { 489 pub fn new_id(client_id: CowStr<'s>) -> Self { 490 Self { 491 client_id, 492 assertion_type: None, 493 assertion: None, 494 } 495 } 496} 497 498fn build_auth<'a>( 499 keyset: Option<&Keyset>, 500 server_metadata: &OAuthAuthorizationServerMetadata<'a>, 501 client_metadata: &OAuthClientMetadata<'a>, 502) -> Result<ClientAuth<'a>> { 503 let method_supported = server_metadata 504 .token_endpoint_auth_methods_supported 505 .as_ref(); 506 507 let client_id = client_metadata.client_id.to_cowstr().into_static(); 508 if let Some(method) = client_metadata.token_endpoint_auth_method.as_ref() { 509 match (*method).as_ref() { 510 "private_key_jwt" 511 if method_supported 512 .as_ref() 513 .is_some_and(|v| v.contains(&CowStr::new_static("private_key_jwt"))) => 514 { 515 if let Some(keyset) = &keyset { 516 let mut algs = server_metadata 517 .token_endpoint_auth_signing_alg_values_supported 518 .clone() 519 .unwrap_or(vec![FALLBACK_ALG.into()]); 520 algs.sort_by(compare_algos); 521 let iat = Utc::now().timestamp(); 522 return Ok(ClientAuth { 523 client_id: client_id.clone(), 524 assertion_type: Some(CowStr::new_static(CLIENT_ASSERTION_TYPE_JWT_BEARER)), 525 assertion: Some( 526 keyset.create_jwt( 527 &algs, 528 // https://datatracker.ietf.org/doc/html/rfc7523#section-3 529 RegisteredClaims { 530 iss: Some(client_id.clone()), 531 sub: Some(client_id), 532 aud: Some(RegisteredClaimsAud::Single( 533 server_metadata.issuer.clone(), 534 )), 535 exp: Some(iat + 60), 536 // "iat" is required and **MUST** be less than one minute 537 // https://datatracker.ietf.org/doc/html/rfc9101 538 iat: Some(iat), 539 // atproto oauth-provider requires "jti" to be present 540 jti: Some(generate_nonce()), 541 ..Default::default() 542 } 543 .into(), 544 )?, 545 ), 546 }); 547 } 548 } 549 "none" 550 if method_supported 551 .as_ref() 552 .is_some_and(|v| v.contains(&CowStr::new_static("none"))) => 553 { 554 return Ok(ClientAuth::new_id(client_id)); 555 } 556 _ => {} 557 } 558 } 559 560 Err(RequestError::UnsupportedAuthMethod) 561} 562 563#[cfg(test)] 564mod tests { 565 use super::*; 566 use crate::types::{OAuthAuthorizationServerMetadata, OAuthClientMetadata}; 567 use bytes::Bytes; 568 use http::{Response as HttpResponse, StatusCode}; 569 use jacquard_common::http_client::HttpClient; 570 use jacquard_identity::resolver::IdentityResolver; 571 use std::sync::Arc; 572 use tokio::sync::Mutex; 573 574 #[derive(Clone, Default)] 575 struct MockClient { 576 resp: Arc<Mutex<Option<HttpResponse<Vec<u8>>>>>, 577 } 578 579 impl HttpClient for MockClient { 580 type Error = std::convert::Infallible; 581 fn send_http( 582 &self, 583 _request: http::Request<Vec<u8>>, 584 ) -> impl core::future::Future< 585 Output = core::result::Result<http::Response<Vec<u8>>, Self::Error>, 586 > + Send { 587 let resp = self.resp.clone(); 588 async move { Ok(resp.lock().await.take().unwrap()) } 589 } 590 } 591 592 // IdentityResolver methods won't be called in these tests; provide stubs. 593 impl IdentityResolver for MockClient { 594 fn options(&self) -> &jacquard_identity::resolver::ResolverOptions { 595 use std::sync::LazyLock; 596 static OPTS: LazyLock<jacquard_identity::resolver::ResolverOptions> = 597 LazyLock::new(|| jacquard_identity::resolver::ResolverOptions::default()); 598 &OPTS 599 } 600 async fn resolve_handle( 601 &self, 602 _handle: &jacquard_common::types::string::Handle<'_>, 603 ) -> std::result::Result< 604 jacquard_common::types::string::Did<'static>, 605 jacquard_identity::resolver::IdentityError, 606 > { 607 Ok(jacquard_common::types::string::Did::new_static("did:plc:alice").unwrap()) 608 } 609 async fn resolve_did_doc( 610 &self, 611 _did: &jacquard_common::types::string::Did<'_>, 612 ) -> std::result::Result< 613 jacquard_identity::resolver::DidDocResponse, 614 jacquard_identity::resolver::IdentityError, 615 > { 616 let doc = serde_json::json!({ 617 "id": "did:plc:alice", 618 "service": [{ 619 "id": "#pds", 620 "type": "AtprotoPersonalDataServer", 621 "serviceEndpoint": "https://pds" 622 }] 623 }); 624 let buf = Bytes::from(serde_json::to_vec(&doc).unwrap()); 625 Ok(jacquard_identity::resolver::DidDocResponse { 626 buffer: buf, 627 status: StatusCode::OK, 628 requested: None, 629 }) 630 } 631 } 632 633 // Allow using DPoP helpers on MockClient 634 impl crate::dpop::DpopExt for MockClient {} 635 impl crate::resolver::OAuthResolver for MockClient {} 636 637 fn base_metadata() -> OAuthMetadata { 638 let mut server = OAuthAuthorizationServerMetadata::default(); 639 server.issuer = CowStr::from("https://issuer"); 640 server.authorization_endpoint = CowStr::from("https://issuer/authorize"); 641 server.token_endpoint = CowStr::from("https://issuer/token"); 642 OAuthMetadata { 643 server_metadata: server, 644 client_metadata: OAuthClientMetadata { 645 client_id: url::Url::parse("https://client").unwrap(), 646 client_uri: None, 647 redirect_uris: vec![url::Url::parse("https://client/cb").unwrap()], 648 scope: Some(CowStr::from("atproto")), 649 grant_types: None, 650 token_endpoint_auth_method: Some(CowStr::from("none")), 651 dpop_bound_access_tokens: None, 652 jwks_uri: None, 653 jwks: None, 654 token_endpoint_auth_signing_alg: None, 655 }, 656 keyset: None, 657 } 658 } 659 660 #[tokio::test] 661 async fn par_missing_endpoint() { 662 let mut meta = base_metadata(); 663 meta.server_metadata.require_pushed_authorization_requests = Some(true); 664 meta.server_metadata.pushed_authorization_request_endpoint = None; 665 // require_pushed_authorization_requests is true and no endpoint 666 let err = super::par(&MockClient::default(), None, None, &meta) 667 .await 668 .unwrap_err(); 669 match err { 670 RequestError::NoEndpoint(name) => { 671 assert_eq!(name.as_ref(), "pushed_authorization_request"); 672 } 673 other => panic!("unexpected: {other:?}"), 674 } 675 } 676 677 #[tokio::test] 678 async fn refresh_no_refresh_token() { 679 let client = MockClient::default(); 680 let meta = base_metadata(); 681 let session = ClientSessionData { 682 account_did: jacquard_common::types::string::Did::new_static("did:plc:alice").unwrap(), 683 session_id: CowStr::from("state"), 684 host_url: url::Url::parse("https://pds").unwrap(), 685 authserver_url: url::Url::parse("https://issuer").unwrap(), 686 authserver_token_endpoint: CowStr::from("https://issuer/token"), 687 authserver_revocation_endpoint: None, 688 scopes: vec![], 689 dpop_data: DpopClientData { 690 dpop_key: crate::utils::generate_key(&[CowStr::from("ES256")]).unwrap(), 691 dpop_authserver_nonce: CowStr::from(""), 692 dpop_host_nonce: CowStr::from(""), 693 }, 694 token_set: crate::types::TokenSet { 695 iss: CowStr::from("https://issuer"), 696 sub: jacquard_common::types::string::Did::new_static("did:plc:alice").unwrap(), 697 aud: CowStr::from("https://pds"), 698 scope: None, 699 refresh_token: None, 700 access_token: CowStr::from("abc"), 701 token_type: crate::types::OAuthTokenType::DPoP, 702 expires_at: None, 703 }, 704 }; 705 let err = super::refresh(&client, session, &meta).await.unwrap_err(); 706 matches!(err, RequestError::NoRefreshToken); 707 } 708 709 #[tokio::test] 710 async fn exchange_code_missing_sub() { 711 let client = MockClient::default(); 712 // set mock HTTP response body: token response without `sub` 713 *client.resp.lock().await = Some( 714 HttpResponse::builder() 715 .status(StatusCode::OK) 716 .body( 717 serde_json::to_vec(&serde_json::json!({ 718 "access_token":"tok", 719 "token_type":"DPoP", 720 "expires_in": 3600 721 })) 722 .unwrap(), 723 ) 724 .unwrap(), 725 ); 726 let meta = base_metadata(); 727 let mut dpop = DpopReqData { 728 dpop_key: crate::utils::generate_key(&[CowStr::from("ES256")]).unwrap(), 729 dpop_authserver_nonce: None, 730 }; 731 let err = super::exchange_code(&client, &mut dpop, "abc", "verifier", &meta) 732 .await 733 .unwrap_err(); 734 matches!(err, RequestError::TokenVerification); 735 } 736}