60 Commits

Author SHA1 Message Date
github-actions[bot]
e216e87859
Version packages (#4167)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-09-09 12:29:10 +02:00
github-actions[bot]
920f895807
Version packages (#4152)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-08-29 12:54:51 +02:00
Matthieu Sieben
86c4699da8
Improve oauth client callback handling (#4150) 2025-08-29 12:45:35 +02:00
Matthieu Sieben
f65afa33f5
Support multiple redirect URIs for @atproto/oauth-client-browser #4144 (#4147)
* Support multiple redirect URIs for @atproto/oauth-client-browser

* For redirect_uri callback parameter type

* fix-type-error

* Do not fail if the client can't figure out which redirect uri was used (and only one is available)

---------

Co-authored-by: Emelia Smith <ThisIsMissEm@users.noreply.github.com>
2025-08-28 17:57:38 +02:00
github-actions[bot]
768e81b232
Version packages (#4126)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-08-27 13:36:05 -04:00
github-actions[bot]
5188ef3b59
Version packages (#4116)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-08-20 21:48:51 +02:00
github-actions[bot]
d02d43c05b
Version packages (#4102)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-08-13 15:22:03 +02:00
github-actions[bot]
f27ae66432
Version packages (#4024)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-07-11 20:35:18 +02:00
github-actions[bot]
b70f62c6b9
Version packages (#3988)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-06-24 06:17:02 -07:00
github-actions[bot]
bc2c578203
Version packages (#3979)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-06-20 10:54:34 +02:00
github-actions[bot]
9f9a08648b
Version packages (#3975)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-06-19 20:43:13 +02:00
github-actions[bot]
71a0a026c1
Version packages (#3947)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-06-13 13:49:11 -05:00
github-actions[bot]
c2b57e3f65
Version packages (#3944)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-06-11 16:49:12 -05:00
github-actions[bot]
93bf69df96
Version packages (#3936)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-06-06 20:20:02 -03:00
github-actions[bot]
623c95d01e
Version packages (#3924)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-06-05 14:59:03 +02:00
github-actions[bot]
bae3ef91fc
Version packages (#3897)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-05-27 21:31:22 -05:00
github-actions[bot]
d6c40d6559
Version packages (#3878) 2025-05-26 22:04:18 +03:00
github-actions[bot]
0a2c30dd97
Version packages (#3872)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-05-20 15:15:10 -07:00
github-actions[bot]
b36014dac5
Version packages (#3803)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-05-05 17:44:12 -03:00
github-actions[bot]
90e9a20d31
Version packages (#3777)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-04-18 11:11:53 +02:00
github-actions[bot]
bf0faed1f8
Version packages (#3748)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-04-15 17:35:49 +02:00
Matthieu Sieben
371e04aad2
Account management page (#3659)
---------

Co-authored-by: Eric Bailey <git@esb.lol>
2025-04-15 17:15:27 +02:00
github-actions[bot]
6bc8355c40
Version packages (#3710)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-04-02 18:38:47 -05:00
github-actions[bot]
c777ba6d68
Version packages (#3631)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-03-20 15:21:15 +01:00
github-actions[bot]
f46554bcb8
Version packages (#3591)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2025-03-07 11:03:00 -05:00
github-actions[bot]
03351a5818
Version packages (#3529)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2025-02-13 15:27:09 +01:00
github-actions[bot]
799dd925e9
Version packages (#3493)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2025-02-05 17:50:10 -06:00
Matthieu Sieben
61dc0d60e1
Add linting rule to sort imports (#3220)
* Add linting rule to sort imports

* remove spacing between import groups

* changeset

* changeset

* prettier config fine tuning

* forbid use of deprecated imports

* tidy
2025-02-05 15:06:58 +01:00
github-actions[bot]
1c195a3845
Version packages (#3442)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2025-01-31 18:01:32 -06:00
github-actions[bot]
a44db38d05
Version packages (#3345)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2025-01-13 16:32:43 -08:00
github-actions[bot]
7aecc57dbb
Version packages (#3331)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2025-01-07 09:29:57 -05:00
github-actions[bot]
85a437800d
Version packages (#3259)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-12-19 11:41:41 -05:00
github-actions[bot]
51b0c48ce7
Version packages (#3188)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-12-11 14:11:08 -06:00
github-actions[bot]
21542d4484
Version packages (#3136)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-12-05 11:51:46 +00:00
github-actions[bot]
53fcc2fbcb
Version packages (#3100)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-11-25 21:22:04 -05:00
Hwee-Boon Yar
36280bed10
Fix: typo (#3101) 2024-11-25 14:22:45 -05:00
github-actions[bot]
3a5fc92a74
Version packages (#2962)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-11-13 17:00:25 -06:00
github-actions[bot]
c307a75db1
Version packages (#2889)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-10-24 11:32:50 -05:00
Matthieu Sieben
9d40ccbb69
Various OAuth related fixes (#2871)
* wip

* tidy

* tidy

* tidy

* Update packages/oauth/oauth-client/src/session-getter.ts

Co-authored-by: devin ivy <devinivy@gmail.com>

* fix combineSignals

* tidy

* tidy

* improve typing of atprotoScopeSchema

* stronger typings

* tidy

* ci

* Fix cors error

* downgrade ioredis dependency

* fix ioredis version

* tidy

---------

Co-authored-by: devin ivy <devinivy@gmail.com>
2024-10-18 20:23:33 +02:00
Matthieu Sieben
7f26b17652
Add OAuth tests (#2874)
* Improve error message when using invalid client_id during code exchange

* Extract SPA example OAuth client in own package

* wip

* remove dependency on get-port

* Properly configure jest to only transpile "get-port" from node_modules

https://jestjs.io/docs/configuration#transformignorepatterns-arraystring

* Use dynamically assigned port number during tests

* use puppeteer to run tests

* remove login input "id" attribute

* code style

* add missing declaration

* tidy

* headless

* remove get-port dependency

* fix tests/proxied/admin.test.ts

* fix tests

* Allow unsecure oauth providers through configuration

* transpile "lande" during ozone tests

* Cache Puppeteer browser binaries

* Use puppeteer cache during all workflow steps

* remove use of set-output

* use get-port in xrpc-server tests

* Renamed to allowHttp

* tidy

* tidy
2024-10-18 15:40:05 +02:00
Matthieu Sieben
fabc8a9381
Update typescript to version 5.6.2 (#2863) 2024-10-11 14:05:53 +02:00
github-actions[bot]
6593fdc3f4
Version packages (#2812)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-09-27 13:04:34 -05:00
Matthieu Sieben
ed325d863c
OAuth spec alignment (#2755)
* Improve reporting of metadata validation error
* Properly validate client metadata scope
* Allow loopback clients to define their scopes through client_id query parameters
* Require definition of "scope" in client metadata document
* Restrict the value used as code_challenge_methods_supported
* Remove `plain` from `code_challenge_methods_supported`
* Prevent use of empty string in unsupported oidc request parameters
* Centralize parsing of client metadata error
* Enfore code_challenge_method=S256 request parameter
* Improve error description in case of invalid loopback client_id
* Enfore single scope query param in loopback clients
* Disable request params scopes defaulting to client metadata scope
* Centralize loopback client validation logic
* add assertion utils for client ids
* Improve invalid client_id error messages from BrowserOAuthClient.from()
* Use scope from client metadata as default value
* Improve client side validation of client metadata
* Allow fetching of source maps files from browser debugger
* Use the clientId to configure the OAuth client
* Allow native clients to use https: redirect uris
* Explicitely forbid MTLS client auth method
* Improve error feedback in case of invalid client_id domain name
* Remove un-spec'ed restrictions on redirect_uris based on the client_uri
* Do not strip query string from URL after oauth redirect in fragment mode
* Add missing "expires_in" property to OAuthParResponse type definition
* Allow non canonical urls to be used as client ID
* Allow client metadata to contain other return type values than "code"
* Properly validate request_uri request parameter
* Improve parsing and validation of client_id's
* Return "invalid_client" on invalid client credentials
* improved error management & reporting
* performance improvement
* Allow loopback client ids to omit the (empty) path parameter

Co-authored-by: devin ivy <devinivy@gmail.com>
2024-09-26 14:07:08 +02:00
github-actions[bot]
85c85350d1
Version packages (#2791)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-09-11 18:30:47 -05:00
github-actions[bot]
a1d8c77edd
Version packages (#2738)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-08-27 14:03:39 -04:00
Matthieu Sieben
dee817b6e0
OAuth: Add authorization scopes & remove OpenID compatibility (#2734)
* Re-use code definition of oauthResponseTypeSchema

* Generate proper invalid_authorization_details

* Remove OpenID compatibility

* tidy

* properly verify presence of jti claim in client assertion

* Remove non-standard "sub" from OAuthTokenResponse

* Remove nonce from authorization request

* tidy

* Enforce uniqueness of code_challenge

* remove unused "atproto" scope

* Improve reporting of validation errors

* Allow empty set of scopes

* Do not remove scopes not advertised in the AS's "scopes_supported" when building the authorization request.

* Prevent empty scope string

* Remove invalid check from token response

* remove un-necessary session refresh

* Validate scopes characters according to OAuth 2.1 spec

* Mandate the use of "atproto" scope

* Disable ability to list app passwords when using an app password

* Use locally defined authPassthru in com.atproto.admin.* handlers

* provide proper production handle resolver in example

* properly compote login method

* feat(oauth-provider): always rotate session cookie on sign-in

* feat(oauth-provider): do not require consent from first party apps

* update request parameter's prompt before other param validation checks

* feat(oauth-provider): rework display of client name

* feat(oauth-client-browser:example): add token info introspection

* feat(oauth-client-browser:example): allow defining scope globally

* Display requested scopes during the auth flow

* Add, and verify, a "typ" header to access and refresh tokens

* Ignore case when checking for dpop auth scheme

* Add "jwtAlg" option to verifySignature() function

* Verify service JWT header values. Add iat claim to service JWT

* Add support for "transition:generic" and "transition:chat.bsky" oauth scopes in PDS

* oauth-client-browser(example): add scope request

* Add missing "atproto" scope

* Allow missing 'typ' claim in service auth jwt

* Improved 401 feedback

Co-authored-by: devin ivy <devinivy@gmail.com>

* Properly parse scopes upon verification

Co-authored-by: devin ivy <devinivy@gmail.com>

* Rename "atp" to "credential" auth in oauth-client-browser example

* add key to iteration items

* Make CORS protection stronger

* Allow OAuthProvider to define its own CORS policies

* Revert "Allow missing 'typ' claim in service auth jwt"

This reverts commit 15c6b9e2197064eb5de61a96de6497060edb824e.

* Revert "Verify service JWT header values. Add iat claim to service JWT"

This reverts commit 08df8df322a3f4b631c4a63a61d55b2c84c60c11.

* Revert "Add "jwtAlg" option to verifySignature() function"

This reverts commit d0f77354e6904678e7f5d76bb026f07537443ba9.

* Revert "Add, and verify, a "typ" header to access and refresh tokens"

This reverts commit 3e21be9e4b5875caa5e862c11f2196786fb2366d.

* pds: implement protected service auth methods

* Prevent app password management using sessions initiated from an app password.

* Alphabetically sort PROTECTED_METHODS

* Revert changes to app password management permissions

* tidy

---------

Co-authored-by: devin ivy <devinivy@gmail.com>
2024-08-27 13:43:29 -04:00
Matthieu Sieben
d9ffa3c460
Instantiate XrpcClient from an OAuthAgent (#2714)
* Improve transformation of fetchHandler errors into XrpcError

* Add ability to instantiate XrpcClient from FetchHandlerObject type

* Remove un-necessary dev dependency

* Allow oauthAgent to be used in order to instantiate XrpcClient

* fix lock file

* Move OAuthAtpAgent  to api package

* correct doc

* docs(oauth-client): improve example

* fix example code

* Rename OAuthAgent into OAuthSession

* Allow instantiating Agent and XrpcClient with OAuthSession

* Fix changesets

* codegen

* tidy

* tidy

* tidy

* Update .changeset/chilled-jokes-relax.md

Co-authored-by: surfdude29 <149612116+surfdude29@users.noreply.github.com>

* Update packages/oauth/oauth-client/README.md

Co-authored-by: surfdude29 <149612116+surfdude29@users.noreply.github.com>

* Update packages/api/OAUTH.md

Co-authored-by: surfdude29 <149612116+surfdude29@users.noreply.github.com>

* Update .changeset/old-mice-give.md

Co-authored-by: surfdude29 <149612116+surfdude29@users.noreply.github.com>

* Update packages/api/OAUTH.md

* Update packages/api/README.md

* Update packages/api/README.md

* Update .changeset/polite-toys-happen.md

---------

Co-authored-by: surfdude29 <149612116+surfdude29@users.noreply.github.com>
Co-authored-by: devin ivy <devinivy@gmail.com>
2024-08-22 17:59:22 -04:00
github-actions[bot]
f70bd6a9dc
Version packages (#2736)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-08-22 09:54:41 -07:00
github-actions[bot]
1572058887
Version packages (#2732)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-08-21 14:42:01 -05:00
github-actions[bot]
5e2f2617ab
Version packages (#2726)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-08-20 11:41:33 -04:00