Commit Graph

55 Commits

Author SHA1 Message Date
github-actions[bot] 23a13d7dde Version packages (#4621)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-02-06 19:09:51 +01:00
Matthieu Sieben fdbbff8543 Fix validation of oauth /authorize params (#4620) 2026-02-06 19:00:34 +01:00
Matthieu Sieben 78fee144ff Throw more detailed error upon CSRF login issue (#4606)
* Throw more detailed error upon CSRF login issue

* Add cookie support detection mechanism

* lint

* tidy

* Update packages/oauth/oauth-provider-ui/cookie-error-page.html

Co-authored-by: devin ivy <devinivy@gmail.com>

* review comments

* tidy

---------

Co-authored-by: devin ivy <devinivy@gmail.com>
2026-02-06 14:20:41 +01:00
Matthieu Sieben 8a725a9d69 Change workspace version selector from workspace:* to workspace:^ 2026-01-28 16:42:44 +01:00
github-actions[bot] 143a5f2251 Version packages (#4578)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-01-28 16:31:59 +01:00
github-actions[bot] 0093727fc4 Version packages (#4505)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-01-06 15:59:52 +01:00
github-actions[bot] 95bd491ecb Version packages (#4466)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-12-30 10:26:18 -06:00
Matthieu Sieben c7f5a86883 Fix redirect uri validation (#4468) 2025-12-17 19:31:49 +01:00
Matthieu Sieben 95ef3c24e8 Improve error message in case of invalid redirect uri (#4465) 2025-12-17 15:01:17 +01:00
Emelia Smith 5d8e7a6588 Support initiating user registration via OAuth flow with prompt=create (#4461)
* Add prompt_values_supported to Authorization Server Metadata

* Expose prompt_values_supported in Authorization Server Metadata

* Support selecting view in oauth-provider-ui based on prompt parameter

* Support initiating user registration via prompt=create

* Add support to OAuth Client Browser Example for prompt=create

* Add test coverage for prompt=create
2025-12-17 14:57:16 +01:00
github-actions[bot] dc08244c24 Version packages (#4386)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-12-02 11:05:55 -06:00
github-actions[bot] 4dede90ea5 Version packages (#4369)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-11-24 22:26:10 +01:00
github-actions[bot] 33435c2e83 Version packages (#4298)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-10-24 13:02:23 +02:00
Matthieu Sieben 8ff5ec4caa OAuth client validation improvements (#4289)
* OAuth client validation improvements

* Remove `isLocalHostname` export

* tidy
2025-10-24 12:53:03 +02:00
Aaron Parecki dca500186e update links to ietf docs (#4273) 2025-10-14 14:43:01 -07:00
github-actions[bot] bd469a6861 Version packages (#4247)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-10-06 19:13:28 +02:00
Matthieu Sieben e71d265dd4 Minor oauth jwk tweaks (#4256)
* Minor oauth jwk changes

* tidy
2025-10-06 15:45:05 +02:00
Matthieu Sieben 09439d7d68 OAuth client improvements (#4216)
* wip

* Various OAuth client & API improvements

* pnpm lock

* Minor typing improvements

* ci

* fix
2025-10-02 16:21:17 +02:00
github-actions[bot] d02d43c05b Version packages (#4102)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-08-13 15:22:03 +02:00
github-actions[bot] b70f62c6b9 Version packages (#3988)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-06-24 06:17:02 -07:00
Matthieu Sieben 3a1e010e14 OAuth: Improve error reporting (#3973)
* Fix authorization error type name

* Refactor authorization error handling: replace AccessDeniedError with AuthorizationError and improve error reporting
2025-06-23 18:30:33 +02:00
github-actions[bot] 9f9a08648b Version packages (#3975)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-06-19 20:43:13 +02:00
github-actions[bot] 71a0a026c1 Version packages (#3947)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-06-13 13:49:11 -05:00
Matthieu Sieben 349b59175e Properly validate auth during refresh (#3847)
* Ensure that the credentials used during a refresh correspond to those used to create the OAuth tokens.

* tidy

* Bind the OAuth session to the kid that was used to authenticate the client (private_key_jwt)

* Store the whole authentication method in the client session store rather than the kid only

* tidy

* Improve error reporting in case an invalid `token_endpoint_auth_method` is used in the client metadata document.

* tidy

* tidy

* Improve JAR checks

* tidy

* changeset

* tidy

* Remove schema's `.optional()` modifier when a `.default()` is defined

* tidy

* verify client auth during code exchange

* tidy

* Minor naming improvement

* tidy

* Update .changeset/quiet-pans-fix.md

Co-authored-by: devin ivy <devinivy@gmail.com>

* Update packages/oauth/oauth-client/src/oauth-client-auth.ts

* Use `private_key_jwt` instead of incorrect `client_secret_jwt` as authentication method for confidential clients

* style

* code split

* dead code removal

* Represent missing client auth with a `null` instead of "none" when storing request data.

* Allow storing `null` in authorization_request's `clientAuth` json column

* document

* tidy

* Remove non-standard behavior that allowed client to authenticate through JAR

* Improved error messages

* Parse JSON encoded Authorization Request Parameters

* Use `application/x-www-form-urlencoded` content instead of JSON for OAuth requests

Fixes: #3723

* tidy

* tidy

* tidy

* tidy

* code style

* remove un-necessary checks

* tidy

* Pre-process number too

* improved type checking

* add missing exports

* fix merge conflict

* tidy

* Remove invalid default for `code_challenge_method` authorization request parameter

* tidy

* Delete inaccurate changeset

* PR comment

* tidy

* Update OAuth client credentials factory to return headers and payload separately.

* tidy

* Renamed `clientAuthCheck` to `validateClientAuth`

* Validate presence of DPoP proofs sooner when processing token requests.

Fixes: #3859

* Protect against concurrent use of request code

* tidy

* tidy

* Update packages/oauth/oauth-provider/src/client/client.ts

Co-authored-by: devin ivy <devinivy@gmail.com>

* Review comments

* Add missing `exp` claim in client attestation JWT

* fixup! Review comments

* Review comments

* Refactor: explicit optionality of unsigned JAR issuer & audience

* Use client attestation's `exp` claim to determine the life time of JWT's `jti` nonce.

* Fix PDS: consumeRequestCode should delete request data

* tidy

* tidy

* Unused code removal

* Restore "Native clients must authenticate using "none" method" check

* tidy

* tidy

* cleanup

* comment

* Allow missing DPoP header during PAR request if `dpop_jkt` is provided

* tidy

---------

Co-authored-by: devin ivy <devinivy@gmail.com>
2025-06-12 15:10:17 +02:00
github-actions[bot] 623c95d01e Version packages (#3924)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-06-05 14:59:03 +02:00
Matthieu Sieben a3b24ca77c Use Form encoded body instead of JSON for OAuth requests (#3919)
* Parse JSON encoded Authorization Request Parameters

* Use `application/x-www-form-urlencoded` content instead of JSON for OAuth requests

Fixes: #3723

* Pre-process number too

* improved type checking

* Update packages/oauth/oauth-client/src/oauth-server-agent.ts

Co-authored-by: devin ivy <devinivy@gmail.com>

---------

Co-authored-by: devin ivy <devinivy@gmail.com>
2025-06-05 14:15:42 +02:00
github-actions[bot] b36014dac5 Version packages (#3803)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-05-05 17:44:12 -03:00
Matthieu Sieben a48b093f0b Use more consistent UI regardless of profile completion (#3797)
* Expose `pdsAgent` as global constant

* Use more consistent UI regardless of profile completion

* strings

* Add `OidcUserinfo` type
2025-04-25 10:10:13 +02:00
github-actions[bot] 90e9a20d31 Version packages (#3777)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-04-18 11:11:53 +02:00
Matthieu Sieben 30f9b6690e OAuth Provider account page fixes (#3764)
* Allow `:` chars in url path parts

* Allow customizing contrast and hue colors

* Allow customizing contrast and hue colors

* Use white as primary contrast color

* Fix buttons alignment and labels in "My Devices" section

* Add a `<title>` tag to all pages

* Properly display the "lastSeenAt" date

* Improve display of clients & devices

* tidy

* code split

* Add definition for `ConventionalOAuthClientId`

* Remove hard coded `client_name` from loopback client metadata

* Code factorization

* Fix `<title>` of branding page
2025-04-18 11:04:34 +02:00
github-actions[bot] bf0faed1f8 Version packages (#3748)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2025-04-15 17:35:49 +02:00
Matthieu Sieben 371e04aad2 Account management page (#3659)
---------

Co-authored-by: Eric Bailey <git@esb.lol>
2025-04-15 17:15:27 +02:00
github-actions[bot] f46554bcb8 Version packages (#3591)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2025-03-07 11:03:00 -05:00
Matthieu Sieben 850e39843c OAuth: Reset password & Sign-up (#2945)
* Adds "password reset" during OAuth flows
* Adds "Sign up" during OAuth flows
* Adds support for multiple languages in the OAuth flow
* Adds "fr" translation for the OAuth flow

Co-authored-by: devin ivy <devinivy@gmail.com>
Co-authored-by: Eric Bailey <git@esb.lol>
2025-03-07 09:41:06 +01:00
github-actions[bot] 799dd925e9 Version packages (#3493)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2025-02-05 17:50:10 -06:00
Matthieu Sieben 61dc0d60e1 Add linting rule to sort imports (#3220)
* Add linting rule to sort imports

* remove spacing between import groups

* changeset

* changeset

* prettier config fine tuning

* forbid use of deprecated imports

* tidy
2025-02-05 15:06:58 +01:00
github-actions[bot] a44db38d05 Version packages (#3345)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2025-01-13 16:32:43 -08:00
github-actions[bot] 53fcc2fbcb Version packages (#3100)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-11-25 21:22:04 -05:00
Matthieu Sieben 5ddd51235c OAuth url scheme validation (#3066)
* Improve message of OAuthResolverError in case of metadata validation error

* Use named export from zod

* docs

* Enforce use of http and https url where applicable

* Verify authorization_endpoint URL protocol

* fix pds tests for new oauth resource metadata check

* Allow non-https urls as resource metadata url

* Strong validation or redirect_uri

* Ensure that client-id is a web url

* explicit use of "url" schema as potentially dangerous

* changeset

* tidy

* simplify type

* prevent loopback hostname for https: redirect uris

* Forbid use of non https internet uris

* allow "localhost" for web uris

* tidy

* tidy

* tidy

---------

Co-authored-by: Devin Ivy <devinivy@gmail.com>
2024-11-25 01:51:33 -05:00
github-actions[bot] c307a75db1 Version packages (#2889)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-10-24 11:32:50 -05:00
Matthieu Sieben 9d40ccbb69 Various OAuth related fixes (#2871)
* wip

* tidy

* tidy

* tidy

* Update packages/oauth/oauth-client/src/session-getter.ts

Co-authored-by: devin ivy <devinivy@gmail.com>

* fix combineSignals

* tidy

* tidy

* improve typing of atprotoScopeSchema

* stronger typings

* tidy

* ci

* Fix cors error

* downgrade ioredis dependency

* fix ioredis version

* tidy

---------

Co-authored-by: devin ivy <devinivy@gmail.com>
2024-10-18 20:23:33 +02:00
Matthieu Sieben 7f26b17652 Add OAuth tests (#2874)
* Improve error message when using invalid client_id during code exchange

* Extract SPA example OAuth client in own package

* wip

* remove dependency on get-port

* Properly configure jest to only transpile "get-port" from node_modules

https://jestjs.io/docs/configuration#transformignorepatterns-arraystring

* Use dynamically assigned port number during tests

* use puppeteer to run tests

* remove login input "id" attribute

* code style

* add missing declaration

* tidy

* headless

* remove get-port dependency

* fix tests/proxied/admin.test.ts

* fix tests

* Allow unsecure oauth providers through configuration

* transpile "lande" during ozone tests

* Cache Puppeteer browser binaries

* Use puppeteer cache during all workflow steps

* remove use of set-output

* use get-port in xrpc-server tests

* Renamed to allowHttp

* tidy

* tidy
2024-10-18 15:40:05 +02:00
Matthieu Sieben fabc8a9381 Update typescript to version 5.6.2 (#2863) 2024-10-11 14:05:53 +02:00
github-actions[bot] 6593fdc3f4 Version packages (#2812)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-09-27 13:04:34 -05:00
Matthieu Sieben ed325d863c OAuth spec alignment (#2755)
* Improve reporting of metadata validation error
* Properly validate client metadata scope
* Allow loopback clients to define their scopes through client_id query parameters
* Require definition of "scope" in client metadata document
* Restrict the value used as code_challenge_methods_supported
* Remove `plain` from `code_challenge_methods_supported`
* Prevent use of empty string in unsupported oidc request parameters
* Centralize parsing of client metadata error
* Enfore code_challenge_method=S256 request parameter
* Improve error description in case of invalid loopback client_id
* Enfore single scope query param in loopback clients
* Disable request params scopes defaulting to client metadata scope
* Centralize loopback client validation logic
* add assertion utils for client ids
* Improve invalid client_id error messages from BrowserOAuthClient.from()
* Use scope from client metadata as default value
* Improve client side validation of client metadata
* Allow fetching of source maps files from browser debugger
* Use the clientId to configure the OAuth client
* Allow native clients to use https: redirect uris
* Explicitely forbid MTLS client auth method
* Improve error feedback in case of invalid client_id domain name
* Remove un-spec'ed restrictions on redirect_uris based on the client_uri
* Do not strip query string from URL after oauth redirect in fragment mode
* Add missing "expires_in" property to OAuthParResponse type definition
* Allow non canonical urls to be used as client ID
* Allow client metadata to contain other return type values than "code"
* Properly validate request_uri request parameter
* Improve parsing and validation of client_id's
* Return "invalid_client" on invalid client credentials
* improved error management & reporting
* performance improvement
* Allow loopback client ids to omit the (empty) path parameter

Co-authored-by: devin ivy <devinivy@gmail.com>
2024-09-26 14:07:08 +02:00
github-actions[bot] a1d8c77edd Version packages (#2738)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-08-27 14:03:39 -04:00
Matthieu Sieben dee817b6e0 OAuth: Add authorization scopes & remove OpenID compatibility (#2734)
* Re-use code definition of oauthResponseTypeSchema

* Generate proper invalid_authorization_details

* Remove OpenID compatibility

* tidy

* properly verify presence of jti claim in client assertion

* Remove non-standard "sub" from OAuthTokenResponse

* Remove nonce from authorization request

* tidy

* Enforce uniqueness of code_challenge

* remove unused "atproto" scope

* Improve reporting of validation errors

* Allow empty set of scopes

* Do not remove scopes not advertised in the AS's "scopes_supported" when building the authorization request.

* Prevent empty scope string

* Remove invalid check from token response

* remove un-necessary session refresh

* Validate scopes characters according to OAuth 2.1 spec

* Mandate the use of "atproto" scope

* Disable ability to list app passwords when using an app password

* Use locally defined authPassthru in com.atproto.admin.* handlers

* provide proper production handle resolver in example

* properly compote login method

* feat(oauth-provider): always rotate session cookie on sign-in

* feat(oauth-provider): do not require consent from first party apps

* update request parameter's prompt before other param validation checks

* feat(oauth-provider): rework display of client name

* feat(oauth-client-browser:example): add token info introspection

* feat(oauth-client-browser:example): allow defining scope globally

* Display requested scopes during the auth flow

* Add, and verify, a "typ" header to access and refresh tokens

* Ignore case when checking for dpop auth scheme

* Add "jwtAlg" option to verifySignature() function

* Verify service JWT header values. Add iat claim to service JWT

* Add support for "transition:generic" and "transition:chat.bsky" oauth scopes in PDS

* oauth-client-browser(example): add scope request

* Add missing "atproto" scope

* Allow missing 'typ' claim in service auth jwt

* Improved 401 feedback

Co-authored-by: devin ivy <devinivy@gmail.com>

* Properly parse scopes upon verification

Co-authored-by: devin ivy <devinivy@gmail.com>

* Rename "atp" to "credential" auth in oauth-client-browser example

* add key to iteration items

* Make CORS protection stronger

* Allow OAuthProvider to define its own CORS policies

* Revert "Allow missing 'typ' claim in service auth jwt"

This reverts commit 15c6b9e2197064eb5de61a96de6497060edb824e.

* Revert "Verify service JWT header values. Add iat claim to service JWT"

This reverts commit 08df8df322a3f4b631c4a63a61d55b2c84c60c11.

* Revert "Add "jwtAlg" option to verifySignature() function"

This reverts commit d0f77354e6904678e7f5d76bb026f07537443ba9.

* Revert "Add, and verify, a "typ" header to access and refresh tokens"

This reverts commit 3e21be9e4b5875caa5e862c11f2196786fb2366d.

* pds: implement protected service auth methods

* Prevent app password management using sessions initiated from an app password.

* Alphabetically sort PROTECTED_METHODS

* Revert changes to app password management permissions

* tidy

---------

Co-authored-by: devin ivy <devinivy@gmail.com>
2024-08-27 13:43:29 -04:00
github-actions[bot] 5e2f2617ab Version packages (#2726)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-08-20 11:41:33 -04:00
Matthieu Sieben 35a1264297 Remove non-standard *_endpoint_auth_method (#2729) 2024-08-20 17:26:19 +02:00
github-actions[bot] 3940733bf0 Version packages (#2706)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-08-12 16:11:19 -04:00