* Add prompt_values_supported to Authorization Server Metadata
* Expose prompt_values_supported in Authorization Server Metadata
* Support selecting view in oauth-provider-ui based on prompt parameter
* Support initiating user registration via prompt=create
* Add support to OAuth Client Browser Example for prompt=create
* Add test coverage for prompt=create
* Fix authorization error type name
* Refactor authorization error handling: replace AccessDeniedError with AuthorizationError and improve error reporting
* Ensure that the credentials used during a refresh correspond to those used to create the OAuth tokens.
* tidy
* Bind the OAuth session to the kid that was used to authenticate the client (private_key_jwt)
* Store the whole authentication method in the client session store rather than the kid only
* tidy
* Improve error reporting in case an invalid `token_endpoint_auth_method` is used in the client metadata document.
* tidy
* tidy
* Improve JAR checks
* tidy
* changeset
* tidy
* Remove schema's `.optional()` modifier when a `.default()` is defined
* tidy
* verify client auth during code exchange
* tidy
* Minor naming improvement
* tidy
* Update .changeset/quiet-pans-fix.md
Co-authored-by: devin ivy <devinivy@gmail.com>
* Update packages/oauth/oauth-client/src/oauth-client-auth.ts
* Use `private_key_jwt` instead of incorrect `client_secret_jwt` as authentication method for confidential clients
* style
* code split
* dead code removal
* Represent missing client auth with a `null` instead of "none" when storing request data.
* Allow storing `null` in authorization_request's `clientAuth` json column
* document
* tidy
* Remove non-standard behavior that allowed client to authenticate through JAR
* Improved error messages
* Parse JSON encoded Authorization Request Parameters
* Use `application/x-www-form-urlencoded` content instead of JSON for OAuth requests
Fixes: #3723
* tidy
* tidy
* tidy
* tidy
* code style
* remove un-necessary checks
* tidy
* Pre-process number too
* improved type checking
* add missing exports
* fix merge conflict
* tidy
* Remove invalid default for `code_challenge_method` authorization request parameter
* tidy
* Delete inaccurate changeset
* PR comment
* tidy
* Update OAuth client credentials factory to return headers and payload separately.
* tidy
* Renamed `clientAuthCheck` to `validateClientAuth`
* Validate presence of DPoP proofs sooner when processing token requests.
Fixes: #3859
* Protect against concurrent use of request code
* tidy
* tidy
* Update packages/oauth/oauth-provider/src/client/client.ts
Co-authored-by: devin ivy <devinivy@gmail.com>
* Review comments
* Add missing `exp` claim in client attestation JWT
* fixup! Review comments
* Review comments
* Refactor: explicit optionality of unsigned JAR issuer & audience
* Use client attestation's `exp` claim to determine the life time of JWT's `jti` nonce.
* Fix PDS: consumeRequestCode should delete request data
* tidy
* tidy
* Unused code removal
* Restore "Native clients must authenticate using "none" method" check
* tidy
* tidy
* cleanup
* comment
* Allow missing DPoP header during PAR request if `dpop_jkt` is provided
* tidy
---------
Co-authored-by: devin ivy <devinivy@gmail.com>
* Allow `:` chars in url path parts
* Allow customizing contrast and hue colors
* Allow customizing contrast and hue colors
* Use white as primary contrast color
* Fix buttons alignment and labels in "My Devices" section
* Add a `<title>` tag to all pages
* Properly display the "lastSeenAt" date
* Improve display of clients & devices
* tidy
* code split
* Add definition for `ConventionalOAuthClientId`
* Remove hard coded `client_name` from loopback client metadata
* Code factorization
* Fix `<title>` of branding page
* Adds "password reset" during OAuth flows
* Adds "Sign up" during OAuth flows
* Adds support for multiple languages in the OAuth flow
* Adds "fr" translation for the OAuth flow
Co-authored-by: devin ivy <devinivy@gmail.com>
Co-authored-by: Eric Bailey <git@esb.lol>
* Add linting rule to sort imports
* remove spacing between import groups
* changeset
* changeset
* prettier config fine tuning
* forbid use of deprecated imports
* tidy
* Improve message of OAuthResolverError in case of metadata validation error
* Use named export from zod
* docs
* Enforce use of http and https url where applicable
* Verify authorization_endpoint URL protocol
* fix pds tests for new oauth resource metadata check
* Allow non-https urls as resource metadata url
* Strong validation or redirect_uri
* Ensure that client-id is a web url
* explicit use of "url" schema as potentially dangerous
* changeset
* tidy
* simplify type
* prevent loopback hostname for https: redirect uris
* Forbid use of non https internet uris
* allow "localhost" for web uris
* tidy
* tidy
* tidy
---------
Co-authored-by: Devin Ivy <devinivy@gmail.com>
* Improve error message when using invalid client_id during code exchange
* Extract SPA example OAuth client in own package
* wip
* remove dependency on get-port
* Properly configure jest to only transpile "get-port" from node_modules
https://jestjs.io/docs/configuration#transformignorepatterns-arraystring
* Use dynamically assigned port number during tests
* use puppeteer to run tests
* remove login input "id" attribute
* code style
* add missing declaration
* tidy
* headless
* remove get-port dependency
* fix tests/proxied/admin.test.ts
* fix tests
* Allow unsecure oauth providers through configuration
* transpile "lande" during ozone tests
* Cache Puppeteer browser binaries
* Use puppeteer cache during all workflow steps
* remove use of set-output
* use get-port in xrpc-server tests
* Renamed to allowHttp
* tidy
* tidy
* Improve reporting of metadata validation error
* Properly validate client metadata scope
* Allow loopback clients to define their scopes through client_id query parameters
* Require definition of "scope" in client metadata document
* Restrict the value used as code_challenge_methods_supported
* Remove `plain` from `code_challenge_methods_supported`
* Prevent use of empty string in unsupported oidc request parameters
* Centralize parsing of client metadata error
* Enfore code_challenge_method=S256 request parameter
* Improve error description in case of invalid loopback client_id
* Enfore single scope query param in loopback clients
* Disable request params scopes defaulting to client metadata scope
* Centralize loopback client validation logic
* add assertion utils for client ids
* Improve invalid client_id error messages from BrowserOAuthClient.from()
* Use scope from client metadata as default value
* Improve client side validation of client metadata
* Allow fetching of source maps files from browser debugger
* Use the clientId to configure the OAuth client
* Allow native clients to use https: redirect uris
* Explicitely forbid MTLS client auth method
* Improve error feedback in case of invalid client_id domain name
* Remove un-spec'ed restrictions on redirect_uris based on the client_uri
* Do not strip query string from URL after oauth redirect in fragment mode
* Add missing "expires_in" property to OAuthParResponse type definition
* Allow non canonical urls to be used as client ID
* Allow client metadata to contain other return type values than "code"
* Properly validate request_uri request parameter
* Improve parsing and validation of client_id's
* Return "invalid_client" on invalid client credentials
* improved error management & reporting
* performance improvement
* Allow loopback client ids to omit the (empty) path parameter
Co-authored-by: devin ivy <devinivy@gmail.com>
* Re-use code definition of oauthResponseTypeSchema
* Generate proper invalid_authorization_details
* Remove OpenID compatibility
* tidy
* properly verify presence of jti claim in client assertion
* Remove non-standard "sub" from OAuthTokenResponse
* Remove nonce from authorization request
* tidy
* Enforce uniqueness of code_challenge
* remove unused "atproto" scope
* Improve reporting of validation errors
* Allow empty set of scopes
* Do not remove scopes not advertised in the AS's "scopes_supported" when building the authorization request.
* Prevent empty scope string
* Remove invalid check from token response
* remove un-necessary session refresh
* Validate scopes characters according to OAuth 2.1 spec
* Mandate the use of "atproto" scope
* Disable ability to list app passwords when using an app password
* Use locally defined authPassthru in com.atproto.admin.* handlers
* provide proper production handle resolver in example
* properly compote login method
* feat(oauth-provider): always rotate session cookie on sign-in
* feat(oauth-provider): do not require consent from first party apps
* update request parameter's prompt before other param validation checks
* feat(oauth-provider): rework display of client name
* feat(oauth-client-browser:example): add token info introspection
* feat(oauth-client-browser:example): allow defining scope globally
* Display requested scopes during the auth flow
* Add, and verify, a "typ" header to access and refresh tokens
* Ignore case when checking for dpop auth scheme
* Add "jwtAlg" option to verifySignature() function
* Verify service JWT header values. Add iat claim to service JWT
* Add support for "transition:generic" and "transition:chat.bsky" oauth scopes in PDS
* oauth-client-browser(example): add scope request
* Add missing "atproto" scope
* Allow missing 'typ' claim in service auth jwt
* Improved 401 feedback
Co-authored-by: devin ivy <devinivy@gmail.com>
* Properly parse scopes upon verification
Co-authored-by: devin ivy <devinivy@gmail.com>
* Rename "atp" to "credential" auth in oauth-client-browser example
* add key to iteration items
* Make CORS protection stronger
* Allow OAuthProvider to define its own CORS policies
* Revert "Allow missing 'typ' claim in service auth jwt"
This reverts commit 15c6b9e2197064eb5de61a96de6497060edb824e.
* Revert "Verify service JWT header values. Add iat claim to service JWT"
This reverts commit 08df8df322a3f4b631c4a63a61d55b2c84c60c11.
* Revert "Add "jwtAlg" option to verifySignature() function"
This reverts commit d0f77354e6904678e7f5d76bb026f07537443ba9.
* Revert "Add, and verify, a "typ" header to access and refresh tokens"
This reverts commit 3e21be9e4b5875caa5e862c11f2196786fb2366d.
* pds: implement protected service auth methods
* Prevent app password management using sessions initiated from an app password.
* Alphabetically sort PROTECTED_METHODS
* Revert changes to app password management permissions
* tidy
---------
Co-authored-by: devin ivy <devinivy@gmail.com>