OAuth spec alignment (bluesky-social#2755)

* Improve reporting of metadata validation error * Properly validate client metadata scope * Allow loopback clients to define their scopes through client_id query parameters * Require definition of "scope" in client metadata document * Restrict the value used as code_challenge_methods_supported * Remove `plain` from `code_challenge_methods_supported` * Prevent use of empty string in unsupported oidc request parameters * Centralize parsing of client metadata error * Enfore code_challenge_method=S256 request parameter * Improve error description in case of invalid loopback client_id * Enfore single scope query param in loopback clients * Disable request params scopes defaulting to client metadata scope * Centralize loopback client validation logic * add assertion utils for client ids * Improve invalid client_id error messages from BrowserOAuthClient.from() * Use scope from client metadata as default value * Improve client side validation of client metadata * Allow fetching of source maps files from browser debugger * Use the clientId to configure the OAuth client * Allow native clients to use https: redirect uris * Explicitely forbid MTLS client auth method * Improve error feedback in case of invalid client_id domain name * Remove un-spec'ed restrictions on redirect_uris based on the client_uri * Do not strip query string from URL after oauth redirect in fragment mode * Add missing "expires_in" property to OAuthParResponse type definition * Allow non canonical urls to be used as client ID * Allow client metadata to contain other return type values than "code" * Properly validate request_uri request parameter * Improve parsing and validation of client_id's * Return "invalid_client" on invalid client credentials * improved error management & reporting * performance improvement * Allow loopback client ids to omit the (empty) path parameter Co-authored-by: devin ivy <[email protected]>
rcombs · Sep 26, 2024 · ed325d8 · ed325d8
1 parent 87a1f24
commit ed325d8
Show file tree

Hide file tree

Showing 102 changed files with 1,768 additions and 1,176 deletions.
diff --git a/.changeset/big-rules-decide.md b/.changeset/big-rules-decide.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-provider": patch
+---
+
+Disable request params scopes defaulting to client metadata scopes. Requires that client always provide a "scope" parameter when initiating an oauth flow.
diff --git a/.changeset/calm-planets-rescue.md b/.changeset/calm-planets-rescue.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-types": patch
+---
+
+Properly validate client metadata scope
diff --git a/.changeset/chatty-adults-sparkle.md b/.changeset/chatty-adults-sparkle.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-types": patch
+---
+
+Allow ClientID query params to end with a slash "/" char
diff --git a/.changeset/curly-maps-crash.md b/.changeset/curly-maps-crash.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-provider": patch
+---
+
+Remove "plain" from code_challenge_methods_supported
diff --git a/.changeset/curly-tomatoes-listen.md b/.changeset/curly-tomatoes-listen.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-client-browser": patch
+---
+
+Improve invalid client_id error messages from BrowserOAuthClient.from()
diff --git a/.changeset/cyan-pandas-judge.md b/.changeset/cyan-pandas-judge.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-provider": patch
+---
+
+Require definition of "scope" in client metadata document
diff --git a/.changeset/fair-hornets-raise.md b/.changeset/fair-hornets-raise.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-provider": patch
+---
+
+Improve reporting of metadata validation error
diff --git a/.changeset/famous-items-build.md b/.changeset/famous-items-build.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-types": patch
+---
+
+Expose OAuthScope
diff --git a/.changeset/four-crews-wash.md b/.changeset/four-crews-wash.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-client": patch
+---
+
+Improve client side validation of client metadata
diff --git a/.changeset/friendly-suits-lay.md b/.changeset/friendly-suits-lay.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-client-browser": patch
+---
+
+Do not strip query string from URL after oauth redirect in fragment mode
diff --git a/.changeset/giant-ladybugs-deliver.md b/.changeset/giant-ladybugs-deliver.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-types": patch
+---
+
+add assertion utils for client ids
diff --git a/.changeset/gold-taxis-fail.md b/.changeset/gold-taxis-fail.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-provider": patch
+---
+
+Properly validate request_uri request parameter
diff --git a/.changeset/gorgeous-hounds-rule.md b/.changeset/gorgeous-hounds-rule.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-types": patch
+---
+
+Allow loopback client ids to omit the (empty) path parameter
diff --git a/.changeset/great-news-shout.md b/.changeset/great-news-shout.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-types": patch
+---
+
+Enforce ClientID URL path to be normalized
diff --git a/.changeset/late-wolves-itch.md b/.changeset/late-wolves-itch.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-provider": patch
+---
+
+Enforce code_challenge_method=S256 request parameter
diff --git a/.changeset/mighty-keys-grow.md b/.changeset/mighty-keys-grow.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-types": patch
+---
+
+Rename OAuthAuthenticationRequestParameters to OAuthAuthorizationRequestParameters
diff --git a/.changeset/odd-moons-collect.md b/.changeset/odd-moons-collect.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-client": patch
+---
+
+Use scope from client metadata as default value
diff --git a/.changeset/purple-penguins-kiss.md b/.changeset/purple-penguins-kiss.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-provider": patch
+---
+
+Explicitely forbid MTLS client auth method
diff --git a/.changeset/quick-eels-listen.md b/.changeset/quick-eels-listen.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-types": patch
+---
+
+Restrict the value used as code_challenge_methods_supported
diff --git a/.changeset/quick-singers-pretend.md b/.changeset/quick-singers-pretend.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-provider": patch
+---
+
+Return "invalid_client" on invalid client credentials
diff --git a/.changeset/rude-apes-lay.md b/.changeset/rude-apes-lay.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-provider": patch
+---
+
+Prevent use of empty string in unsupported oidc request parameters
diff --git a/.changeset/shy-balloons-watch.md b/.changeset/shy-balloons-watch.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-types": patch
+---
+
+Add missing "expires_in" property to OAuthParResponse type definition
diff --git a/.changeset/silly-sloths-mate.md b/.changeset/silly-sloths-mate.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-provider": patch
+---
+
+Allow fetching of source maps files from browser debugger
diff --git a/.changeset/smart-houses-battle.md b/.changeset/smart-houses-battle.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-types": patch
+---
+
+Allow loopback clients to define their scopes through the "scope" client_id query parameter.
diff --git a/.changeset/sweet-dodos-talk.md b/.changeset/sweet-dodos-talk.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-types": patch
+---
+
+Improve error description in case of invalid loopback client_id
diff --git a/.changeset/tasty-singers-matter.md b/.changeset/tasty-singers-matter.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-provider": patch
+---
+
+Allow native clients to use https: redirect uris
diff --git a/.changeset/three-elephants-call.md b/.changeset/three-elephants-call.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-provider": patch
+---
+
+Allow client metadata to contain other values than "code"
diff --git a/.changeset/yellow-ants-vanish.md b/.changeset/yellow-ants-vanish.md
@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-client-browser": patch
+---
+
+Relax type restriction on clientId option
diff --git a/packages/oauth/oauth-client-browser/example/src/app.tsx b/packages/oauth/oauth-client-browser/example/src/app.tsx
@@ -3,7 +3,7 @@ import { useAuthContext } from './auth/auth-provider'
 import { OAuthSession } from '@atproto/oauth-client'
 
 function App() {
-  const { pdsAgent, signOut } = useAuthContext()
+  const { pdsAgent, signOut, refresh } = useAuthContext()
 
   const hasTokenInfo = pdsAgent.sessionManager instanceof OAuthSession
 
@@ -69,6 +69,8 @@ function App() {
         </pre>
       </code>
 
+      <button onClick={refresh}>Refresh tokens</button>
+      <br />
       <button onClick={signOut}>Sign-out</button>
     </div>
   )

diff --git a/packages/oauth/oauth-client-browser/example/src/auth/auth-provider.tsx b/packages/oauth/oauth-client-browser/example/src/auth/auth-provider.tsx
@@ -10,6 +10,7 @@ import { useOAuth, UseOAuthOptions } from './oauth/use-oauth'
 export type AuthContext = {
   pdsAgent: Agent
   signOut: () => void
+  refresh: () => void
 }
 
 const AuthContext = createContext<AuthContext | null>(null)
@@ -27,23 +28,42 @@ export const AuthProvider = ({
     agent: oauthAgent,
     signIn: oauthSignIn,
     signOut: oauthSignOut,
+    refresh: oauthRefresh,
   } = useOAuth(options)
 
   const {
     agent: credentialAgent,
     signIn: credentialSignIn,
     signOut: credentialSignOut,
+    refresh: credentialRefresh,
   } = useCredentialAuth()
 
-  const value = useMemo<AuthContext | null>(
-    () =>
-      oauthAgent
-        ? { pdsAgent: oauthAgent, signOut: oauthSignOut }
-        : credentialAgent
-          ? { pdsAgent: credentialAgent, signOut: credentialSignOut }
-          : null,
-    [oauthAgent, oauthSignOut, credentialAgent, credentialSignOut],
-  )
+  const value = useMemo<AuthContext | null>(() => {
+    if (oauthAgent) {
+      return {
+        pdsAgent: oauthAgent,
+        signOut: oauthSignOut,
+        refresh: oauthRefresh,
+      }
+    }
+
+    if (credentialAgent) {
+      return {
+        pdsAgent: credentialAgent,
+        signOut: credentialSignOut,
+        refresh: credentialRefresh,
+      }
+    }
+
+    return null
+  }, [
+    oauthAgent,
+    oauthSignOut,
+    credentialAgent,
+    credentialSignOut,
+    oauthRefresh,
+    credentialRefresh,
+  ])
 
   if (isLoginPopup) {
     return <div>This window can be closed</div>

diff --git a/packages/oauth/oauth-client-browser/example/src/auth/credential/use-credential-auth.ts b/packages/oauth/oauth-client-browser/example/src/auth/credential/use-credential-auth.ts
@@ -48,7 +48,12 @@ export function useCredentialAuth() {
   )
 
   return useMemo(
-    () => ({ agent, signIn, signOut: () => agent?.logout() }),
+    () => ({
+      agent,
+      signIn,
+      signOut: () => agent?.logout(),
+      refresh: () => agent?.sessionManager.refreshSession(),
+    }),
     [signIn, agent],
   )
 }