this repo has no description
only P-256 private keys for OAuth
+24
-24
+3
-1
atproto/auth/oauth/cmd/oauth-web-demo/main.go
+3
-1
atproto/auth/oauth/cmd/oauth-web-demo/main.go
···
108
108
if err != nil {
109
109
return err
110
110
}
111
-
config.AddClientSecret(priv, cctx.String("client-secret-key-id"))
111
+
if err := config.AddClientSecret(priv, cctx.String("client-secret-key-id")); err != nil {
112
+
return err
113
+
}
112
114
slog.Info("configuring confidential OAuth client")
113
115
}
114
116
+3
-1
atproto/auth/oauth/doc.go
+3
-1
atproto/auth/oauth/doc.go
+5
-20
atproto/auth/oauth/jwt_signing.go
+5
-20
atproto/auth/oauth/jwt_signing.go
···
8
8
"github.com/golang-jwt/jwt/v5"
9
9
)
10
10
11
-
// TODO: this is just copied from indigo:atproto/auth/jwt_signing.go
12
-
// Need to decide whether to make this a public interface or what... a bit worried about import loops. Maybe part of crypto package?
11
+
// NOTE: this file is copied from indigo:atproto/auth/jwt_signing.go, with the K-256 (ES256) support removed
13
12
14
13
var (
15
-
signingMethodES256K *signingMethodAtproto
16
-
signingMethodES256 *signingMethodAtproto
17
-
supportedAlgs []string
14
+
signingMethodES256 *signingMethodAtproto
15
+
supportedAlgs []string
18
16
)
19
17
20
18
// Implementation of jwt.SigningMethod for the `atproto/crypto` types.
···
31
29
// tells JWT library to serialize 'aud' as regular string, not array of strings (when signing)
32
30
jwt.MarshalSingleStringAsArray = false
33
31
34
-
signingMethodES256K = &signingMethodAtproto{
35
-
alg: "ES256K",
36
-
hash: crypto.SHA256,
37
-
toOutSig: toES256K,
38
-
sigLen: 64,
39
-
}
40
-
jwt.RegisterSigningMethod(signingMethodES256K.Alg(), func() jwt.SigningMethod {
41
-
return signingMethodES256K
42
-
})
43
32
signingMethodES256 = &signingMethodAtproto{
44
33
alg: "ES256",
45
34
hash: crypto.SHA256,
···
49
38
jwt.RegisterSigningMethod(signingMethodES256.Alg(), func() jwt.SigningMethod {
50
39
return signingMethodES256
51
40
})
52
-
supportedAlgs = []string{signingMethodES256K.Alg(), signingMethodES256.Alg()}
41
+
supportedAlgs = []string{signingMethodES256.Alg()}
53
42
}
54
43
55
44
func (sm *signingMethodAtproto) Verify(signingString string, sig []byte, key interface{}) error {
···
83
72
return sm.alg
84
73
}
85
74
86
-
func toES256K(sig []byte) []byte {
87
-
return sig[:64]
88
-
}
89
-
90
75
func toES256(sig []byte) []byte {
91
76
return sig[:64]
92
77
}
···
96
81
case *atcrypto.PrivateKeyP256:
97
82
return signingMethodES256, nil
98
83
case *atcrypto.PrivateKeyK256:
99
-
return signingMethodES256K, nil
84
+
return nil, fmt.Errorf("only P-256 (ES256) private keys supported for atproto OAuth")
100
85
}
101
86
return nil, fmt.Errorf("unknown key type: %T", key)
102
87
}
+13
-2
atproto/auth/oauth/oauth.go
+13
-2
atproto/auth/oauth/oauth.go
···
87
87
return config.PrivateKey != nil && config.KeyID != nil
88
88
}
89
89
90
-
func (config *ClientConfig) AddClientSecret(priv crypto.PrivateKey, keyID string) {
90
+
func (config *ClientConfig) AddClientSecret(priv crypto.PrivateKey, keyID string) error {
91
+
switch priv.(type) {
92
+
case *crypto.PrivateKeyP256:
93
+
// pass
94
+
case *crypto.PrivateKeyK256:
95
+
return fmt.Errorf("only P-256 (ES256) private keys supported for atproto OAuth")
96
+
default:
97
+
return fmt.Errorf("unknown private key type: %T", priv)
98
+
}
91
99
config.PrivateKey = priv
92
100
config.KeyID = &keyID
101
+
return nil
93
102
}
94
103
95
104
// Returns a "JWKS" representation of public keys for the client. This can be returned as JSON, as part of client metadata.
···
142
151
}
143
152
if config.IsConfidential() {
144
153
m.TokenEndpointAuthMethod = strPtr("private_key_jwt")
145
-
m.TokenEndpointAuthSigningAlg = strPtr("ES256") // XXX
154
+
// NOTE: the key type is always ES256
155
+
m.TokenEndpointAuthSigningAlg = strPtr("ES256")
156
+
146
157
// TODO: need to include 'use' or 'key_ops' for JWKS in the client metadata doc?
147
158
//jwks := config.PublicJWKS()
148
159
//m.JWKS = &jwks