+2 -2

atproto/auth/oauth/oauth.go

reviewed

··· 163 163 ResponseTypes: []string{"code"}, 164 164 RedirectURIs: []string{config.CallbackURL}, 165 165 DpopBoundAccessTokens: true, 166 166 - TokenEndpointAuthMethod: strPtr("none"), 166 166 + TokenEndpointAuthMethod: "none", 167 167 } 168 168 if config.IsConfidential() { 169 169 - m.TokenEndpointAuthMethod = strPtr("private_key_jwt") 169 169 + m.TokenEndpointAuthMethod = "private_key_jwt" 170 170 // NOTE: the key type is always ES256 171 171 m.TokenEndpointAuthSigningAlg = strPtr("ES256") 172 172

+4 -4

atproto/auth/oauth/types.go

reviewed

··· 48 48 // At least one redirect URI is required. 49 49 RedirectURIs []string `json:"redirect_uris"` 50 50 51 51 - // confidential clients must set this to `private_key_jwt`; public must be `none` 52 52 - // TODO: should this be string not *string? 53 53 - TokenEndpointAuthMethod *string `json:"token_endpoint_auth_method,omitempty"` 51 51 + // Confidential clients must set this to `private_key_jwt`; public must be `none`. 52 52 + // In some sense this field is "optional" (including in atproto OAuth specs), but it is effectively required, because the default value is invalid for atproto OAuth. 53 53 + TokenEndpointAuthMethod string `json:"token_endpoint_auth_method"` 54 54 55 55 // `none` is never allowed here. The current recommended and most-supported algorithm is ES256, but this may evolve over time. 56 56 TokenEndpointAuthSigningAlg *string `json:"token_endpoint_auth_signing_alg,omitempty"` ··· 82 82 83 83 // returns 'true' if client metadata indicates that this is a confidential client 84 84 func (m *ClientMetadata) IsConfidential() bool { 85 85 - if (m.JWKSUri != nil || (m.JWKS != nil && len(m.JWKS.Keys) > 0)) && (m.TokenEndpointAuthMethod != nil && *m.TokenEndpointAuthMethod == "private_key_jwt") { 85 85 + if (m.JWKSUri != nil || (m.JWKS != nil && len(m.JWKS.Keys) > 0)) && m.TokenEndpointAuthMethod == "private_key_jwt" { 86 86 return true 87 87 } 88 88