CLI app for developers prototyping atproto functionality

Serve full atproto-required AS metadata field set

The fake AS's `/.well-known/oauth-authorization-server` document
was an RFC 8414–minimal subset, but the atproto OAuth profile
pins a much larger field set as mandatory. Conformant client
libraries validate the full set and reject any document missing
fields such as `client_id_metadata_document_supported`,
`authorization_response_iss_parameter_supported`, or
`subject_types_supported` — which surfaced as a generic
"Failed to resolve OAuth server metadata for issuer" error in
public clients pointed at the fake AS.

The served document now declares every field the atproto OAuth
spec requires, per
<https://atproto.com/specs/oauth#authorization-server>.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

+20 -3
+20 -3
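--- a/src/commands/test/oauth/client/fake_as/identity.rs
+++ b/src/commands/test/oauth/client/fake_as/identity.rs
@@ -84,20 +84,37 @@
 "resource": base_no_slash,
 "authorization_servers": [base_no_slash],
 });
+// The atproto OAuth profile pins a number of RFC 8414 fields
+// beyond what's strictly needed for a vanilla OAuth flow.
+// Atproto-conformant client libraries validate the AS metadata
+// document against this full set and reject any document that
+// omits fields like `client_id_metadata_document_supported` or
+// `authorization_response_iss_parameter_supported`. See
+// <https://atproto.com/specs/oauth#authorization-server>.
 let as_metadata = json!({
 "issuer": base_no_slash,
 "authorization_endpoint": authorize_endpoint,
 "token_endpoint": token_endpoint,
 "pushed_authorization_request_endpoint": par_endpoint,
 "scopes_supported": ["atproto"],
+"subject_types_supported": ["public"],
 "response_types_supported": ["code"],
-"response_modes_supported": ["query"],
+"response_modes_supported": ["query", "fragment"],
 "grant_types_supported": ["authorization_code", "refresh_token"],
+"code_challenge_methods_supported": ["S256"],
 "token_endpoint_auth_methods_supported": ["none", "private_key_jwt"],
 "token_endpoint_auth_signing_alg_values_supported": ["ES256"],
-"code_challenge_methods_supported": ["S256"],
+"request_object_signing_alg_values_supported": ["ES256"],
+"display_values_supported": ["page"],
+"request_object_encryption_alg_values_supported": [],
+"request_object_encryption_enc_values_supported": [],
+"request_parameter_supported": true,
+"request_uri_parameter_supported": true,
+"require_request_uri_registration": true,
+"require_pushed_authorization_requests": true,
 "dpop_signing_alg_values_supported": ["ES256"],
-"require_pushed_authorization_requests": true,
+"authorization_response_iss_parameter_supported": true,
+"client_id_metadata_document_supported": true,
 });
 
 Self {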
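Review bot: The expanded `as_metadata` document now advertises capabilities (`"authorization_response_iss_parameter_supported": true`, `"fragment"` in `response_modes_supported`, and `request_parameter_supported` / `request_uri_parameter_supported` set to `true`) that nothing in this hunk shows the fake AS actually implementing. A client that trusts the document will act on it: with the `iss` flag set, a conformant client is expected to require an `iss` parameter on the authorization redirect as its mix-up defence, so a handler that omits it turns the earlier metadata error into a callback rejection. The authorize and PAR handlers are presumably elsewhere in the file and should be checked against each new field. Where a capability is not implemented, advertise the narrower value, e.g. keep `"response_modes_supported": ["query"],`. I would also add `// Every capability advertised here must be implemented by the fake AS handlers; do not list a value only to pass client validation.` above the `json!` call, whose enclosing function starts and ends outside the hunk.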