
#oauth #json-web-key #atprotocol

bin+lib atproto-oauth

OAuth workflow implementation for AT Protocol - PKCE, DPoP, and secure authentication flows

21 releases (9 breaking)

Uses new Rust 2024

new 0.13.0 Sep 22, 2025
0.11.3 Sep 3, 2025
0.10.0 Jul 28, 2025

#903 in Command line utilities


683 downloads per month
Used in 5 crates

MIT license

535KB
8K SLoC

atproto-oauth

OAuth 2.0 implementation for AT Protocol.

Overview

Comprehensive OAuth support with DPoP, PKCE, JWT operations, and secure storage abstractions for AT Protocol authentication.

Features

  • JWT operations: Token minting, verification, and validation with ES256/ES384/ES256K support
  • JWK management: JSON Web Key generation and conversion for P-256, P-384, and K-256 curves
  • PKCE implementation: RFC 7636 compliant Proof Key for Code Exchange for secure authorization flows
  • DPoP support: RFC 9449 compliant Demonstration of Proof-of-Possession with automatic retry middleware
  • OAuth discovery: Resource discovery and validation using RFC 8414 well-known endpoints
  • Storage abstractions: Pluggable storage with LRU cache implementation for OAuth requests
  • Base64 encoding: URL-safe base64 encoding/decoding utilities for JWT operations

CLI Tools

The following command-line tool is available when built with the clap feature:

  • atproto-oauth-service-token: OAuth service token management tool for AT Protocol authentication workflows

Usage

JWT Operations

use atproto_oauth::jwt::{mint, verify, Header, Claims, JoseClaims};
use atproto_identity::key::identify_key;

let key_data = identify_key("did:key:zQ3sh...")?;

let header = Header {
    algorithm: Some("ES256".to_string()),
    type_: Some("JWT".to_string()),
    ..Default::default()
};

let claims = Claims::new(JoseClaims {
    issuer: Some("did:plc:issuer123".to_string()),
    subject: Some("did:plc:subject456".to_string()),
    audience: Some("https://pds.example.com".to_string()),
    expiration: Some(chrono::Utc::now().timestamp() as u64 + 3600),
    ..Default::default()
});

let token = mint(&key_data, &header, &claims)?;
verify(&key_data, &token).await?;

PKCE Flow

use atproto_oauth::pkce;

let (code_verifier, code_challenge) = pkce::generate();
// Use code_challenge in authorization URL
// Later use code_verifier for token exchange

DPoP Proofs

use atproto_oauth::dpop::{auth_dpop, request_dpop};

let (dpop_token, header, claims) = auth_dpop(
    &key_data,
    "POST",
    "https://auth.example.com/oauth/token"
)?;
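The checks a server applies to the claims of a proof like the one auth_dpop mints, and the nonce retry the README's middleware refers to, as an added example that is not the crate's own code. Signature verification against the header's jwk and the ath binding to an access token are assumed to be done by the crypto layer and are not modelled; the struct and function names, the nonce value and the timestamps are constructed.

```rust
// Added example, not atproto-oauth's own code: RFC 9449 §4.3 claim checks on a
// DPoP proof (htm, htu, iat window, jti replay, nonce) plus the client-side
// use_dpop_nonce retry. JWT signing/verification is assumed to happen elsewhere.
use std::collections::HashSet;

/// Claims carried in a DPoP proof JWT (RFC 9449 §4.2).
#[derive(Clone, Debug)]
pub struct DpopProof {
    pub htm: String,           // HTTP method of the request
    pub htu: String,           // target URI without query and fragment
    pub iat: u64,              // issued-at, seconds since the epoch
    pub jti: String,           // unique proof id, used for replay detection
    pub nonce: Option<String>, // server-provided nonce, if one was issued
}

#[derive(Debug, PartialEq)]
pub enum DpopError {
    MethodMismatch,
    UriMismatch,
    StaleProof,
    Replay,
    /// Server wants a fresh proof carrying the nonce it supplies.
    UseDpopNonce(String),
}

/// htu is compared without query and fragment (RFC 9449 §4.3).
pub fn canonical_htu(uri: &str) -> String {
    let end = uri.find(|c: char| c == '?' || c == '#').unwrap_or(uri.len());
    uri[..end].to_string()
}

/// Resource/authorization server side of the check.
pub struct DpopValidator {
    max_skew_secs: u64,
    required_nonce: Option<String>,
    seen_jti: HashSet<String>, // bounded by the iat window in a real deployment
}

impl DpopValidator {
    pub fn new(max_skew_secs: u64, required_nonce: Option<&str>) -> Self {
        DpopValidator { max_skew_secs, required_nonce: required_nonce.map(str::to_string), seen_jti: HashSet::new() }
    }

    pub fn validate(&mut self, p: &DpopProof, method: &str, uri: &str, now: u64) -> Result<(), DpopError> {
        if p.htm != method { return Err(DpopError::MethodMismatch); }
        if canonical_htu(&p.htu) != canonical_htu(uri) { return Err(DpopError::UriMismatch); }
        if p.iat.abs_diff(now) > self.max_skew_secs { return Err(DpopError::StaleProof); }
        if let Some(n) = &self.required_nonce {
            if p.nonce.as_deref() != Some(n.as_str()) { return Err(DpopError::UseDpopNonce(n.clone())); }
        }
        // Record the jti; a second proof with the same id is a replay.
        if !self.seen_jti.insert(p.jti.clone()) { return Err(DpopError::Replay); }
        Ok(())
    }
}

/// Client side: mints proofs and retries once when told to use a nonce.
pub struct DpopClient {
    nonce: Option<String>,
    next_jti: u64, // constructed counter; a real client uses random jti values
}

impl DpopClient {
    pub fn new() -> Self { DpopClient { nonce: None, next_jti: 0 } }

    pub fn proof(&mut self, method: &str, uri: &str, now: u64) -> DpopProof {
        self.next_jti += 1;
        DpopProof { htm: method.to_string(), htu: canonical_htu(uri), iat: now,
                    jti: format!("jti-{}", self.next_jti), nonce: self.nonce.clone() }
    }

    /// Sends a proof through `send`; on UseDpopNonce it stores the nonce and
    /// retries exactly once. Returns the number of attempts on success.
    pub fn send_with_retry<F>(&mut self, method: &str, uri: &str, now: u64, mut send: F) -> Result<u32, DpopError>
    where F: FnMut(&DpopProof) -> Result<(), DpopError> {
        let first = self.proof(method, uri, now);
        match send(&first) {
            Ok(()) => Ok(1),
            Err(DpopError::UseDpopNonce(n)) => {
                self.nonce = Some(n);
                let second = self.proof(method, uri, now);
                send(&second).map(|_| 2)
            }
            Err(e) => Err(e),
        }
    }
}

/// Both sides together: the server demands the constructed nonce "srv-nonce-1",
/// bounces the first proof, and accepts the retry.
pub fn simulate_nonce_retry() -> Result<u32, DpopError> {
    let mut server = DpopValidator::new(60, Some("srv-nonce-1"));
    let mut client = DpopClient::new();
    let uri = "https://auth.example.com/oauth/token";
    client.send_with_retry("POST", uri, 1_700_000_000, |p| server.validate(p, "POST", uri, 1_700_000_000))
}

fn main() {
    match simulate_nonce_retry() {
        Ok(n) => println!("accepted after {n} attempt(s)"),
        Err(e) => println!("rejected: {e:?}"),
    }
}
```

The retry is capped at one attempt so a misbehaving server cannot keep a client looping; the jti set is what turns a captured proof into a one-time token, and the iat window bounds how long that set has to be kept.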

OAuth Discovery

use atproto_oauth::resources::{discover_protected_resource, discover_authorization_server};

let protected_resource = discover_protected_resource(&client, pds_url).await?;
let auth_server = discover_authorization_server(&client, auth_server_url).await?;

License

MIT License

Dependencies

~14–29MB
~441K SLoC