src/oauth/endpoints/metadata.rs at 17e3fd87788390e445b4a8a8673656ce14b8984e · lewis.moe/bspds-sandbox

lewis.moe / bspds-sandbox
this repo has no description
bspds-sandbox / src / oauth / endpoints / metadata.rs
at 17e3fd87788390e445b4a8a8673656ce14b8984e 7.3 kB view raw
  1use crate::oauth::jwks::{JwkSet, create_jwk_set};
  2use crate::state::AppState;
  3use axum::{Json, extract::State};
  4use serde::{Deserialize, Serialize};
  5
  6#[derive(Debug, Serialize, Deserialize)]
  7pub struct ProtectedResourceMetadata {
  8    pub resource: String,
  9    pub authorization_servers: Vec<String>,
 10    pub bearer_methods_supported: Vec<String>,
 11    pub scopes_supported: Vec<String>,
 12    #[serde(skip_serializing_if = "Option::is_none")]
 13    pub resource_documentation: Option<String>,
 14}
 15
 16#[derive(Debug, Serialize, Deserialize)]
 17pub struct AuthorizationServerMetadata {
 18    pub issuer: String,
 19    pub authorization_endpoint: String,
 20    pub token_endpoint: String,
 21    pub jwks_uri: String,
 22    #[serde(skip_serializing_if = "Option::is_none")]
 23    pub registration_endpoint: Option<String>,
 24    #[serde(skip_serializing_if = "Option::is_none")]
 25    pub scopes_supported: Option<Vec<String>>,
 26    pub response_types_supported: Vec<String>,
 27    #[serde(skip_serializing_if = "Option::is_none")]
 28    pub response_modes_supported: Option<Vec<String>>,
 29    #[serde(skip_serializing_if = "Option::is_none")]
 30    pub grant_types_supported: Option<Vec<String>>,
 31    #[serde(skip_serializing_if = "Option::is_none")]
 32    pub token_endpoint_auth_methods_supported: Option<Vec<String>>,
 33    #[serde(skip_serializing_if = "Option::is_none")]
 34    pub token_endpoint_auth_signing_alg_values_supported: Option<Vec<String>>,
 35    #[serde(skip_serializing_if = "Option::is_none")]
 36    pub code_challenge_methods_supported: Option<Vec<String>>,
 37    #[serde(skip_serializing_if = "Option::is_none")]
 38    pub pushed_authorization_request_endpoint: Option<String>,
 39    #[serde(skip_serializing_if = "Option::is_none")]
 40    pub require_pushed_authorization_requests: Option<bool>,
 41    #[serde(skip_serializing_if = "Option::is_none")]
 42    pub dpop_signing_alg_values_supported: Option<Vec<String>>,
 43    #[serde(skip_serializing_if = "Option::is_none")]
 44    pub authorization_response_iss_parameter_supported: Option<bool>,
 45    #[serde(skip_serializing_if = "Option::is_none")]
 46    pub revocation_endpoint: Option<String>,
 47    #[serde(skip_serializing_if = "Option::is_none")]
 48    pub introspection_endpoint: Option<String>,
 49    #[serde(skip_serializing_if = "Option::is_none")]
 50    pub client_id_metadata_document_supported: Option<bool>,
 51}
 52
 53pub async fn oauth_protected_resource(
 54    State(_state): State<AppState>,
 55) -> Json<ProtectedResourceMetadata> {
 56    let pds_hostname = std::env::var("PDS_HOSTNAME").unwrap_or_else(|_| "localhost".to_string());
 57    let public_url = format!("https://{}", pds_hostname);
 58    Json(ProtectedResourceMetadata {
 59        resource: public_url.clone(),
 60        authorization_servers: vec![public_url],
 61        bearer_methods_supported: vec!["header".to_string()],
 62        scopes_supported: vec![],
 63        resource_documentation: Some("https://atproto.com".to_string()),
 64    })
 65}
 66
 67pub async fn oauth_authorization_server(
 68    State(_state): State<AppState>,
 69) -> Json<AuthorizationServerMetadata> {
 70    let pds_hostname = std::env::var("PDS_HOSTNAME").unwrap_or_else(|_| "localhost".to_string());
 71    let issuer = format!("https://{}", pds_hostname);
 72    Json(AuthorizationServerMetadata {
 73        issuer: issuer.clone(),
 74        authorization_endpoint: format!("{}/oauth/authorize", issuer),
 75        token_endpoint: format!("{}/oauth/token", issuer),
 76        jwks_uri: format!("{}/oauth/jwks", issuer),
 77        registration_endpoint: None,
 78        scopes_supported: Some(vec![
 79            "atproto".to_string(),
 80            "transition:generic".to_string(),
 81            "transition:chat.bsky".to_string(),
 82            "repo:*".to_string(),
 83            "repo:*?action=create".to_string(),
 84            "repo:*?action=read".to_string(),
 85            "repo:*?action=update".to_string(),
 86            "repo:*?action=delete".to_string(),
 87            "blob:*/*".to_string(),
 88            "rpc:*".to_string(),
 89            "account:*".to_string(),
 90            "account:*?action=read".to_string(),
 91            "account:*?action=write".to_string(),
 92            "identity:*".to_string(),
 93        ]),
 94        response_types_supported: vec!["code".to_string()],
 95        response_modes_supported: Some(vec!["query".to_string(), "fragment".to_string()]),
 96        grant_types_supported: Some(vec![
 97            "authorization_code".to_string(),
 98            "refresh_token".to_string(),
 99        ]),
100        token_endpoint_auth_methods_supported: Some(vec![
101            "none".to_string(),
102            "private_key_jwt".to_string(),
103        ]),
104        token_endpoint_auth_signing_alg_values_supported: Some(vec![
105            "ES256".to_string(),
106            "ES384".to_string(),
107            "ES512".to_string(),
108            "EdDSA".to_string(),
109        ]),
110        code_challenge_methods_supported: Some(vec!["S256".to_string()]),
111        pushed_authorization_request_endpoint: Some(format!("{}/oauth/par", issuer)),
112        require_pushed_authorization_requests: Some(true),
113        dpop_signing_alg_values_supported: Some(vec![
114            "ES256".to_string(),
115            "ES384".to_string(),
116            "ES512".to_string(),
117            "EdDSA".to_string(),
118        ]),
119        authorization_response_iss_parameter_supported: Some(true),
120        revocation_endpoint: Some(format!("{}/oauth/revoke", issuer)),
121        introspection_endpoint: Some(format!("{}/oauth/introspect", issuer)),
122        client_id_metadata_document_supported: Some(true),
123    })
124}
125
126pub async fn oauth_jwks(State(_state): State<AppState>) -> Json<JwkSet> {
127    use crate::config::AuthConfig;
128    use crate::oauth::jwks::Jwk;
129    let config = AuthConfig::get();
130    let server_key = Jwk {
131        kty: "EC".to_string(),
132        key_use: Some("sig".to_string()),
133        kid: Some(config.signing_key_id.clone()),
134        alg: Some("ES256".to_string()),
135        crv: Some("P-256".to_string()),
136        x: Some(config.signing_key_x.clone()),
137        y: Some(config.signing_key_y.clone()),
138    };
139    Json(create_jwk_set(vec![server_key]))
140}
141
142#[derive(Debug, Serialize, Deserialize)]
143pub struct FrontendClientMetadata {
144    pub client_id: String,
145    pub client_name: String,
146    pub client_uri: String,
147    pub redirect_uris: Vec<String>,
148    pub grant_types: Vec<String>,
149    pub response_types: Vec<String>,
150    pub scope: String,
151    pub token_endpoint_auth_method: String,
152    pub application_type: String,
153    pub dpop_bound_access_tokens: bool,
154}
155
156pub async fn frontend_client_metadata(
157    State(_state): State<AppState>,
158) -> Json<FrontendClientMetadata> {
159    let pds_hostname = std::env::var("PDS_HOSTNAME").unwrap_or_else(|_| "localhost".to_string());
160    let base_url = format!("https://{}", pds_hostname);
161    let client_id = format!("{}/oauth/client-metadata.json", base_url);
162    Json(FrontendClientMetadata {
163        client_id,
164        client_name: "PDS Account Manager".to_string(),
165        client_uri: base_url.clone(),
166        redirect_uris: vec![format!("{}/", base_url)],
167        grant_types: vec![
168            "authorization_code".to_string(),
169            "refresh_token".to_string(),
170        ],
171        response_types: vec!["code".to_string()],
172        scope: "atproto transition:generic".to_string(),
173        token_endpoint_auth_method: "none".to_string(),
174        application_type: "web".to_string(),
175        dpop_bound_access_tokens: false,
176    })
177}