AtOAuth

class AtOAuth(clientMetadataUrl: String, sessionStore: OAuthSessionStore, httpClient: HttpClient, json: Json = Json { ignoreUnknownKeys = true })

AT Protocol OAuth 2.0 flow orchestrator for public clients.

Implements the full authorization flow: identity resolution (handle → DID → PDS → authorization server discovery), a pushed authorization request (PAR) with PKCE and DPoP, browser-based authorization, token exchange, and session management with transparent token refresh.

Consumer usage

val oauth = AtOAuth(
    clientMetadataUrl = "https://app.example.com/oauth/client-metadata.json",
    sessionStore = mySessionStore,
    httpClient = myKtorClient,
)

// Step 1: get the authorization URL
val authUrl = oauth.beginLogin("alice.bsky.social")
// Step 2: open authUrl in a browser (Custom Tabs on Android)
// Step 3: capture the redirect URI
oauth.completeLogin(redirectUri)
// Step 4: use the authenticated client
val client = oauth.createClient()
FeedService(client).getTimeline()

Constructors

constructor(clientMetadataUrl: String, sessionStore: OAuthSessionStore, httpClient: HttpClient, json: Json = Json { ignoreUnknownKeys = true })

Functions

suspend fun beginLogin(handleOrDid: String): String

Starts the OAuth login flow for the given handle or DID and returns the authorization URL to open in the browser.

suspend fun completeLogin(redirectUri: String)

Completes the OAuth login flow after the browser redirects back.

suspend fun createClient(): XrpcClient

Creates an authenticated XrpcClient from the persisted session. The client uses DpopAuthProvider for DPoP proof-of-possession on every request.
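As an added illustration of what the PKCE and DPoP pieces of this flow actually carry (not code from AtOAuth or its DpopAuthProvider), the self-contained Kotlin/JVM sketch below builds the PKCE verifier/challenge pair that goes into the PAR request and an ES256-signed DPoP proof of the kind the authenticated client attaches to every request. Function names and the hand-rolled JSON encoding are this example's own.

```kotlin
import java.math.BigInteger
import java.security.KeyPair
import java.security.KeyPairGenerator
import java.security.MessageDigest
import java.security.SecureRandom
import java.security.Signature
import java.security.interfaces.ECPublicKey
import java.security.spec.ECGenParameterSpec
import java.util.Base64
import java.util.UUID

private val urlB64 = Base64.getUrlEncoder().withoutPadding()
private fun b64(bytes: ByteArray): String = urlB64.encodeToString(bytes)
private fun sha256(bytes: ByteArray): ByteArray = MessageDigest.getInstance("SHA-256").digest(bytes)

// PKCE (RFC 7636): a fresh 256-bit verifier per login. Only its S256 hash travels in the PAR request;
// the verifier itself is presented at token exchange, so a leaked authorization code alone is useless.
fun pkceVerifier(): String = b64(ByteArray(32).also { SecureRandom().nextBytes(it) })
fun pkceChallenge(verifier: String): String = b64(sha256(verifier.toByteArray(Charsets.US_ASCII)))

// DPoP (RFC 9449) key pair: P-256, generated per session; the private key never leaves the device.
fun dpopKeyPair(): KeyPair =
    KeyPairGenerator.getInstance("EC").apply { initialize(ECGenParameterSpec("secp256r1")) }.generateKeyPair()

// Left-pad or trim to exactly 32 bytes (BigInteger may prepend a sign byte or drop leading zeros).
private fun fixed32(v: BigInteger): ByteArray {
    val raw = v.toByteArray()
    return if (raw.size >= 32) raw.copyOfRange(raw.size - 32, raw.size) else ByteArray(32 - raw.size) + raw
}
// JCA returns DER SEQUENCE { INTEGER r, INTEGER s }; JWS ES256 wants the raw 64-byte r||s form.
private fun derToJose(der: ByteArray): ByteArray {
    val rLen = der[3].toInt()
    val r = BigInteger(1, der.copyOfRange(4, 4 + rLen))
    val sLen = der[5 + rLen].toInt()
    val s = BigInteger(1, der.copyOfRange(6 + rLen, 6 + rLen + sLen))
    return fixed32(r) + fixed32(s)
}
// One DPoP proof JWT, bound to a single HTTP method + URL. `nonce` is the value the server returned in a
// DPoP-Nonce header; `accessToken` is set for PDS requests so the `ath` claim ties the proof to that token.
fun dpopProof(key: KeyPair, method: String, uri: String, nonce: String? = null, accessToken: String? = null): String {
    val pub = key.public as ECPublicKey
    val jwk = "{\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"${b64(fixed32(pub.w.affineX))}\",\"y\":\"${b64(fixed32(pub.w.affineY))}\"}"
    val header = b64("{\"typ\":\"dpop+jwt\",\"alg\":\"ES256\",\"jwk\":$jwk}".toByteArray())
    val claims = StringBuilder("{\"jti\":\"${UUID.randomUUID()}\",\"htm\":\"$method\",\"htu\":\"$uri\",\"iat\":${System.currentTimeMillis() / 1000}")
    nonce?.let { claims.append(",\"nonce\":\"$it\"") }
    accessToken?.let { claims.append(",\"ath\":\"${b64(sha256(it.toByteArray(Charsets.US_ASCII)))}\"") }
    val payload = b64(claims.append("}").toString().toByteArray())
    val signer = Signature.getInstance("SHA256withECDSA").apply { initSign(key.private); update("$header.$payload".toByteArray()) }
    return "$header.$payload.${b64(derToJose(signer.sign()))}"
}
```

AT Protocol servers reject a first proof that carries no nonce with a `use_dpop_nonce` error and supply the expected value in a `DPoP-Nonce` response header, so a client retries the request with that value in the `nonce` claim; the proof is single-use and only valid for the exact method and URL it names.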

suspend fun logout()

Revokes the current tokens on the authorization server, then clears the persisted session. If revocation fails (network error, missing revocation endpoint), the local session is still cleared.