DpopAuthProvider

class DpopAuthProvider(session: OAuthSession, signer: DpopSigner, sessionStore: OAuthSessionStore, refreshClient: HttpClient, json: Json = Json { ignoreUnknownKeys = true }) : AuthProvider

AuthProvider implementation that attaches DPoP proof-of-possession headers on every XRPC request and handles token refresh transparently.

On each request, produces:

  • Authorization: DPoP <access_token>

  • DPoP: <signed-jwt-proof> (with ath, htm, htu, nonce)

When the PDS responds with HTTP 401:

  • If DPoP-Nonce header is present → stores the nonce, retries

  • If the access token is expired → refreshes via the token endpoint with the DPoP-bound refresh token, retries

  • If the refresh token is revoked → clears the session, throws OAuthSessionExpiredException

Refresh operations are serialized with a Mutex to prevent concurrent refreshes from invalidating the session.
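The claims carried by the DPoP proof described above, as an added example following RFC 9449; this is not the library's own code, and `accessTokenHash`, `normalizeHtu` and `dpopClaims` are hypothetical helper names. The token, nonce and URL in `main` are constructed sample values.

```kotlin
import java.security.MessageDigest
import java.util.Base64
import java.util.UUID

// Hypothetical helpers (not part of the library): build the payload claims of a
// DPoP proof JWT as defined by RFC 9449, before the proof is signed.
private val b64url: Base64.Encoder = Base64.getUrlEncoder().withoutPadding()

/** ath: base64url (no padding) of SHA-256 over the ASCII access token value. */
fun accessTokenHash(accessToken: String): String =
    b64url.encodeToString(
        MessageDigest.getInstance("SHA-256")
            .digest(accessToken.toByteArray(Charsets.US_ASCII))
    )

/** htu: the request URI without its fragment and query parts. */
fun normalizeHtu(url: String): String =
    url.substringBefore('#').substringBefore('?')

fun dpopClaims(
    method: String,
    url: String,
    accessToken: String?,   // null on token-endpoint requests such as a refresh
    nonce: String?,         // last DPoP-Nonce value received from the server, if any
    nowEpochSeconds: Long = System.currentTimeMillis() / 1000,
): Map<String, Any> {
    val claims = linkedMapOf<String, Any>(
        "jti" to UUID.randomUUID().toString(), // unique per proof, limits replay
        "htm" to method,                       // binds the proof to the HTTP method
        "htu" to normalizeHtu(url),            // binds the proof to the target URI
        "iat" to nowEpochSeconds,
    )
    // ath binds the proof to the exact access token sent in the Authorization header.
    accessToken?.let { claims["ath"] = accessTokenHash(it) }
    nonce?.let { claims["nonce"] = it }
    return claims
}

fun main() {
    // Constructed sample values, for illustration only.
    val claims = dpopClaims(
        method = "GET",
        url = "https://pds.example/xrpc/app.bsky.feed.getTimeline?limit=10",
        accessToken = "constructed-access-token",
        nonce = "constructed-nonce",
    )
    claims.forEach { (k, v) -> println("$k = $v") }
}
```

Because `ath`, `htm` and `htu` are covered by the proof's signature, a captured proof cannot be reused with a different token, method or endpoint.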

Constructors

constructor(session: OAuthSession, signer: DpopSigner, sessionStore: OAuthSessionStore, refreshClient: HttpClient, json: Json = Json { ignoreUnknownKeys = true })

Functions

open suspend override fun authHeaders(method: String, url: String): Map<String, String>
open suspend override fun onUnauthorized(responseHeaders: Map<String, String>): Boolean

Called by XrpcClient on HTTP 401. First checks for a new DPoP-Nonce header (nonce rotation). If there is no new nonce, it assumes the access token is expired and attempts a transparent refresh.