Package-level declarations

AtOAuth flow orchestrator, DpopAuthProvider, OAuthSession(Store), DpopSigner, and the exceptions thrown when a session expires or a step in the OAuth flow fails.

Types

class AtOAuth(clientMetadataUrl: String, redirectUri: String, sessionStore: OAuthSessionStore, httpClient: HttpClient, json: Json = Json { ignoreUnknownKeys = true }, scope: String = "atproto transition:generic")

AT Protocol OAuth 2.0 flow orchestrator for public clients.

data class AuthServerMetadata(val issuer: String, val authorizationEndpoint: String, val tokenEndpoint: String, val parEndpoint: String, val revocationEndpoint: String?, val pdsUrl: String?, val did: String?, val handle: String?, val promptValuesSupported: List<String> = emptyList())

Resolved authorization server metadata — everything the OAuth flow needs to construct PAR requests, authorization URLs, and token exchange calls.

class DiscoveryChain(httpClient: HttpClient, json: Json = Json { ignoreUnknownKeys = true })

Implements the AT Protocol discovery chain:

class DpopAuthProvider(session: OAuthSession, signer: DpopSigner, sessionStore: OAuthSessionStore, refreshClient: HttpClient, json: Json = Json { ignoreUnknownKeys = true }) : AuthProvider

AuthProvider implementation that attaches DPoP proof-of-possession headers on every XRPC request and handles token refresh transparently.

Signs DPoP proof JWTs using EC P-256 (ES256) per RFC 9449.

class OAuthDiscoveryException(message: String, cause: Throwable? = null) : RuntimeException
class OAuthException(message: String, cause: Throwable? = null) : RuntimeException
@Serializable
data class OAuthSession(val accessToken: String, val refreshToken: String, val did: String?, val handle: String?, val pdsUrl: String?, val tokenEndpoint: String, val revocationEndpoint: String? = null, val clientId: String? = null, val dpopPrivateKey: ByteArray, val dpopPublicKey: ByteArray, val authServerNonce: String? = null, val clockOffsetSeconds: Long = 0, val pdsNonce: String? = null)

Persisted OAuth session state. Contains everything needed to make authenticated XRPC requests and refresh the session when the access token expires.

Platform-agnostic session persistence interface. Consumers provide the storage backend — the module handles serialization.

class OAuthSignupNotSupportedException(val authServerUrl: String, val advertisedPromptValues: List<String>) : RuntimeException

Thrown by AtOAuth.beginSignup when the configured authorization server's /.well-known/oauth-authorization-server metadata does not advertise "create" in prompt_values_supported. Per OIDC Prompt Create 1.0, the prompt=create value tells the server "render the signup UI"; servers that don't advertise the value may silently ignore it or reject the PAR.