oauth/io.github.kikin81.atproto.oauth

Package-level declarations

AtOAuth flow orchestrator, DpopAuthProvider, OAuthSession(Store), DpopSigner, and the exceptions thrown when a session expires or a step in the OAuth flow fails.

Types

AtOAuth

class AtOAuth(clientMetadataUrl: String, sessionStore: OAuthSessionStore, httpClient: HttpClient, json: Json = Json { ignoreUnknownKeys = true })

AT Protocol OAuth 2.0 flow orchestrator for public clients.

AuthServerMetadata

data class AuthServerMetadata(val issuer: String, val authorizationEndpoint: String, val tokenEndpoint: String, val parEndpoint: String, val revocationEndpoint: String?, val pdsUrl: String, val did: String, val handle: String)

Resolved authorization server metadata — everything the OAuth flow needs to construct PAR requests, authorization URLs, and token exchange calls.

DiscoveryChain

class DiscoveryChain(httpClient: HttpClient, json: Json = Json { ignoreUnknownKeys = true })

Implements the AT Protocol discovery chain:

DpopAuthProvider

class DpopAuthProvider(session: OAuthSession, signer: DpopSigner, sessionStore: OAuthSessionStore, refreshClient: HttpClient, json: Json = Json { ignoreUnknownKeys = true }) : AuthProvider

AuthProvider implementation that attaches DPoP proof-of-possession headers on every XRPC request and handles token refresh transparently.

DpopSigner

class DpopSigner

Signs DPoP proof JWTs using EC P-256 (ES256) per RFC 9449.

OAuthAccountMismatchException

class OAuthAccountMismatchException(message: String) : RuntimeException

OAuthDiscoveryException

class OAuthDiscoveryException(message: String, cause: Throwable? = null) : RuntimeException

OAuthException

class OAuthException(message: String, cause: Throwable? = null) : RuntimeException

OAuthSession

@Serializable

data class OAuthSession(val accessToken: String, val refreshToken: String, val did: String, val handle: String, val pdsUrl: String, val tokenEndpoint: String, val revocationEndpoint: String? = null, val clientId: String? = null, val dpopPrivateKey: ByteArray, val dpopPublicKey: ByteArray, val authServerNonce: String? = null, val clockOffsetSeconds: Long = 0, val pdsNonce: String? = null)

Persisted OAuth session state. Contains everything needed to make authenticated XRPC requests and refresh the session when the access token expires.

OAuthSessionExpiredException

class OAuthSessionExpiredException(message: String, cause: Throwable? = null) : RuntimeException

OAuthSessionStore

interface OAuthSessionStore

Platform-agnostic session persistence interface. Consumers provide the storage backend — the module handles serialization.