getServerMetadata method

Future<OAuthServerMetadata> getServerMetadata()

Fetches OAuth 2.0 Authorization Server Metadata (RFC 8414) from https://<service>/.well-known/oauth-authorization-server.

Validates that the advertised issuer matches the configured service origin as required by RFC 8414 Section 3.3.

Throws an OAuthException when the document cannot be fetched or parsed, or when the issuer does not match.

Note: service must be the authorization server (entryway) host itself. Use resolveFromPds or resolveFromIdentity to discover the authorization server from a PDS URL or a user identity first.

Implementation

Future<OAuthServerMetadata> getServerMetadata() async {
  final response = await _get(_wellKnownServerMetadataUri);

  if (response.statusCode != 200) {
    throw OAuthException(
      'Failed to get authorization server metadata: '
      '${response.statusCode}',
    );
  }

  final json = _tryDecodeJsonMap(response.body);
  if (json == null) {
    throw OAuthException(
      'Failed to parse authorization server metadata: '
      'response is not a JSON object',
    );
  }

  final serverMetadata = OAuthServerMetadata.fromJson(json);
  _validateIssuerOrigin(serverMetadata.issuer);

  return serverMetadata;
}