getServerMetadata method
Fetches OAuth 2.0 Authorization Server Metadata (RFC 8414) from
https://<service>/.well-known/oauth-authorization-server.
Validates that the advertised issuer matches the configured
service origin as required by RFC 8414 Section 3.3.
Throws an OAuthException when the document cannot be fetched or parsed, or when the issuer does not match.
Note: service must be the authorization server (entryway) host itself. Use resolveFromPds or resolveFromIdentity to discover the authorization server from a PDS URL or a user identity first.
Implementation
Future<OAuthServerMetadata> getServerMetadata() async {
final response = await _get(_wellKnownServerMetadataUri);
if (response.statusCode != 200) {
throw OAuthException(
'Failed to get authorization server metadata: '
'${response.statusCode}',
);
}
final json = _tryDecodeJsonMap(response.body);
if (json == null) {
throw OAuthException(
'Failed to parse authorization server metadata: '
'response is not a JSON object',
);
}
final serverMetadata = OAuthServerMetadata.fromJson(json);
_validateIssuerOrigin(serverMetadata.issuer);
return serverMetadata;
}