OAuthClient class final
A customizable, dependency-injected atproto OAuth 2.0 client.
The authorization server for an account is resolved dynamically on every call from the account's identity (handle/DID) or its PDS, so a single OAuthClient instance can authenticate accounts hosted on any PDS.
The moving parts are all injectable so callers can plug in durable / secure storage and platform-backed crypto:
- IdentityResolver — handle/DID → PDS + DID resolution.
- OAuthStateStore — per-authorization state carried from authorize to
callback, keyed by the
stateparameter. - OAuthSessionStore — issued OAuthSessions, keyed by account
sub. - DPoPNonceCache — the most recent DPoP nonce, keyed by URL origin.
- DPoPSigner — DPoP key generation and proof signing.
Every atproto OAuth security check is enforced: PKCE (RFC 7636), PAR
(RFC 9126), DPoP (RFC 9449), RFC 9207 iss validation, RFC 8414 issuer
origin matching, constant-time state comparison, and account-identity
(sub = DID) verification. Access and refresh tokens are treated as
opaque strings and are never parsed as JWTs.
Constructors
- OAuthClient(OAuthClientMetadata metadata, {IdentityResolver? identityResolver, OAuthStateStore? stateStore, OAuthSessionStore? sessionStore, DPoPNonceCache? nonceCache, DPoPSigner? signer, Client? httpClient})
Properties
- hashCode → int
-
The hash code for this object.
no setterinherited
- metadata → OAuthClientMetadata
-
Client metadata to be used during authentication.
final
- runtimeType → Type
-
A representation of the runtime type of the object.
no setterinherited
Methods
-
Initiates an OAuth 2.0 authorization request for
identityusing Pushed Authorization Requests (PAR) with PKCE and DPoP. -
callback(
String callbackUrl) → Future< OAuthSession> - Processes the OAuth 2.0 authorization callback and exchanges the authorization code for a DPoP-bound OAuthSession.
-
noSuchMethod(
Invocation invocation) → dynamic -
Invoked when a nonexistent method or property is accessed.
inherited
-
refresh(
OAuthSession session) → Future< OAuthSession> -
Refreshes
sessionusing the DPoP-bound refresh token flow. -
restore(
String sub) → Future< OAuthSession?> -
Restores a stored session for
sub, refreshing it if it has expired. -
revoke(
OAuthSession session) → Future< void> -
Best-effort revocation of
session. -
toString(
) → String -
A string representation of this object.
inherited
Operators
-
operator ==(
Object other) → bool -
The equality operator.
inherited