ascorbic commented Jan 5, 2026

Summary

Fixes #73 - Login denied on pckt.blog

  • Fix response_mode default: Changed from fragment to query for authorization code flow per RFC 6749. Server-side apps can now receive the authorization code in the query string (?code=...) instead of the URL fragment (#code=...).

  • Add /oauth/userinfo endpoint: Returns the user's DID (sub) and handle (preferred_username) for OpenID Connect compatibility. This endpoint is required by some OAuth clients after token exchange.

  • Add private_key_jwt client authentication: Implements RFC 7523 JWT Bearer client authentication for confidential OAuth clients, with inline JWKS and remote JWKS URI support.

Test plan

  • All existing OAuth tests pass (66 tests)
  • New client-auth tests pass (17 tests)
  • Tested login flow with pckt.blog - successful authentication
  • Verified tokens are issued and userinfo endpoint returns correct data

cloudflare-workers-and-pages bot commented Jan 5, 2026

Deploying with Cloudflare Workers

| Status | Name | Latest Commit | Updated (UTC) |
| --- | --- | --- | --- |
| ✅ Deployment successful! | atproto-pds | 677f2db | Jan 05 2026, 10:21 PM |

pkg-pr-new bot commented Jan 5, 2026

npm i https://pkg.pr.new/create-pds@77
npm i https://pkg.pr.new/@getcirrus/oauth-provider@77
npm i https://pkg.pr.new/@getcirrus/pds@77

commit: 677f2db

- Fix default response_mode from "fragment" to "query" for authorization
  code flow per RFC 6749. This allows server-side apps to receive the
  authorization code in the query string instead of the URL fragment.

- Add /oauth/userinfo endpoint that returns the user's DID (sub) and
  handle (preferred_username) after validating the access token.

- Add private_key_jwt client authentication support (RFC 7523) for
  confidential OAuth clients, with full JWT assertion validation.

- Add userinfo_endpoint to OAuth server metadata for client discovery.

Fixes #73

ascorbic force-pushed the fix/oauth-response-mode-and-userinfo branch from d9bb353 to 677f2db January 5, 2026 22:20
ascorbic merged commit 2ea70ce into main Jan 5, 2026
5 checks passed
ascorbic deleted the fix/oauth-response-mode-and-userinfo branch January 5, 2026 22:23
mixie-bot bot mentioned this pull request Jan 5, 2026