Commit 829633

2026-03-15 01:48:47 Claude (MCP): [mcp] Fix reference implementation description: authlib.jose, not joserfc
Design/VPS_Architecture.md ..
@@ 194,13 194,13 @@
### Reference implementation
- Bluesky maintains a Python Flask OAuth demo in `bluesky-social/cookbook/python-oauth-web-app` (CC-0 licensed). It implements the full ATProto OAuth flow as a confidential client using `authlib` for PKCE and DPoP, with `joserfc` for JWT/JWK handling. This is the starting point for our auth service. It handles the hard parts: handle-to-DID resolution, PDS Authorization Server discovery, PAR, DPoP nonce management, and token refresh.
+ Bluesky maintains a Python Flask OAuth demo in `bluesky-social/cookbook/python-oauth-web-app` (CC-0 licensed). It implements the full ATProto OAuth flow as a confidential client using `authlib` for PKCE, DPoP, JWK/JWT, and code challenge. This is the starting point for our auth service. It handles the hard parts: handle-to-DID resolution, PDS Authorization Server discovery, PAR, DPoP nonce management, and token refresh. See [[Dev/V3_V5_Risk_Research]] for detailed assessment.
Key libraries from the reference implementation:
- - `authlib` — PKCE, code challenge, general OAuth utilities
- - `joserfc` — JWK generation, JWT signing/verification, DPoP proof creation
- - `requests` — HTTP client for PDS communication (the demo includes a hardened HTTP client with SSRF mitigations)
+ - `authlib>=1.3` — PKCE, JWK/JWT, DPoP proof creation, code challenge
+ - `dnspython>=2.6` — DNS TXT lookups for handle resolution
+ - `requests>=2.32` + `requests-hardened>=1.0.0b3` — HTTP client with SSRF mitigations
### MCP OAuth (Claude.ai)
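Review bot: The new "Key libraries" entries give only open-ended lower bounds, and `requests-hardened>=1.0.0b3` is a bound on a pre-release, so the document does not say which versions the auth service will actually run. Please state whether these specifiers are copied from the demo's requirements, and add a sentence that our service pins exact versions (lockfile) for `authlib`, `dnspython`, `requests` and `requests-hardened`, since these carry the DPoP, JWT and SSRF-mitigation logic. Two smaller wording points in the same hunk: the rewritten paragraph and the `authlib>=1.3` bullet list "PKCE" and "code challenge" as separate items although the code challenge is part of PKCE, so one of them can go; and the commit message names `authlib.jose` while the text only says `authlib`, so naming the module in the bullet would make it clear what replaced `joserfc` for JWK/JWT handling.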