This also ensures we clearly signal to the DPoP request method whether we are talking to an authorization server or a resource server (since these give different OAuth Error responses). The test coverage has increased dramatically here.
This is actually generic OAuth token response logic, but the package is currently structured to make this Bluesky-specific.
This allows apps using the Bluesky client to retrieve the DID for the authenticated account from the Login.
ThisIsMissEm commented Mar 6, 2026
Comment on lines +340 to +345
| if let state = state { | ||
| if state != stateToken { | ||
| throw AuthenticatorError.stateTokenMismatch(state, stateToken) | ||
| } | ||
| } | ||
|
|
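Review bot: The `if let state = state` wrapper means a redirect that carries no `state` parameter never reaches the `state != stateToken` comparison, so the check only fires when a state happens to be present. Compare unconditionally so that an absent state also throws `stateTokenMismatch`.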
I think we should be safe to remove this guard, since all authorization servers should pass through the state parameter to the redirect.
@mattmassicotte let me know if you'd agree with my assessment and then we can remove this check with:
Suggested change
| if let state = state { | |
| if state != stateToken { | |
| throw AuthenticatorError.stateTokenMismatch(state, stateToken) | |
| } | |
| } | |
| if state != stateToken { | |
| throw AuthenticatorError.stateTokenMismatch(state, stateToken) | |
| } |
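Review bot: With the `if let` removed, `state` in `throw AuthenticatorError.stateTokenMismatch(state, stateToken)` is still the optional value that the old binding unwrapped, so the error case has to accept an optional first argument or the value needs a `guard let` before the throw. Either way, a nil `state` should take the throwing path rather than compare equal to anything.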
ThisIsMissEm commented Mar 6, 2026
| let errorDescription = redirectParams.firstQueryValue("error_description") | ||
|
|
||
| if let error = error { | ||
| switch error.lowercased() { |
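Review bot: `switch error.lowercased()` accepts any casing of the error code, while RFC 6749 lists the codes as exact lower-case strings; matching on the raw value keeps a non-conforming code out of the known cases. `errorDescription` is read straight from the redirect parameters, so treat it as untrusted text wherever it is later logged or displayed.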
There are some additional errors here: https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
ThisIsMissEm commented Mar 6, 2026
Comment on lines +358 to +361
| // We do actually have error and error_description parameters, so | ||
| // could create a more specific error than missingAuthorizationCode | ||
| throw AuthenticatorError.missingAuthorizationCode | ||
| } |
If we wanted to pass back the complete error such that other code could handle it potentially:
Suggested change
| // We do actually have error and error_description parameters, so | |
| // could create a more specific error than missingAuthorizationCode | |
| throw AuthenticatorError.missingAuthorizationCode | |
| } | |
| throw AuthenticatorError.unrecognizedError(error, errorDescription ?? "") | |
| } |
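Review bot: `errorDescription ?? ""` in the replacement throw makes an absent `error_description` indistinguishable from an empty one. Passing the optional through to `unrecognizedError` would keep that distinction for callers that decide whether to show the text.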
This lifts up the checks for:
state parameter correctly)
iss param with config.tokenHandling.issuer if set)
Fixes handling of OAuth Errors, since this is generic, and fixes #36.
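The redirect checks named in this description (state, `iss` against a configured issuer, OAuth error parameters), sketched as an added Swift example that is not code from this pull request. The type and function names, the order of the checks and the sample URLs are assumptions made for illustration.

```swift
import Foundation

// Hypothetical names throughout; not the API of the package under review.
enum RedirectError: Error, Equatable {
    case stateMismatch(received: String?, expected: String)
    case issuerMismatch(received: String?, expected: String)
    case authorizationServer(code: String, description: String?)
    case missingAuthorizationCode
}

/// Validates an authorization-code redirect and returns the code.
/// `expectedIssuer` is nil when the client has no issuer configured.
func authorizationCode(from redirect: URL,
                       expectedState: String,
                       expectedIssuer: String?) throws -> String {
    let items = URLComponents(url: redirect, resolvingAgainstBaseURL: false)?.queryItems ?? []
    func value(_ name: String) -> String? {
        items.first(where: { $0.name == name })?.value
    }
    // A missing state fails exactly like a wrong one; an `if let` guard
    // would let a redirect with no state at all skip the comparison.
    guard let state = value("state"), state == expectedState else {
        throw RedirectError.stateMismatch(received: value("state"), expected: expectedState)
    }
    // The `iss` parameter (RFC 9207) is compared only when an issuer is configured.
    if let expectedIssuer, value("iss") != expectedIssuer {
        throw RedirectError.issuerMismatch(received: value("iss"), expected: expectedIssuer)
    }
    // Surface error and error_description instead of reporting a missing code.
    if let error = value("error") {
        throw RedirectError.authorizationServer(code: error, description: value("error_description"))
    }
    guard let code = value("code"), !code.isEmpty else {
        throw RedirectError.missingAuthorizationCode
    }
    return code
}

// Constructed sample redirects: valid, state absent, server-reported error.
let samples = [
    "app://cb?code=abc&state=s1&iss=https%3A%2F%2Fas.example",
    "app://cb?code=abc&iss=https%3A%2F%2Fas.example",
    "app://cb?error=access_denied&state=s1&iss=https%3A%2F%2Fas.example",
]
for sample in samples {
    do {
        let code = try authorizationCode(from: URL(string: sample)!, expectedState: "s1",
                                         expectedIssuer: "https://as.example")
        print("code:", code)
    } catch { print("rejected:", error) }
}
```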