atproto OAuth Flask Backend Demo

[bnewbold]

The README gives an overview and getting started directions.

This is a example project showing how to implement an Python web service which uses atproto OAuth for authentication. It uses Flask as a web framework, and sqlite as a database to store session tokens.

Progress/status:

• [x] resolve atproto identity (handle and DID)
• [x] fetch PDS and authorization server metadata
• [x] send PAR request to AS
• [x] save auth request state to database and forward user to auth endpoint
• [x] complete authorization flow using PKCE and DPoP, request initial tokens, verify that DID matches account from start of flow, persist tokens in database and set session cookie
• [x] perform basic PDS repo operation (bsky post) as proof of concept, demonstrating use of access token and DPoP
• [x] minimal SSRF protections
• [x] use DPoP as part of PAR request
• [x] demonstrate token refresh
• [x] update "TODO" parts to work with scopes etc
• [ ] maybe: track token lifetime and auto-refresh
• [ ] maybe: destroy tokens on logout (by calling auth server token revocation endpoint)
• [ ] maybe: demonstrate token introspection endpoint

It might also be helpful to have a "public" client example in python? But don't want to over-complicate this codebase.

[ngerakines]

Can this proof-of-concept also include JWT validation for tokens sent from the PDS?

[bnewbold]

@ngerakines the current spec semantics are that the authorization server tokens are opaque strings. they are indeed JWTs in the case of the bsky PDS/entryway implementation, but I think this demo shouldn't assume that

[bnewbold]

There is a demo version of this deployed at: https://oauth-flask.demo.bsky.dev/

It has been updated to be inline with the current draft spec (https://github.com/bluesky-social/atproto-website/pull/326), as of just now. Any discrepancies are a bug!

This is ready for final review and merge.