### Authorization Request Example (HTTP) Source: https://github.com/197g/oxide-auth/blob/master/docs/rfc6749.txt An example of an HTTP GET request constructed by a client to initiate the authorization code flow. It includes required parameters like response_type, client_id, and optional parameters like state and redirect_uri. ```http GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1 Host: server.example.com ``` -------------------------------- ### Run Database Example Source: https://github.com/197g/oxide-auth/blob/master/oxide-auth-db/Readme.md This command executes the database example provided by the oxide-auth-db crate. Ensure you have a Redis server running and a test client added before running this command. ```bash $ cargo run db-example ``` -------------------------------- ### OAuth 2.0 Authorization Request Example (HTTP) Source: https://github.com/197g/oxide-auth/blob/master/docs/rfc6749.txt An example of an HTTP GET request constructed by a client to initiate the OAuth 2.0 authorization process using the implicit grant. It includes required and optional parameters like response_type, client_id, and redirect_uri. ```http GET /authorize?response_type=token&client_id=s6BhdRkqt3&state=xyz &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1 Host: server.example.com ``` -------------------------------- ### Authorization Server Metadata Example Source: https://github.com/197g/oxide-auth/blob/master/docs/rfc8414.txt An example of the JSON structure for OAuth 2.0 Authorization Server Metadata. This includes the issuer identifier, supported UI locales, and other relevant information. ```json { "issuer": "http://server.example.com", "authorization_endpoint": "https://server.example.com/authorize", "token_endpoint": "https://server.example.com/token", "jwks_uri": "https://server.example.com/jwks.json", "response_types_supported": [ "code", "token", "id_token", "code token", "code id_token", "token id_token", "code token id_token" ], "subject_types_supported": [ "public" ], "scopes_supported": [ "openid", "profile", "email", "address", "phone" ], "response_modes_supported": [ "query", "fragment", "form_post" ], "grant_types_supported": [ "authorization_code", "implicit", "refresh_token" ], "token_endpoint_auth_methods_supported": [ "client_secret_basic", "client_secret_post" ], "claims_supported": [ "sub", "iss", "aud", "exp", "iat", "auth_time", "nonce", "name", "given_name", "family_name", "nickname", "email", "email_verified", "picture" ], "ui_locales_supported": [ "en-US", "en-GB", "en-CA", "fr-FR", "fr-CA" ] } ``` -------------------------------- ### Example Authorization Server Metadata Response (JSON) Source: https://github.com/197g/oxide-auth/blob/master/docs/rfc8414.txt Provides a non-normative example of a successful HTTP response for authorization server metadata. The response is a JSON object containing various claims about the server's configuration. ```json HTTP/1.1 200 OK Content-Type: application/json { "issuer": "https://server.example.com", "authorization_endpoint": "https://server.example.com/authorize", "token_endpoint": "https://server.example.com/token", "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"], "token_endpoint_auth_signing_alg_values_supported": ["RS256", "ES256"], "userinfo_endpoint": "https://server.example.com/userinfo", "jwks_uri": "https://server.example.com/jwks.json", "registration_endpoint": "https://server.example.com/register", "scopes_supported": ["openid", "profile", "email", "address", "phone", "offline_access"], "response_types_supported": ["code", "code token"], "service_documentation": "https://server.example.com/doc" } ``` -------------------------------- ### Example Token Introspection Request (Basic Auth) Source: https://github.com/197g/oxide-auth/blob/master/docs/rfc7662.txt This example shows a POST request to the token introspection endpoint authenticated using Basic authentication. It includes the token and an optional 'token_type_hint'. ```http POST /introspect HTTP/1.1 Host: server.example.com Accept: application/json Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW token=mF_9.B5f-4.1JqM&token_type_hint=access_token ``` -------------------------------- ### Access Token Usage Examples Source: https://github.com/197g/oxide-auth/blob/master/docs/rfc6749.txt Illustrates how clients use different access token types to authenticate with resource servers, specifically focusing on the 'Authorization' header. ```APIDOC ## Access Token Usage Examples ### Description This section provides examples of how clients can use different types of access tokens to make requests to protected resources. It highlights the use of the `Authorization` HTTP header. ### Method GET ### Endpoint `/resource/{id}` ### Parameters #### Path Parameters - **id** (string) - Required - The identifier of the resource to access. #### Query Parameters None #### Request Body None ### Request Example #### Bearer Token Example ```http GET /resource/1 HTTP/1.1 Host: example.com Authorization: Bearer mF_9.B5f-4.1JqM ``` #### MAC Token Example ```http GET /resource/1 HTTP/1.1 Host: example.com Authorization: MAC id="h480djs93hd8", nonce="274312:dj83hs9s", mac="kDZvddkndxvhGRXZhvuDjEWhGeE=" ``` ### Response #### Success Response (200) - **resource_data** (object) - The requested resource data. #### Response Example ```json { "resource_data": { "key": "value" } } ``` ``` -------------------------------- ### OAuth 2.0 Access Token Response Example (HTTP) Source: https://github.com/197g/oxide-auth/blob/master/docs/rfc6749.txt An example of an HTTP 302 Found response from an authorization server, redirecting the user-agent back to the client's callback URI with the access token and other parameters embedded in the URI fragment. ```http HTTP/1.1 302 Found Location: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA ``` -------------------------------- ### OAuth 2.0 Access Token Response Example Source: https://github.com/197g/oxide-auth/blob/master/docs/rfc6749.txt An example of a successful HTTP response from an authorization server after a valid access token request. It includes the access token, token type, expiration time, and optional refresh token and other parameters. ```http HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"example", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "example_parameter":"example_value" } ``` -------------------------------- ### Authorization Response Example (HTTP) Source: https://github.com/197g/oxide-auth/blob/master/docs/rfc6749.txt An example of an HTTP 302 Found response from the authorization server, redirecting the user-agent back to the client with an authorization code and the state parameter. The authorization code is a temporary credential. ```http HTTP/1.1 302 Found Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA &state=xyz ``` -------------------------------- ### HTTP GET Request for Authorization Server Metadata Source: https://github.com/197g/oxide-auth/blob/master/docs/rfc8414.txt Demonstrates how a client should construct an HTTP GET request to retrieve authorization server metadata. It covers cases with and without a path component in the issuer identifier. ```http GET /.well-known/oauth-authorization-server HTTP/1.1 Host: example.com ``` ```http GET /.well-known/oauth-authorization-server/issuer1 HTTP/1.1 Host: example.com ``` -------------------------------- ### Resource Owner Password Credentials Access Token Response Example Source: https://github.com/197g/oxide-auth/blob/master/docs/rfc6749.txt An example HTTP 200 OK response from an authorization server to a client after a successful Resource Owner Password Credentials grant request. The response body is in JSON format and includes the access token, token type, expiration time, and an optional refresh token. ```json { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"example", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "example_parameter":"example_value" } ``` -------------------------------- ### Example Access Token Response Source: https://github.com/197g/oxide-auth/blob/master/docs/rfc6750.txt Illustrates a typical successful response when an OAuth 2.0 access token is issued, including token type, expiration, and refresh token. ```APIDOC ## Example Access Token Response ### Description Provides an example of a successful OAuth 2.0 access token response, commonly returned by an authorization server. ### Method N/A (Describes a successful token response) ### Endpoint N/A (Describes a successful token response) ### Parameters None ### Request Example None ### Response #### Success Response (200 OK) - **access_token** (string) - The issued access token. - **token_type** (string) - The type of the token, typically "Bearer". - **expires_in** (integer) - The lifetime in seconds of the access token. - **refresh_token** (string) - The refresh token, used to obtain a new access token. #### Response Example ``` HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"mF_9.B5f-4.1JqM", "token_type":"Bearer", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA" } ``` ``` -------------------------------- ### Query Parameter Deserialization Example Source: https://github.com/197g/oxide-auth/blob/master/Migration.md Demonstrates the correct way to deserialize URL query parameters using `serde_urlencoded`. It highlights the issue with directly deserializing to `HashMap` and recommends deserializing to `Vec<(String, String)>` and then converting to a suitable collection. ```Rust /// Incorrect deserialization //! // serde_urlencoded::from_str::>(query)?.normalize(); /// Correct deserialization // let params: Vec<(String, String)> = serde_urlencoded::from_str(query)?; // let normalized_params: HashMap = params.into_iter().collect(); ``` -------------------------------- ### Complete OAuth2 Server Example (Rust) Source: https://context7.com/197g/oxide-auth/llms.txt This snippet shows a full OAuth2 server implementation using actix-web. It sets up the application state with an OAuth endpoint, defines handlers for authorization, token, and refresh requests, and configures the actix-web server. Dependencies include actix-web and oxide-auth. ```rust use actix::{Actor, Context, Handler}; use actix_web::{web, App, HttpServer, HttpRequest}; use oxide_auth::endpoint::{OwnerConsent, OwnerSolicitor, Solicitation}; use oxide_auth::frontends::simple::endpoint::{Generic, Vacant, FnSolicitor, ErrorInto}; use oxide_auth::primitives::prelude::*; use oxide_auth_actix::{ OAuthRequest, OAuthResponse, OAuthMessage, OAuthOperation, Authorize, Token, Refresh, Resource, WebError }; // Application state holding the OAuth endpoint struct OAuthState { endpoint: Generic< ClientMap, AuthMap, TokenMap, Vacant, Vec, fn() -> OAuthResponse, >, } impl OAuthState { fn new() -> Self { OAuthState { endpoint: Generic { registrar: vec![ Client::confidential( "my-client", "http://localhost:8080/callback" .parse::().unwrap().into(), "read write".parse().unwrap(), b"my-client-secret", ) ].into_iter().collect(), authorizer: AuthMap::new(RandomGenerator::new(16)), issuer: TokenMap::new(RandomGenerator::new(32)), solicitor: Vacant, scopes: vec!["read".parse().unwrap(), "write".parse().unwrap()], response: OAuthResponse::ok, }, } } } // Make OAuthState an Actor impl Actor for OAuthState { type Context = Context; } // Handle OAuth operations sent as messages impl Handler> for OAuthState { type Result = Result; fn handle(&mut self, msg: OAuthMessage, _ctx: &mut Context) -> Self::Result { let (op, _) = msg.into_inner(); op.run(&mut self.endpoint) } } // Route handlers async fn authorize( req: OAuthRequest, state: web::Data>, ) -> Result { state.send(Authorize(req).wrap(())).await? } async fn token( req: OAuthRequest, state: web::Data>, ) -> Result { state.send(Token(req).wrap(())).await? } async fn refresh( req: OAuthRequest, state: web::Data>, ) -> Result { state.send(Refresh(req).wrap(())).await? } // Example main function setup // #[actix_web::main] // async fn main() -> std::io::Result<()> { // let state = OAuthState::new().start(); // HttpServer::new(move || { // App::new() // .app_data(web::Data::new(state.clone())) // .route("/authorize", web::get().to(authorize)) // .route("/authorize", web::post().to(authorize)) // .route("/token", web::post().to(token)) // .route("/refresh", web::post().to(refresh)) // }) // .bind("127.0.0.1:8080")? // .run() // .await // } ``` -------------------------------- ### GET /revoke (JSONP Support) Source: https://github.com/197g/oxide-auth/blob/master/docs/rfc7009.txt The revocation endpoint MAY support Cross-Origin Resource Sharing (CORS) and JSONP for interoperability with legacy user-agents. This allows GET requests with an additional 'callback' parameter. ```APIDOC ## GET /revoke?token=...&callback=... ### Description Supports GET requests with a 'callback' parameter for JSONP responses, allowing revocation requests from user-agent-based applications. ### Method GET ### Endpoint /revoke ### Query Parameters - **token** (string) - Required - The token to be revoked. - **token_type_hint** (string) - Optional - A hint about the type of the token. - **callback** (string) - Optional - The qualified name of a JavaScript function to wrap the response. ### Request Example ``` https://example.com/revoke?token=agabcdefddddafdd&callback=package.myCallback ``` ### Response #### Success Response (200) - **Description**: The token was successfully revoked or was invalid. The response is wrapped in the specified JavaScript callback function. #### Response Example (Success) ```javascript package.myCallback(); ``` #### Error Response - **Description**: An error occurred during revocation. The response is wrapped in the specified JavaScript callback function. #### Response Example (Error) ```javascript package.myCallback({"error":"unsupported_token_type"}); ``` ``` -------------------------------- ### Example Token Introspection Request (Bearer Token Auth) Source: https://github.com/197g/oxide-auth/blob/master/docs/rfc7662.txt This example demonstrates a POST request to the token introspection endpoint using a bearer token for authorization. The request body includes the token to be introspected. ```http POST /introspect HTTP/1.1 Host: server.example.com Accept: application/json Content-Type: application/x-www-form-urlencoded Authorization: Bearer 23410913-abewfq.123483 token=2YotnFZFEjr1zCsicMWpAA ``` -------------------------------- ### OAuth 2.0 Access Token Request Example (HTTP POST) Source: https://github.com/197g/oxide-auth/blob/master/docs/rfc6749.txt Demonstrates an HTTP POST request from a client to an authorization server's token endpoint. This request includes necessary parameters like grant_type, code, redirect_uri, and client_id, along with client authentication in the Authorization header. It uses the 'application/x-www-form-urlencoded' format. ```http POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb ``` -------------------------------- ### Token Endpoint Request Example (HTTP) Source: https://github.com/197g/oxide-auth/blob/master/docs/rfc6749.txt Example of a request to the token endpoint to refresh an access token using client ID and secret in the request body. This method is not recommended for clients capable of HTTP Basic authentication. ```http POST /token HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA &client_id=s6BhdRkqt3&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw ``` -------------------------------- ### Add Test Client to Redis Source: https://github.com/197g/oxide-auth/blob/master/oxide-auth-db/Readme.md This command demonstrates how to add a test client to a Redis server. It uses the 'set' command to store client details in JSON format, including client ID, redirect URI, and a hashed client secret. ```bash set LocalClient "{\"client_id\":\"LocalClient\",\"redirect_uri\":\"http://localhost:8021/endpoint\",\"additional_redirect_uris\":[],\"default_scope\":\"default-scope\",\"client_secret\":\"$argon2i$v=19$m=4096,t=3,p=1$FAnLM+AwjNhHrKA2aCVxQDmbPHC6jc4xyiX1ioxr66g$7PXkjalEW6ynIrkWDY86zaplnox919Tbd+wlDOmhLDg\"}" ``` -------------------------------- ### Token Revocation Request Example Source: https://github.com/197g/oxide-auth/blob/master/docs/rfc7009.txt This example demonstrates how a client can request the revocation of a refresh token by sending an HTTP POST request to the token revocation endpoint. It includes the token to be revoked and an optional hint about the token type. ```http POST /revoke HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token ``` -------------------------------- ### Access Token Request (Client Credentials) Source: https://github.com/197g/oxide-auth/blob/master/docs/rfc6749.txt Example HTTP request for obtaining an access token using the client credentials grant type. It includes the necessary 'grant_type' parameter and demonstrates client authentication via the Authorization header. ```http POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=client_credentials ```