fix(auth): use token_endpoint_auth_method 'none' for browser OAuth client
Author: Aaron Steven White
Commit
7a688077042a3f80d6096cf0d764edebc3edb151Parent: 75f6e96a41
3 files changed +6 -4
@@ -7,7 +7,7 @@ members = [
77 resolver = "2" 88 99 [workspace.package] 10-version = "0.2.0" 10+version = "0.2.1" 1111 edition = "2024" 1212 license = "AGPL-3.0-or-later" 1313 repository = "https://github.com/cospan-dev/cospan"
@@ -12,10 +12,14 @@ let currentAgent: Agent | null = null;
1212 function getClientId(): string { 1313 if (typeof window === 'undefined') return 'http://localhost'; 1414 const { hostname, port, pathname } = window.location; 15+ 16+ // Loopback mode for local development 1517 if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '[::1]') { 1618 const redirectUri = `http://127.0.0.1${port ? `:${port}` : ''}${pathname}`; 1719 return `http://localhost?redirect_uri=${encodeURIComponent(redirectUri)}`; 1820 } 21+ 22+ // Production: use client metadata URL (served by appview, proxied through SvelteKit) 1923 return `${window.location.origin}/oauth/client-metadata.json`; 2024 } 2125
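Review bot: The two added comments cover the loopback and production branches, but the first guard, `if (typeof window === 'undefined') return 'http://localhost';`, is still undocumented. It returns a loopback client id even when the code runs server-side in a production build. If that value can ever reach an authorization request (the call sites are outside this hunk), it would not match the published `/oauth/client-metadata.json` URL. A comment such as `// SSR: no window; placeholder only, must never be sent to an authorization server` would make the contract explicit.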
@@ -53,10 +53,8 @@ async fn client_metadata(State(state): State<Arc<AppState>>) -> impl IntoRespons
5353 "response_types": ["code"], 5454 "scope": "atproto", 5555 "application_type": "web", 56- "token_endpoint_auth_method": "private_key_jwt", 57- "token_endpoint_auth_signing_alg": "ES256", 56+ "token_endpoint_auth_method": "none", 5857 "dpop_bound_access_tokens": true, 59- "jwks_uri": config.jwks_uri, 6058 }); 6159 6260 (
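Review bot: Switching to `"token_endpoint_auth_method": "none"` makes this a public client, and nothing in the new code records that this is deliberate. The token endpoint no longer authenticates the client, so protection rests on the DPoP binding kept on the next line and on strict `redirect_uris` matching, which is defined outside this hunk. I would add a comment above the field, for example `// Public client: the browser holds no signing key, so no private_key_jwt; relies on DPoP-bound tokens and exact redirect_uris`. The hunk also drops the only visible read of `config.jwks_uri`. If nothing else uses it, the config field, the JWKS route and any ES256 private key provisioned for it should be removed as well, so unused key material is not left deployed. `client_metadata` starts and ends outside the hunk, so this should be checked against the full function and config.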