RubyGems - atproto_auth - Versions diffs - 0.0.1 - Mend

atproto_auth 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (67) hide show

checksums.yaml +7 -0
data/.rubocop.yml +16 -0
data/CHANGELOG.md +5 -0
data/LICENSE.txt +21 -0
data/README.md +179 -0
data/Rakefile +16 -0
data/examples/confidential_client/Gemfile +12 -0
data/examples/confidential_client/Gemfile.lock +84 -0
data/examples/confidential_client/README.md +110 -0
data/examples/confidential_client/app.rb +136 -0
data/examples/confidential_client/config/client-metadata.json +25 -0
data/examples/confidential_client/config.ru +4 -0
data/examples/confidential_client/public/client-metadata.json +24 -0
data/examples/confidential_client/public/styles.css +70 -0
data/examples/confidential_client/scripts/generate_keys.rb +15 -0
data/examples/confidential_client/views/authorized.erb +29 -0
data/examples/confidential_client/views/index.erb +44 -0
data/examples/confidential_client/views/layout.erb +11 -0
data/lib/atproto_auth/client.rb +410 -0
data/lib/atproto_auth/client_metadata.rb +264 -0
data/lib/atproto_auth/configuration.rb +17 -0
data/lib/atproto_auth/dpop/client.rb +122 -0
data/lib/atproto_auth/dpop/key_manager.rb +235 -0
data/lib/atproto_auth/dpop/nonce_manager.rb +138 -0
data/lib/atproto_auth/dpop/proof_generator.rb +112 -0
data/lib/atproto_auth/errors.rb +47 -0
data/lib/atproto_auth/http_client.rb +227 -0
data/lib/atproto_auth/identity/document.rb +104 -0
data/lib/atproto_auth/identity/resolver.rb +221 -0
data/lib/atproto_auth/identity.rb +24 -0
data/lib/atproto_auth/par/client.rb +203 -0
data/lib/atproto_auth/par/client_assertion.rb +50 -0
data/lib/atproto_auth/par/request.rb +140 -0
data/lib/atproto_auth/par/response.rb +23 -0
data/lib/atproto_auth/par.rb +40 -0
data/lib/atproto_auth/pkce.rb +105 -0
data/lib/atproto_auth/server_metadata/authorization_server.rb +175 -0
data/lib/atproto_auth/server_metadata/origin_url.rb +51 -0
data/lib/atproto_auth/server_metadata/resource_server.rb +71 -0
data/lib/atproto_auth/server_metadata.rb +24 -0
data/lib/atproto_auth/state/session.rb +117 -0
data/lib/atproto_auth/state/session_manager.rb +75 -0
data/lib/atproto_auth/state/token_set.rb +68 -0
data/lib/atproto_auth/state.rb +54 -0
data/lib/atproto_auth/version.rb +5 -0
data/lib/atproto_auth.rb +56 -0
data/sig/atproto_auth/client_metadata.rbs +95 -0
data/sig/atproto_auth/dpop/client.rbs +38 -0
data/sig/atproto_auth/dpop/key_manager.rbs +33 -0
data/sig/atproto_auth/dpop/nonce_manager.rbs +48 -0
data/sig/atproto_auth/dpop/proof_generator.rbs +42 -0
data/sig/atproto_auth/http_client.rbs +58 -0
data/sig/atproto_auth/identity/document.rbs +31 -0
data/sig/atproto_auth/identity/resolver.rbs +41 -0
data/sig/atproto_auth/par/client.rbs +31 -0
data/sig/atproto_auth/par/request.rbs +73 -0
data/sig/atproto_auth/par/response.rbs +17 -0
data/sig/atproto_auth/pkce.rbs +24 -0
data/sig/atproto_auth/server_metadata/authorization_server.rbs +69 -0
data/sig/atproto_auth/server_metadata/origin_url.rbs +21 -0
data/sig/atproto_auth/server_metadata/resource_server.rbs +27 -0
data/sig/atproto_auth/state/session.rbs +50 -0
data/sig/atproto_auth/state/session_manager.rbs +26 -0
data/sig/atproto_auth/state/token_set.rbs +40 -0
data/sig/atproto_auth/version.rbs +3 -0
data/sig/atproto_auth.rbs +39 -0
metadata +142 -0

data/examples/confidential_client/public/styles.css ADDED Viewed

@@ -0,0 +1,70 @@
+.container {
+    max-width: 800px;
+    margin: 0 auto;
+    padding: 20px;
+}
+.header {
+    max-width: 400px;
+    margin: 0 auto;
+}
+.error {
+    background-color: #ffebee;
+    color: #c62828;
+    padding: 10px;
+    margin-bottom: 20px;
+    border-radius: 4px;
+}
+.auth-form {
+    max-width: 400px;
+    margin: 40px auto;
+}
+.form-group {
+    margin-bottom: 15px;
+}
+.form-group label {
+    display: block;
+    margin-bottom: 5px;
+}
+.form-group input {
+    width: 100%;
+    padding: 8px;
+    border: 1px solid #ddd;
+    border-radius: 4px;
+}
+button {
+    background: #2196f3;
+    color: white;
+    padding: 10px 20px;
+    border: none;
+    border-radius: 4px;
+    cursor: pointer;
+}
+button:hover {
+    background: #1976d2;
+}
+.token-info,
+.api-test {
+    margin-top: 20px;
+    padding: 15px;
+    background: #f5f5f5;
+    border-radius: 4px;
+}
+pre {
+    overflow-x: auto;
+    white-space: pre-wrap;
+    word-wrap: break-word;
+}
+code {
+    font-size: 14px;
+}

data/examples/confidential_client/scripts/generate_keys.rb ADDED Viewed

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+require "jose"
+# Generate a new EC key using P-256 curve
+keypair = JOSE::JWK.generate_key([:ec, "P-256"])
+# Get the key as a hash (need to convert from JOSE::Map)
+jwk = keypair.to_map.to_h
+# Pretty print the JWK to stdout
+require "json"
+puts JSON.pretty_generate({
+                            keys: [jwk]
+                          })

data/examples/confidential_client/views/authorized.erb ADDED Viewed

@@ -0,0 +1,29 @@
+<div class="flex flex-col items-center md:flex md:flex-row md:justify-stretch md:items-center min-h-screen min-w-screen bg-white text-gray-900 dark:bg-gray-900 dark:text-gray-100">
+  <div class="px-6 pt-4 md:max-w-lg md:grid md:content-center md:justify-items-end md:self-stretch md:w-1/2 md:max-w-fix md:p-4 md:text-right md:dark:border-r md:dark:border-gray-700 md:bg-gray-100 md:dark:bg-gray-800">
+    <h1 class="text-xl md:text-2xl lg:text-5xl md:mt-4 mb-4 font-semibold text-brand">Successfully Authenticated!</h1>
+  </div>
+  <div class="w-full px-6 md:max-w-3xl md:px-12">
+    <div class="space-y-8">
+      <% if session[:error] %>
+        <div class="mb-8 bg-red-50 border-red-700 text-red-700 p-4 rounded-md">
+          <%= session[:error] %>
+          <% session[:error] = nil %>
+        </div>
+      <% end %>
+      <div class="token-info">
+        <p class="mb-1 text-gray-600 dark:text-gray-400 text-sm font-medium">Token Information</p>
+        <pre class="rounded-lg text-gray-700 dark:text-gray-100 bg-gray-100 dark:bg-slate-800 border border-gray-400 p-2 overflow-auto"><code><%= JSON.pretty_generate(session[:tokens]) %></code></pre>
+      </div>
+      <div class="api-test">
+        <p class="mb-1 text-gray-600 dark:text-gray-400 text-sm font-medium">Test API Call Result</p>
+        <pre class="rounded-lg text-gray-700 dark:text-gray-100 bg-gray-100 dark:bg-slate-800 border border-gray-400 p-2 overflow-auto"><code><%= JSON.pretty_generate(@api_result) %></code></pre>
+      </div>
+      <div class="flex">
+        <a href="/signout" aria-label="Signout" class="py-2 px-6 rounded-lg truncate cursor-pointer touch-manipulation tracking-wide overflow-hidden bg-blue-400 text-white">Sign out</a>
+      </div>
+    </div>
+  </div>
+</div>

data/examples/confidential_client/views/index.erb ADDED Viewed

@@ -0,0 +1,44 @@
+<div class="flex flex-col items-center md:flex md:flex-row md:justify-stretch md:items-center min-h-screen min-w-screen bg-white text-gray-900 dark:bg-gray-900 dark:text-gray-100">
+  <div class="px-6 pt-4 md:max-w-lg md:grid md:content-center md:justify-items-end md:self-stretch md:w-1/2 md:max-w-fix md:p-4 md:text-right md:dark:border-r md:dark:border-gray-700 md:bg-gray-100 md:dark:bg-gray-800">
+    <h1 class="text-xl md:text-2xl lg:text-5xl md:mt-4 mb-4 font-semibold text-brand">Sign in</h1>
+    <p class="hidden md:block max-w-xs text-gray-500 dark:text-gray-500">Enter your AT Protocol handle</p>
+  </div>
+  <div class="w-full px-6 md:max-w-3xl md:px-12">
+    <form method="post" action="/auth" class="flex flex-col py-4 space-y-4">
+      <div class="space-y-4">
+        <% if session[:error] %>
+          <div class="mb-8 bg-red-50 border-red-700 text-red-700 p-4 rounded-md">
+            <%= session[:error] %>
+            <% session[:error] = nil %>
+          </div>
+        <% end %>
+        <% if session[:notice] %>
+          <div class="mb-8 bg-yellow-50 border-yellow-700 text-yellow-700 p-4 rounded-md">
+            <%= session[:notice] %>
+            <% session[:notice] = nil %>
+          </div>
+        <% end %>
+        <fieldset>
+          <p class="mb-1 text-gray-600 dark:text-gray-400 text-sm font-medium">Handle</p>
+          <div class="flex flex-col space-y-4">
+            <div class="pl-1 pr-2 min-h-12 flex items-center justify-stretch rounded-lg text-gray-700 dark:text-gray-100 bg-gray-100 has-[:focus]:bg-gray-200 dark:bg-gray-800 dark:has-[:focus]:bg-gray-700 outline-none border-solid border-2 border-transparent hover:border-gray-400 has-[:focus]:border-brand hover:has-[:focus]:border-brand dark:hover:border-gray-500">
+              <div class="self-start shrink-0 grow-0 w-8 h-12 flex items-center justify-center text-gray-500">
+                <div>
+                  <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" class="w-5">
+                    <path fill="currentColor" fill-rule="evenodd" clip-rule="evenodd" d="M12 4a8 8 0 1 0 4.21 14.804 1 1 0 0 1 1.054 1.7A9.958 9.958 0 0 1 12 22C6.477 22 2 17.523 2 12S6.477 2 12 2s10 4.477 10 10c0 1.104-.27 2.31-.949 3.243-.716.984-1.849 1.6-3.331 1.465a4.207 4.207 0 0 1-2.93-1.585c-.94 1.21-2.388 1.94-3.985 1.715-2.53-.356-4.04-2.91-3.682-5.458.358-2.547 2.514-4.586 5.044-4.23.905.127 1.68.536 2.286 1.126a1 1 0 0 1 1.964.368l-.515 3.545v.002a2.222 2.222 0 0 0 1.999 2.526c.75.068 1.212-.21 1.533-.65.358-.493.566-1.245.566-2.067a8 8 0 0 0-8-8Zm-.112 5.13c-1.195-.168-2.544.819-2.784 2.529-.24 1.71.784 3.03 1.98 3.198 1.195.168 2.543-.819 2.784-2.529.24-1.71-.784-3.03-1.98-3.198Z"></path>
+                  </svg>
+                </div>
+              </div>
+              <div class="relative">
+                <input class="w-full bg-transparent bg-clip-padding text-base text-inherit outline-none dark:placeholder-gray-500" name="handle" type="text" placeholder="handle.bsky.social" aria-label="Handle" autocapitalize="none" autocorrect="off" autocomplete="username" spellcheck="false" dir="auto" enterkeyhint="next" required title="valid handle">
+              </div>
+            </div>
+          </div>
+        </fieldset>
+      </div>
+      <div class="pt-4">
+        <button role="Button" type="submit" aria-label="Next" class="py-2 px-6 rounded-lg truncate cursor-pointer touch-manipulation tracking-wide overflow-hidden bg-blue-400 text-white">Next</button>
+      </div>
+    </form>
+  </div>
+</div>

data/examples/confidential_client/views/layout.erb ADDED Viewed

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>AT Protocol OAuth Example</title>
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <script src="https://cdn.tailwindcss.com"></script>
+</head>
+<body>
+<%= yield %>
+</body>
+</html>

data/lib/atproto_auth/client.rb ADDED Viewed

@@ -0,0 +1,410 @@
+# frozen_string_literal: true
+# rubocop:disable Metrics/PerceivedComplexity, Metrics/AbcSize, Metrics/CyclomaticComplexity
+module AtprotoAuth
+  # Main client class for AT Protocol OAuth implementation. Handles the complete
+  # OAuth flow including authorization, token management, and identity verification.
+  class Client
+    # Error raised when authorization callback fails
+    class CallbackError < Error; end
+    # Error raised when token operations fail
+    class TokenError < Error; end
+    # @return [String] OAuth client ID
+    attr_reader :client_id
+    # @return [String] OAuth redirect URI
+    attr_reader :redirect_uri
+    # @return [ClientMetadata] Validated client metadata
+    attr_reader :client_metadata
+    # @return [SessionManager] Session state manager
+    attr_reader :session_manager
+    # @return [Identity::Resolver] Identity resolver
+    attr_reader :identity_resolver
+    # @return [DPoP::Client] DPoP client
+    attr_reader :dpop_client
+    # Creates a new AT Protocol OAuth client
+    # @param client_id [String] OAuth client ID URL
+    # @param redirect_uri [String] OAuth redirect URI
+    # @param metadata [Hash, nil] Optional pre-loaded client metadata
+    # @param dpop_key [Hash, nil] Optional existing DPoP key in JWK format
+    # @raise [Error] if configuration is invalid
+    def initialize(client_id:, redirect_uri:, metadata: nil, dpop_key: nil)
+      @client_id = client_id
+      @redirect_uri = redirect_uri
+      # Initialize core dependencies
+      @client_metadata = load_client_metadata(metadata)
+      validate_redirect_uri!
+      @session_manager = State::SessionManager.new
+      @identity_resolver = Identity::Resolver.new
+      @dpop_client = initialize_dpop(dpop_key)
+    end
+    # Begins an authorization flow and generates authorization URL
+    # @param handle [String, nil] Optional user handle
+    # @param pds_url [String, nil] Optional PDS URL
+    # @param scope [String] OAuth scope (must include "atproto")
+    # @return [Hash] Authorization details including :url and :session_id
+    # @raise [Error] if parameters are invalid or resolution fails
+    def authorize(handle: nil, pds_url: nil, scope: "atproto")
+      validate_auth_params!(handle, pds_url, scope)
+      # Create new session
+      session = session_manager.create_session(
+        client_id: client_id,
+        scope: scope
+      )
+      # Resolve identity and authorization server if handle provided
+      if handle
+        auth_info = resolve_from_handle(handle, session)
+      elsif pds_url
+        auth_info = resolve_from_pds(pds_url, session)
+      else
+        raise Error, "Either handle or pds_url must be provided"
+      end
+      # Generate authorization URL
+      auth_url = generate_authorization_url(
+        auth_info[:server],
+        session,
+        login_hint: handle
+      )
+      {
+        url: auth_url,
+        session_id: session.session_id
+      }
+    end
+    # Handles the authorization callback and completes token exchange
+    # @param code [String] Authorization code from callback
+    # @param state [String] State parameter from callback
+    # @param iss [String] Issuer from callback (required by AT Protocol OAuth)
+    # @return [Hash] Token response including :access_token and :session_id
+    # @raise [CallbackError] if callback validation fails
+    # @raise [TokenError] if token exchange fails
+    def handle_callback(code:, state:, iss:)
+      # Find and validate session
+      session = session_manager.get_session_by_state(state)
+      raise CallbackError, "Invalid state parameter" unless session
+      # Verify issuer matches session
+      raise CallbackError, "Issuer mismatch" unless session.auth_server && session.auth_server.issuer == iss
+      # Exchange code for tokens
+      token_response = exchange_code(
+        code: code,
+        session: session
+      )
+      # Validate token response
+      validate_token_response!(token_response, session)
+      # Create token set and store in session
+      token_set = State::TokenSet.new(
+        access_token: token_response["access_token"],
+        token_type: token_response["token_type"],
+        expires_in: token_response["expires_in"],
+        refresh_token: token_response["refresh_token"],
+        scope: token_response["scope"],
+        sub: token_response["sub"]
+      )
+      session.tokens = token_set
+      {
+        access_token: token_set.access_token,
+        token_type: token_set.token_type,
+        expires_in: (token_set.expires_at - Time.now).to_i,
+        refresh_token: token_set.refresh_token,
+        scope: token_set.scope,
+        session_id: session.session_id
+      }
+    end
+    # Gets active tokens for a session
+    # @param session_id [String] ID of session to get tokens for
+    # @return [Hash, nil] Current token information if session exists and is authorized
+    def get_tokens(session_id)
+      session = session_manager.get_session(session_id)
+      return nil unless session&.authorized?
+      {
+        access_token: session.tokens.access_token,
+        token_type: session.tokens.token_type,
+        expires_in: (session.tokens.expires_at - Time.now).to_i,
+        refresh_token: session.tokens.refresh_token,
+        scope: session.tokens.scope
+      }
+    end
+    # Checks if a session has valid tokens
+    # @param session_id [String] ID of session to check
+    # @return [Boolean] true if session exists and has valid tokens
+    def authorized?(session_id)
+      session = session_manager.get_session(session_id)
+      session&.authorized? || false
+    end
+    # Generates headers for an authenticated request
+    # @param session_id [String] ID of session to use
+    # @param method [String] HTTP method for the request
+    # @param url [String] Full URL for the request
+    # @return [Hash] Headers to add to request
+    # @raise [TokenError] if session is invalid or unauthorized
+    def auth_headers(session_id:, method:, url:)
+      session = session_manager.get_session(session_id)
+      raise TokenError, "Invalid session" unless session
+      raise TokenError, "Session not authorized" unless session.authorized?
+      # Generate DPoP proof
+      proof = dpop_client.generate_proof(
+        http_method: method,
+        http_uri: url,
+        access_token: session.tokens.access_token
+      )
+      {
+        "Authorization" => "DPoP #{session.tokens.access_token}",
+        "DPoP" => proof
+      }
+    end
+    private
+    def load_client_metadata(metadata)
+      if metadata
+        ClientMetadata.new(metadata)
+      else
+        ClientMetadata.from_url(@client_id)
+      end
+    end
+    def validate_redirect_uri!
+      valid = @client_metadata.redirect_uris.include?(@redirect_uri)
+      raise Error, "redirect_uri not found in client metadata" unless valid
+    end
+    def initialize_dpop(key)
+      key_manager = if key
+                      DPoP::KeyManager.from_jwk(key)
+                    else
+                      DPoP::KeyManager.new
+                    end
+      DPoP::Client.new(key_manager: key_manager)
+    end
+    def validate_auth_params!(handle, pds_url, scope)
+      raise Error, "scope must include 'atproto'" unless scope.split.include?("atproto")
+      raise Error, "handle or pds_url must be provided" if handle.nil? && pds_url.nil?
+      raise Error, "cannot provide both handle and pds_url" if handle && pds_url
+    end
+    def resolve_from_handle(handle, session)
+      # Resolve handle to DID document
+      resolution = @identity_resolver.resolve_handle(handle)
+      session.did = resolution[:did]
+      # Get authorization server from PDS
+      server = resolve_auth_server(resolution[:pds])
+      session.authorization_server = server
+      { server: server, pds: resolution[:pds] }
+    end
+    def resolve_from_pds(pds_url, session)
+      # Get authorization server from PDS
+      server = resolve_auth_server(pds_url)
+      session.authorization_server = server
+      { server: server, pds: pds_url }
+    end
+    def resolve_auth_server(pds_url)
+      # Get resource server metadata
+      resource_server = ServerMetadata::ResourceServer.from_url(pds_url)
+      auth_server_url = resource_server.authorization_servers.first
+      # Get and validate authorization server metadata
+      ServerMetadata::AuthorizationServer.from_issuer(auth_server_url)
+    end
+    def generate_authorization_url(auth_server, session, login_hint: nil)
+      # Create PAR client
+      par_client = PAR::Client.new(
+        endpoint: auth_server.pushed_authorization_request_endpoint,
+        dpop_client: @dpop_client
+      )
+      signing_key = if client_metadata.jwks && !client_metadata.jwks["keys"].empty?
+                      key_data = client_metadata.jwks["keys"].first
+                      JOSE::JWK.from_map(key_data)
+                    else
+                      JOSE::JWK.generate_key([:ec, "P-256"])
+                    end
+      client_assertion = PAR::ClientAssertion.new(
+        client_id: client_id,
+        signing_key: signing_key
+      )
+      # Build PAR request
+      par_request = PAR::Request.build do |config|
+        config.client_id = client_id
+        config.redirect_uri = redirect_uri
+        config.state = session.state_token
+        config.scope = session.scope
+        config.login_hint = login_hint if login_hint
+        # Add PKCE parameters
+        config.code_challenge = session.pkce_challenge
+        config.code_challenge_method = "S256"
+        # Add client assertion
+        config.client_assertion = client_assertion.generate_jwt(
+          audience: auth_server.issuer
+        )
+        config.client_assertion_type = PAR::CLIENT_ASSERTION_TYPE
+        # Add DPoP proof
+        proof = @dpop_client.generate_proof(
+          http_method: "POST",
+          http_uri: auth_server.pushed_authorization_request_endpoint
+        )
+        config.dpop_proof = proof
+      end
+      # Submit PAR request
+      response = par_client.submit(par_request)
+      # Build final authorization URL
+      par_client.authorization_url(
+        authorize_endpoint: auth_server.authorization_endpoint,
+        request_uri: response.request_uri,
+        client_id: client_id
+      )
+    end
+    def exchange_code(code:, session:)
+      # Initial token request without nonce
+      response = make_token_request(code, session)
+      # Handle DPoP nonce requirement
+      if requires_dpop_nonce?(response)
+        puts "*" * 88
+        puts "requires_dpop_nonce"
+        # Extract and store nonce from error response
+        extract_dpop_nonce(response)
+        dpop_client.process_response(response[:headers], session.auth_server.issuer)
+        # Retry request with nonce
+        response = make_token_request(code, session)
+      end
+      raise TokenError, "Token request failed: #{response[:status]}" unless response[:status] == 200
+      begin
+        JSON.parse(response[:body])
+      rescue JSON::ParserError => e
+        raise TokenError, "Invalid token response: #{e.message}"
+      end
+    end
+    def make_token_request(code, session)
+      # Generate proof
+      proof = dpop_client.generate_proof(
+        http_method: "POST",
+        http_uri: session.auth_server.token_endpoint
+      )
+      # Log the DPoP proof details
+      AtprotoAuth.configuration.logger.debug "Token Request DPoP Proof:"
+      AtprotoAuth.configuration.logger.debug "- Key: #{dpop_client.public_key}"
+      AtprotoAuth.configuration.logger.debug "- Proof: #{proof}"
+      body = {
+        grant_type: "authorization_code",
+        code: code,
+        redirect_uri: redirect_uri,
+        client_id: client_id,
+        code_verifier: session.pkce_verifier
+      }
+      # Add client authentication
+      if client_metadata.confidential?
+        signing_key = JOSE::JWK.from_map(client_metadata.jwks["keys"].first)
+        client_assertion = PAR::ClientAssertion.new(
+          client_id: client_id,
+          signing_key: signing_key
+        )
+        body.merge!(
+          client_assertion_type: PAR::CLIENT_ASSERTION_TYPE,
+          client_assertion: client_assertion.generate_jwt(
+            audience: session.auth_server.issuer
+          )
+        )
+      end
+      AtprotoAuth.configuration.http_client.post(
+        session.auth_server.token_endpoint,
+        body: body,
+        headers: {
+          "Content-Type" => "application/x-www-form-urlencoded",
+          "DPoP" => proof
+        }
+      )
+    end
+    def requires_dpop_nonce?(response)
+      return false unless response[:status] == 400
+      error_data = JSON.parse(response[:body])
+      error_data["error"] == "use_dpop_nonce"
+    rescue JSON::ParserError
+      false
+    end
+    def extract_dpop_nonce(response)
+      headers = response[:headers]
+      nonce = headers["DPoP-Nonce"] ||
+              headers["dpop-nonce"] ||
+              headers["Dpop-Nonce"]
+      raise TokenError, "No DPoP nonce provided in error response" unless nonce
+      nonce
+    end
+    def validate_token_response!(response, session)
+      # Required fields
+      %w[access_token token_type expires_in scope sub].each do |field|
+        raise TokenError, "Missing #{field} in token response" unless response[field]
+      end
+      # Token type must be DPoP
+      raise TokenError, "Invalid token_type: #{response["token_type"]}" unless response["token_type"] == "DPoP"
+      # Scope must include atproto
+      raise TokenError, "Missing atproto scope in token response" unless response["scope"].split.include?("atproto")
+      # If we have a pre-resolved DID, verify it matches
+      raise TokenError, "Subject mismatch in token response" if session.did && session.did != response["sub"]
+      # Process DPoP-Nonce from response headers if present
+      return unless response[:headers] && response[:headers]["DPoP-Nonce"]
+      dpop_client.process_response(
+        response[:headers],
+        session.auth_server.issuer
+      )
+    end
+  end
+end
+# rubocop:enable Metrics/PerceivedComplexity, Metrics/AbcSize, Metrics/CyclomaticComplexity