| field | value | date |
|---|---|---|
| author | mo khan <mo@mokhan.ca> | 2025-06-06 15:49:19 -0600 |
| committer | mo khan <mo@mokhan.ca> | 2025-06-06 15:49:19 -0600 |
| commit | 14c7a0e3ebf77451662bbbac1915facdec0bca3f (patch) | |
| tree | 9473c21c06d425be2395398ec2a851c695c92a79 /CLAUDE.md | |
| parent | 463c259bd41f20d5811b028e8045f3de3effe097 (diff) | |
refactor: try vibe coding with claude
Diffstat (limited to 'CLAUDE.md')
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | CLAUDE.md | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/CLAUDE.md b/CLAUDE.md new file mode 100644 index 0000000..7803849 --- /dev/null +++ b/CLAUDE.md 
@@ -0,0 +1,52 @@ +# CLAUDE.md + +This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. + +## Project Overview + +This is an RFC-compliant OAuth2 Security Token Service (STS) implementation written in Rust. The project provides a complete OAuth2 authorization server with JWT token generation, supporting the authorization code flow. + +## Common Commands + +- **Build**: `cargo build` +- **Run**: `cargo run` +- **Test**: `cargo test` +- **Check**: `cargo check` + +## Architecture + +The application implements a full OAuth2 authorization server with the following components: + +- **Main entry point** (`src/main.rs`): Reads `BIND_ADDR` environment variable (defaults to `127.0.0.1:7878`) and starts the server +- **HTTP module** (`src/lib.rs`): Contains the core server and OAuth2 implementation: + - `Server` struct that handles TCP connections and HTTP routing + - `OAuthServer` struct that implements RFC-compliant OAuth2 flows + - JWT token generation and validation using HS256 + - Authorization code storage and management + - RFC-compliant error responses + +## OAuth2 Endpoints + +- `GET /.well-known/oauth-authorization-server` → OAuth2 authorization server metadata (RFC 8414) +- `GET /authorize` → Authorization endpoint for the authorization code flow +- `POST /token` → Token endpoint to exchange authorization codes for access tokens +- `GET /jwks` → JSON Web Key Set endpoint (currently returns empty set) + +## Supported OAuth2 Features + +- **Grant Types**: Authorization Code +- **Response Types**: code +- **Token Types**: JWT Bearer tokens +- **Scopes**: openid, profile, email +- **Client Authentication**: client_secret_basic, client_secret_post + +## Configuration + +- **BIND_ADDR**: Server bind address (default: `127.0.0.1:7878`) +- **JWT Secret**: Hardcoded in development (should be configurable in production) + +## Security Notes + +- Authorization codes expire after 10 minutes +- Access tokens expire after 1 hour 
+- In production, replace hardcoded JWT secret with secure key management
\ No newline at end of file |
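Review bot: The Configuration section of the new CLAUDE.md says the JWT secret is "Hardcoded in development", and the Security Notes section repeats the same caveat; since the same file already documents `BIND_ADDR` as an environment variable, the secret should get the same treatment (state the variable it is meant to be read from once the hardcoding is removed, or mark it plainly as a TODO) instead of being described twice without a concrete follow-up. Related: the Architecture section says tokens are signed with HS256, while the endpoints list documents `GET /jwks` as "currently returns empty set"; with a symmetric HS256 key there is no public key to publish, so the doc should say the empty JWKS is expected for HS256 rather than leaving it to read as unfinished, or note the intended move to an asymmetric algorithm if that is the plan. Minor style point: the file is missing its trailing newline (`\ No newline at end of file`).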
