From 14c7a0e3ebf77451662bbbac1915facdec0bca3f Mon Sep 17 00:00:00 2001 From: mo khan Date: Fri, 6 Jun 2025 15:49:19 -0600 Subject: refactor: try vibe coding with claude --- CLAUDE.md | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 CLAUDE.md (limited to 'CLAUDE.md') diff --git a/CLAUDE.md b/CLAUDE.md new file mode 100644 index 0000000..7803849 --- /dev/null +++ b/CLAUDE.md 
@@ -0,0 +1,52 @@ +# CLAUDE.md + +This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. + +## Project Overview + +This is an RFC-compliant OAuth2 Security Token Service (STS) implementation written in Rust. The project provides a complete OAuth2 authorization server with JWT token generation, supporting the authorization code flow. + +## Common Commands + +- **Build**: `cargo build` +- **Run**: `cargo run` +- **Test**: `cargo test` +- **Check**: `cargo check` + +## Architecture + +The application implements a full OAuth2 authorization server with the following components: + +- **Main entry point** (`src/main.rs`): Reads `BIND_ADDR` environment variable (defaults to `127.0.0.1:7878`) and starts the server +- **HTTP module** (`src/lib.rs`): Contains the core server and OAuth2 implementation: + - `Server` struct that handles TCP connections and HTTP routing + - `OAuthServer` struct that implements RFC-compliant OAuth2 flows + - JWT token generation and validation using HS256 + - Authorization code storage and management + - RFC-compliant error responses + +## OAuth2 Endpoints + +- `GET /.well-known/oauth-authorization-server` → OAuth2 authorization server metadata (RFC 8414) +- `GET /authorize` → Authorization endpoint for the authorization code flow +- `POST /token` → Token endpoint to exchange authorization codes for access tokens +- `GET /jwks` → JSON Web Key Set endpoint (currently returns empty set) + +## Supported OAuth2 Features + +- **Grant Types**: Authorization Code +- **Response Types**: code +- **Token Types**: JWT Bearer tokens +- **Scopes**: openid, profile, email +- **Client Authentication**: client_secret_basic, client_secret_post + +## Configuration + +- **BIND_ADDR**: Server bind address (default: `127.0.0.1:7878`) +- **JWT Secret**: Hardcoded in development (should be configurable in production) + +## Security Notes + +- Authorization codes expire after 10 minutes +- Access tokens expire after 1 hour 
+- In production, replace hardcoded JWT secret with secure key management \ No newline at end of file -- cgit v1.2.3
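Review bot: The Configuration and Security Notes sections are inconsistent about the JWT secret and the JWKS endpoint, and the file should say which behaviour is intended. `- **JWT Secret**: Hardcoded in development (should be configurable in production)` is listed under Configuration although nothing configures it; move it to Security Notes, or name the environment variable once one exists, next to `BIND_ADDR`. Likewise `- `GET /jwks` → JSON Web Key Set endpoint (currently returns empty set)` reads as unfinished, but with `JWT token generation and validation using HS256` there is no public key to publish, so either state that resource servers must share the HS256 secret to validate tokens, or note that a move to an asymmetric algorithm (for example RS256) is what would make `/jwks` meaningful. Since Supported OAuth2 Features documents only the Authorization Code grant, add a line saying whether PKCE is supported, otherwise Claude Code has no way to know whether to preserve or add it when editing the token endpoint. Minor: the file lacks a trailing newline (`\ No newline at end of file`).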