# CLAUDE.md

This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.

## Project Overview

This is an RFC-compliant OAuth2 Security Token Service (STS) implementation written in Rust. The project provides a complete OAuth2 authorization server with JWT token generation, supporting the authorization code flow.

## Common Commands

- **Build**: `cargo build`
- **Run**: `cargo run`
- **Test**: `cargo test`
- **Check**: `cargo check`

## Architecture

The application implements a full OAuth2 authorization server with the following components:

- **Main entry point** (`src/main.rs`): Reads the `BIND_ADDR` environment variable (defaults to `127.0.0.1:7878`) and starts the server
- **HTTP module** (`src/lib.rs`): Contains the core server and OAuth2 implementation:
  - `Server` struct that handles TCP connections and HTTP routing
  - `OAuthServer` struct that implements RFC-compliant OAuth2 flows
  - JWT token generation and validation using HS256
  - Authorization code storage and management
  - RFC-compliant error responses

## OAuth2 Endpoints

- `GET /.well-known/oauth-authorization-server` → OAuth2 authorization server metadata (RFC 8414)
- `GET /authorize` → Authorization endpoint for the authorization code flow
- `POST /token` → Token endpoint to exchange authorization codes for access tokens
- `GET /jwks` → JSON Web Key Set endpoint (currently returns an empty set)

## Supported OAuth2 Features

- **Grant Types**: Authorization Code
- **Response Types**: code
- **Token Types**: JWT Bearer tokens
- **Scopes**: openid, profile, email
- **Client Authentication**: client_secret_basic, client_secret_post

## Configuration

- **BIND_ADDR**: Server bind address (default: `127.0.0.1:7878`)
- **JWT Secret**: Hardcoded in development (should be configurable in production)

## Security Notes

- Authorization codes expire after 10 minutes
- Access tokens expire after 1 hour
- In production, replace the hardcoded JWT secret with secure key management
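The Architecture section names HS256 JWT generation and authorization-code management, and the Security Notes fix the two lifetimes (codes: 10 minutes, access tokens: 1 hour). The following is an added illustrative example, written here in Python with only the standard library; it is not this repository's Rust code (the `OAuthServer` internals are not shown on this page). It shows how those pieces fit together behind `POST /token`: single-use codes bound to the requesting client and redirect URI, an HS256 token minted with `exp` one hour out, and a verifier that pins the algorithm to HS256, compares the MAC in constant time and rejects expired tokens. The issuer URL, subject, client id, redirect URI and secret are constructed values.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Lifetimes as stated in the Security Notes above.
AUTH_CODE_TTL_SECONDS = 10 * 60
ACCESS_TOKEN_TTL_SECONDS = 60 * 60
ISSUER = "https://sts.example"  # constructed placeholder, not from the project


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Serialise header and claims as compact JWS and sign with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256_jwt(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is well-formed, HS256-signed by `secret`
    and not yet expired; otherwise None. The `alg` header is checked against a
    fixed expectation rather than used to select a verifier."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        presented_sig = _b64url_decode(s_b64)
    except ValueError:
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented_sig):
        return None
    try:
        claims = json.loads(_b64url_decode(p_b64))
    except ValueError:
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:
        return None
    return claims


class AuthorizationCodeStore:
    """In-memory store of single-use authorization codes, each bound to the
    client_id and redirect_uri it was issued for and expiring after 10 minutes."""

    def __init__(self) -> None:
        self._codes: dict = {}

    def issue(self, subject: str, client_id: str, redirect_uri: str, scope: str, now: int) -> str:
        code = secrets.token_urlsafe(32)  # high-entropy, unguessable identifier
        self._codes[code] = {
            "subject": subject, "client_id": client_id, "redirect_uri": redirect_uri,
            "scope": scope, "expires_at": now + AUTH_CODE_TTL_SECONDS,
        }
        return code

    def redeem(self, code: str, client_id: str, redirect_uri: str, now: int) -> Optional[dict]:
        entry = self._codes.pop(code, None)  # pop: a code is consumed on first use, valid or not
        if entry is None or entry["expires_at"] <= now:
            return None
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            return None
        return entry


def exchange_code_for_token(store: AuthorizationCodeStore, code: str, client_id: str,
                            redirect_uri: str, secret: bytes, now: int) -> dict:
    """Token-endpoint logic for grant_type=authorization_code. Any failure
    collapses to RFC 6749's `invalid_grant` so callers learn nothing about why."""
    entry = store.redeem(code, client_id, redirect_uri, now)
    if entry is None:
        return {"error": "invalid_grant"}
    claims = {
        "iss": ISSUER, "sub": entry["subject"], "aud": client_id,
        "scope": entry["scope"], "iat": now, "exp": now + ACCESS_TOKEN_TTL_SECONDS,
    }
    return {
        "access_token": mint_hs256_jwt(claims, secret),
        "token_type": "Bearer",
        "expires_in": ACCESS_TOKEN_TTL_SECONDS,
        "scope": entry["scope"],
    }
```

Because HS256 is a symmetric scheme, the JWKS endpoint cannot publish a verification key without also publishing the signing secret, which is consistent with `/jwks` returning an empty set; any resource server that validates these tokens must obtain the secret out of band, which is one more reason the hardcoded development secret needs to move to real key management before production.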