Minor Changes
- Added `createAtmosphereAuthProvider(options)` to support atproto OAuth flows against Atmosphere-compatible authorization servers.

  The new provider resolves handles and DIDs with `provider.prepare(handleOrDid)` before redirecting, performs required pushed authorization requests with DPoP, supports both public web clients and localhost loopback development clients, and seals per-session DPoP state into the in-flight OAuth transaction using the required `sessionSecret` option instead of a separate persistent store.

  Create the Atmosphere provider once with shared options, call `provider.prepare(handleOrDid)` only before `startExternalAuth()`, and pass the module-scope provider directly to `finishExternalAuth()` and `refreshExternalAuth()`. Atmosphere callback results preserve the DPoP binding state and authorization server refresh details alongside the returned `accessToken` and `refreshToken`, so callers can reuse the completed token bundle directly for refresh-token exchange and follow-up DPoP-signed requests.

- Added `refreshExternalAuth()` to `@remix-run/auth` so apps can exchange stored refresh tokens for fresh OAuth and OIDC token bundles.

  The built-in OIDC providers, X, and Atmosphere now implement refresh-token exchange. Refreshed token bundles preserve the existing refresh token when the provider omits a rotated value.
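The first entry says per-session DPoP state is sealed into the in-flight OAuth transaction with `sessionSecret` rather than kept in a persistent store. The sketch below is an added example of that pattern, not code from `@remix-run/auth`. The HKDF plus AES-256-GCM construction, the `iv.tag.ciphertext` layout, and the names `deriveKey`, `sealTransaction`, `unsealTransaction` and `newTransaction` are all assumptions made for illustration.

```javascript
// Added illustration: NOT the @remix-run/auth implementation.
const { createCipheriv, createDecipheriv, generateKeyPairSync, hkdfSync, randomBytes } =
  require("node:crypto");

// Derive a 256-bit AES key from the app secret. The info label is an assumption.
function deriveKey(sessionSecret) {
  return Buffer.from(hkdfSync("sha256", sessionSecret, Buffer.alloc(0), "dpop-transaction-seal", 32));
}

// Encrypt and authenticate the transaction state so it can travel in a cookie.
// Output layout (assumed): base64url(iv).base64url(tag).base64url(ciphertext)
function sealTransaction(state, sessionSecret) {
  const iv = randomBytes(12); // fresh nonce for every seal; never reuse with one key
  const cipher = createCipheriv("aes-256-gcm", deriveKey(sessionSecret), iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(state), "utf8"), cipher.final()]);
  return [iv, cipher.getAuthTag(), body].map((b) => b.toString("base64url")).join(".");
}

// Returns the state, or null if the blob was modified or sealed under another secret.
function unsealTransaction(sealed, sessionSecret) {
  const parts = String(sealed).split(".");
  if (parts.length !== 3) return null;
  const [iv, tag, body] = parts.map((p) => Buffer.from(p, "base64url"));
  if (iv.length !== 12 || tag.length !== 16) return null; // reject truncated tags
  try {
    const decipher = createDecipheriv("aes-256-gcm", deriveKey(sessionSecret), iv, {
      authTagLength: 16,
    });
    decipher.setAuthTag(tag);
    const plain = Buffer.concat([decipher.update(body), decipher.final()]);
    return JSON.parse(plain.toString("utf8"));
  } catch {
    return null; // authentication failure: treat the OAuth transaction as invalid
  }
}

// Constructed sample: a per-session ES256 DPoP key plus an OAuth state value.
function newTransaction() {
  const { privateKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { state: randomBytes(16).toString("hex"), dpopJwk: privateKey.export({ format: "jwk" }) };
}
```

Because the sealed blob carries the DPoP private key, encryption alone is not enough: the GCM tag check is what stops a client from swapping in state it built itself, and rotating `sessionSecret` invalidates every transaction still in flight.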