bryan/cloverleaf-larry
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
cbe15d548f
cloverleaf-larry/lib/oauth.sh
Bryan Johnson cbe15d548f v0.5.3: send User-Agent + Accept headers in OAuth token exchange 
Confirmed against live token endpoint (HTTP/2 200, valid sk-ant-oat01- and
sk-ant-ort01- tokens returned) that the v0.5.2 0.5.2 request body and
URLs were correct — the EXCHANGE itself works fine from my Mac. Bryan's
work-box launches still get 'rate_limit_error' from the same script.

Only meaningful differences in the working curl vs the failing one:
  - Working: explicit User-Agent (claude-cli/2.1.85) + Accept: application/json
  - Failing: defaults (curl/X.Y.Z, no Accept)

Anthropic's OAuth endpoint apparently checks User-Agent (or the Accept
header) and returns the misleading rate_limit_error for unrecognized
clients. Adding both headers to match what claude-cli and droidrun
send. Patched in cmd_login AND cmd_refresh.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-27 09:41:21 -07:00

251 lines
9.3 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# oauth.sh — OAuth login flow against Claude.ai for Larry-Anywhere.
#
# Uses the same OAuth client/flow Anthropic's Claude Code CLI uses, so calls
# bill against your Claude Max / Pro subscription quota instead of pay-as-you-go
# API metering. Public client_id; PKCE; out-of-band code paste (no localhost
# server required, works behind any firewall).
#
# Subcommands:
# login start the auth flow; print URL; prompt for code
# refresh refresh the access token using the stored refresh token
# ensure print a valid access token (auto-refreshes if near-expired)
# status show current auth state + expiry
# logout delete the stored tokens
#
# Storage: $LARRY_HOME/.oauth.json (mode 0600)
#
# This is community/unofficial use of Anthropic's OAuth flow. Anthropic could
# tighten it at any time. If OAuth stops working, Larry transparently falls
# back to the API-key path stored in $LARRY_HOME/.env.
set -u
set -o pipefail
LARRY_HOME="${LARRY_HOME:-$HOME/.larry}"
OAUTH_FILE="$LARRY_HOME/.oauth.json"
# Anthropic Claude Code's publicly-visible OAuth client_id. Used by claude-code
# and several community CLI tools (droidrun/mobilerun, motiful/cc-gateway, ...).
#
# Endpoints migrated 2025: claude.ai/oauth/authorize → claude.com/cai/oauth/authorize,
# console.anthropic.com/v1/oauth/token → platform.claude.com/v1/oauth/token,
# console.anthropic.com/oauth/code/callback → platform.claude.com/oauth/code/callback.
# The OLD endpoints return a misleading "rate_limit_error" for any request.
# Scopes also expanded with user:sessions:claude_code, user:mcp_servers,
# user:file_upload — required by the new flow.
CLIENT_ID="${LARRY_OAUTH_CLIENT_ID:-9d1c250a-e61b-44d9-88ed-5944d1962f5e}"
AUTHORIZE_URL="${LARRY_OAUTH_AUTHORIZE_URL:-https://claude.com/cai/oauth/authorize}"
TOKEN_URL="${LARRY_OAUTH_TOKEN_URL:-https://platform.claude.com/v1/oauth/token}"
REDIRECT_URI="${LARRY_OAUTH_REDIRECT_URI:-https://platform.claude.com/oauth/code/callback}"
SCOPE="${LARRY_OAUTH_SCOPE:-org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload}"
die() { printf 'oauth: %s\n' "$*" >&2; exit 1; }
# Dependency check
command -v curl >/dev/null 2>&1 || die "curl required"
command -v jq >/dev/null 2>&1 || die "jq required"
command -v openssl >/dev/null 2>&1 || die "openssl required (for PKCE sha256)"
b64url() { base64 | tr '/+' '_-' | tr -d '=' | tr -d '\n'; }
urlenc() {
# Minimal RFC3986-ish URL encoder for the bits we need (spaces, /, :)
local s="$1"
s="${s// /%20}"
s="${s//:/%3A}"
s="${s//\//%2F}"
printf '%s' "$s"
}
gen_pkce() {
local verifier challenge
verifier=$(LC_ALL=C tr -dc 'a-zA-Z0-9-._~' </dev/urandom | head -c 64)
challenge=$(printf '%s' "$verifier" | openssl dgst -sha256 -binary | b64url)
printf '%s|%s' "$verifier" "$challenge"
}
cmd_login() {
mkdir -p "$LARRY_HOME"
local pkce verifier challenge state
pkce=$(gen_pkce)
verifier="${pkce%%|*}"
challenge="${pkce##*|}"
state=$(LC_ALL=C tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 32)
local url
url="${AUTHORIZE_URL}?code=true"
url="${url}&client_id=${CLIENT_ID}"
url="${url}&response_type=code"
url="${url}&redirect_uri=$(urlenc "$REDIRECT_URI")"
url="${url}&scope=$(urlenc "$SCOPE")"
url="${url}&code_challenge=${challenge}"
url="${url}&code_challenge_method=S256"
url="${url}&state=${state}"
cat <<EOF
=== Larry-Anywhere — Claude subscription login ===
This binds Larry to your Claude.ai Max/Pro subscription quota (same flow
Claude Code uses). No API key needed.
1. Open this URL in any browser on any device:
${url}
2. Sign in with your Claude account.
3. Approve the app. You'll land on a page that displays a string in the form
<CODE>#<STATE>
(Anthropic uses a URL fragment, not a query param, to deliver them.)
Copy the WHOLE string — both halves and the '#' between them.
4. Paste it here:
EOF
printf 'authorization code (CODE#STATE): '
read -r code_input
[ -z "$code_input" ] && die "no code entered"
# Split CODE#STATE. If the user pasted only the code (no '#'), keep the
# state we generated; otherwise verify the returned state matches.
local code returned_state
if [[ "$code_input" == *"#"* ]]; then
code="${code_input%%#*}"
returned_state="${code_input#*#}"
if [ -n "$returned_state" ] && [ "$returned_state" != "$state" ]; then
die "state mismatch — got '$returned_state', expected '$state' (possible CSRF or stale URL; rerun login)"
fi
else
code="$code_input"
fi
local resp
resp=$(curl -sS -X POST "$TOKEN_URL" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-H "anthropic-beta: oauth-2025-04-20" \
-H "User-Agent: claude-cli/2.1.85 (larry-anywhere)" \
-d "$(jq -n \
--arg cid "$CLIENT_ID" \
--arg code "$code" \
--arg verifier "$verifier" \
--arg redirect "$REDIRECT_URI" \
--arg state "$state" \
'{client_id:$cid, grant_type:"authorization_code", code:$code, code_verifier:$verifier, redirect_uri:$redirect, state:$state}')")
if ! printf '%s' "$resp" | jq -e '.access_token' >/dev/null 2>&1; then
printf '\nauth failed. server response:\n' >&2
printf '%s\n' "$resp" | jq . >&2 2>/dev/null || printf '%s\n' "$resp" >&2
cat >&2 <<EOF
Hints:
- The callback delivers the code as CODE#STATE (fragment, not query).
Paste the WHOLE string including '#'. Just CODE alone also works.
- The code is single-use; if you used it already (even on a failed attempt),
run 'larry-auth.sh login' again to get a fresh URL.
- 'rate_limit_error' on a fresh code is the server's misleading mask for
'malformed/used code' OR 'dead endpoint'. If you JUST upgraded and saw
that error, double-check TOKEN_URL points at platform.claude.com — old
console.anthropic.com URLs return rate_limit_error for everything.
Current (as of 2026-05): https://platform.claude.com/v1/oauth/token
- If OAuth is genuinely broken, fall back to the API key by deleting any
oauth file and creating $LARRY_HOME/.env with ANTHROPIC_API_KEY=sk-ant-...
EOF
exit 1
fi
local now; now=$(date +%s)
umask 077
printf '%s' "$resp" | jq --arg now "$now" '. + {fetched_at: ($now | tonumber)}' > "$OAUTH_FILE"
chmod 600 "$OAUTH_FILE"
printf '\n✓ logged in. Tokens saved to %s (mode 0600).\n' "$OAUTH_FILE"
cmd_status
}
cmd_refresh() {
[ -f "$OAUTH_FILE" ] || die "no oauth file at $OAUTH_FILE — run 'larry-auth.sh login' first"
local refresh_token; refresh_token=$(jq -r '.refresh_token // empty' "$OAUTH_FILE")
[ -n "$refresh_token" ] || die "no refresh_token in $OAUTH_FILE — please run login again"
local resp
resp=$(curl -sS -X POST "$TOKEN_URL" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-H "anthropic-beta: oauth-2025-04-20" \
-H "User-Agent: claude-cli/2.1.85 (larry-anywhere)" \
-d "$(jq -n --arg cid "$CLIENT_ID" --arg rt "$refresh_token" \
'{client_id:$cid, grant_type:"refresh_token", refresh_token:$rt}')")
if ! printf '%s' "$resp" | jq -e '.access_token' >/dev/null 2>&1; then
printf 'refresh failed:\n%s\n' "$resp" >&2
return 1
fi
local now; now=$(date +%s)
printf '%s' "$resp" \
| jq --arg now "$now" --slurpfile prev "$OAUTH_FILE" \
'. + {fetched_at: ($now|tonumber), refresh_token: (.refresh_token // $prev[0].refresh_token)}' \
> "$OAUTH_FILE.new"
mv "$OAUTH_FILE.new" "$OAUTH_FILE"
chmod 600 "$OAUTH_FILE"
jq -r '.access_token' "$OAUTH_FILE"
}
cmd_ensure() {
[ -f "$OAUTH_FILE" ] || return 1
local fetched_at expires_in
fetched_at=$(jq -r '.fetched_at // 0' "$OAUTH_FILE")
expires_in=$(jq -r '.expires_in // 3600' "$OAUTH_FILE")
local now; now=$(date +%s)
local expires_at=$((fetched_at + expires_in))
if [ "$now" -ge $((expires_at - 300)) ]; then
cmd_refresh >/dev/null 2>&1 || return 1
jq -r '.access_token' "$OAUTH_FILE"
else
jq -r '.access_token' "$OAUTH_FILE"
fi
}
cmd_status() {
if [ ! -f "$OAUTH_FILE" ]; then
echo "OAuth: not authenticated (no $OAUTH_FILE)"
return 1
fi
local fetched_at expires_in scope
fetched_at=$(jq -r '.fetched_at // 0' "$OAUTH_FILE")
expires_in=$(jq -r '.expires_in // 3600' "$OAUTH_FILE")
scope=$(jq -r '.scope // "(unknown)"' "$OAUTH_FILE")
local now; now=$(date +%s)
local expires_at=$((fetched_at + expires_in))
local left=$((expires_at - now))
printf 'OAuth status:\n'
printf ' file: %s\n' "$OAUTH_FILE"
printf ' scope: %s\n' "$scope"
printf ' fetched_at: %s\n' "$(date -r "$fetched_at" 2>/dev/null || date -d "@$fetched_at" 2>/dev/null)"
printf ' expires_in: %d s\n' "$expires_in"
if [ "$left" -le 0 ]; then
printf ' state: EXPIRED (%ds ago) — will auto-refresh on next call\n' "$((-left))"
else
printf ' state: valid for %d more seconds (~%d min)\n' "$left" "$((left/60))"
fi
}
cmd_logout() {
if [ -f "$OAUTH_FILE" ]; then
rm -f "$OAUTH_FILE"
echo "logged out (removed $OAUTH_FILE)"
else
echo "no token file to remove"
fi
}
case "${1:-status}" in
login) cmd_login ;;
refresh) cmd_refresh ;;
ensure) cmd_ensure ;;
status) cmd_status ;;
logout) cmd_logout ;;
-h|--help|help) sed -n '2,25p' "$0" ;;
*) die "unknown subcommand: ${1:-} (try 'login|refresh|ensure|status|logout')" ;;
esac
Reference in New Issue View Git Blame Copy Permalink