# ash_authentication_oauth2_server v0.1.1 - Table of Contents

> An OAuth 2.1 authorization server for Ash Framework apps — RFC 7591 dynamic
client registration, PKCE, audience-bound JWTs, refresh-token rotation, and
a built-in consent flow on top of ash_authentication + Phoenix.

## GUIDES

- [Home](readme.md)

- Topics
  - [Reading scopes from an access token](scopes.md)

## Modules

- [AshAuthentication.Oauth2Server](AshAuthentication.Oauth2Server.md): An OAuth 2.1 authorization server, configured per app via a single module.
- [AshAuthentication.Oauth2Server.Authorize](AshAuthentication.Oauth2Server.Authorize.md): Protocol-pure logic for the `/oauth/authorize` endpoint.
- [AshAuthentication.Oauth2Server.Changes.RotateRefreshToken](AshAuthentication.Oauth2Server.Changes.RotateRefreshToken.md): Change that rotates a refresh-token row atomically.
- [AshAuthentication.Oauth2Server.Jwt](AshAuthentication.Oauth2Server.Jwt.md): Mint and verify OAuth 2.1 access tokens.
- [AshAuthentication.Oauth2Server.Metadata](AshAuthentication.Oauth2Server.Metadata.md): Builders for the discovery metadata endpoints.
- [AshAuthentication.Oauth2Server.PKCE](AshAuthentication.Oauth2Server.PKCE.md): PKCE (RFC 7636) S256 helpers.
- [AshAuthentication.Oauth2Server.RefreshTokenResource](AshAuthentication.Oauth2Server.RefreshTokenResource.md): Marker extension for an OAuth 2.1 refresh-token resource.
- [AshAuthentication.Oauth2Server.RefreshTokenResource.Verifier](AshAuthentication.Oauth2Server.RefreshTokenResource.Verifier.md): Verifies the refresh-token resource has the shape the Token core depends on
- [AshAuthentication.Oauth2Server.Register](AshAuthentication.Oauth2Server.Register.md): Protocol-pure logic for `/oauth/register` (RFC 7591 Dynamic Client Registration).
- [AshAuthentication.Oauth2Server.Token](AshAuthentication.Oauth2Server.Token.md): Protocol-pure logic for the `/oauth/token` endpoint.
- [AshAuthentication.Phoenix.Oauth2Server.BearerPlug](AshAuthentication.Phoenix.Oauth2Server.BearerPlug.md): Resource-server side bearer token validation.
- [AshAuthentication.Phoenix.Oauth2Server.ConsentRouter](AshAuthentication.Phoenix.Oauth2Server.ConsentRouter.md): Plug router for the human-driven consent step of the OAuth 2.1 flow.
- [AshAuthentication.Phoenix.Oauth2Server.ConsentView](AshAuthentication.Phoenix.Oauth2Server.ConsentView.md): Default HTML consent screen.
- [AshAuthentication.Phoenix.Oauth2Server.Errors](AshAuthentication.Phoenix.Oauth2Server.Errors.md): HTTP error response helpers for OAuth 2.1 / RFC 7591.
- [AshAuthentication.Phoenix.Oauth2Server.ProtocolRouter](AshAuthentication.Phoenix.Oauth2Server.ProtocolRouter.md): Plug router for the client-facing OAuth 2.1 protocol endpoints — anything called by an external OAuth client without a browser session.
- [AshAuthentication.Phoenix.Oauth2Server.Router](AshAuthentication.Phoenix.Oauth2Server.Router.md): Phoenix router macros for mounting the OAuth 2.1 authorization server.

## Mix Tasks

- [mix ash_authentication_oauth2_server.install](Mix.Tasks.AshAuthenticationOauth2Server.Install.md): Scaffolds an OAuth 2.1 authorization server

