A GenServer which periodically removes expired OAuth2 authorization codes and refresh tokens.

Scans all resources extended with either AshAuthentication.Oauth2Server.AuthorizationCodeResource or AshAuthentication.Oauth2Server.RefreshTokenResource and, on each resource's configured expunge_interval (hours), runs that resource's :expunge_expired destroy action.

Multitenancy

For resources using strategy :context multitenancy (and not global? true), Ash refuses tenant-less destroys, and a single tenant-less call could not reach rows that live in separate tenant schemas anyway. Pass :list_tenants (via the Supervisor) so the expunger fans out one destroy per tenant per resource:

{AshAuthentication.Oauth2Server.Supervisor,
  otp_app: :my_app,
  list_tenants: {MyApp.Repo, :all_tenants, []}}

list_tenants accepts a static list, a 0-arity function, or an {module, function, args} tuple. Default: [nil] — a single tenant-less pass, which is correct for apps with no multitenancy or with strategy :attribute, global? true.

Started for you by AshAuthentication.Oauth2Server.Supervisor — you should not need to start this yourself.