AshAuthentication.Oauth2Server.RefreshTokenResource (ash_authentication_oauth2_server v0.2.1)

Resource extension for OAuth 2.1 refresh-token rows.

Verifies, at compile time, that the resource conforms to the contract the Token core depends on for race-safe rotation (writable :id, required attributes, a :rotate action carrying AshAuthentication.Oauth2Server.Changes.RotateRefreshToken).

Adds an auto-generated :expunge_expired destroy action and exposes configuration for the AshAuthentication.Oauth2Server.Expunger GenServer, which periodically removes:

  • rows whose expires_at has passed
  • rows whose revoked_at is older than revoked_grace
  • rows whose rotated_at is older than rotated_grace
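
The three removal criteria above, modelled as a plain-Elixir function over constructed rows. This is an added example, not the library's own code: `ExpungeModel` and the row maps are hypothetical, and the grace values are assumed to be in seconds.

```elixir
# Added illustration: a plain-Elixir model of the three expunge criteria.
# Not the library's implementation. ExpungeModel and the rows are hypothetical;
# revoked_grace / rotated_grace are assumed to be seconds.
defmodule ExpungeModel do
  @doc "Returns {:expunge, reason} or :keep for one refresh-token row (a map)."
  def decide(row, now, opts) do
    revoked_grace = Keyword.fetch!(opts, :revoked_grace)
    rotated_grace = Keyword.fetch!(opts, :rotated_grace)

    cond do
      DateTime.compare(row.expires_at, now) == :lt -> {:expunge, :expired}
      older_than?(row.revoked_at, now, revoked_grace) -> {:expunge, :revoked}
      older_than?(row.rotated_at, now, rotated_grace) -> {:expunge, :rotated}
      true -> :keep
    end
  end

  # A nil timestamp means the event never happened, so it never matches.
  defp older_than?(nil, _now, _grace), do: false
  defp older_than?(ts, now, grace), do: DateTime.diff(now, ts, :second) > grace
end

now = ~U[2025-01-10 00:00:00Z]
opts = [revoked_grace: 86_400, rotated_grace: 86_400]
later = ~U[2025-02-01 00:00:00Z]

# Constructed sample rows: expired, revoked two days ago,
# rotated twelve hours ago, and still active.
rows = [
  %{id: "a", expires_at: ~U[2025-01-09 00:00:00Z], revoked_at: nil, rotated_at: nil},
  %{id: "b", expires_at: later, revoked_at: ~U[2025-01-08 00:00:00Z], rotated_at: nil},
  %{id: "c", expires_at: later, revoked_at: nil, rotated_at: ~U[2025-01-09 12:00:00Z]},
  %{id: "d", expires_at: later, revoked_at: nil, rotated_at: nil}
]

for row <- rows do
  IO.inspect({row.id, ExpungeModel.decide(row, now, opts)})
end
```

Row `c` was rotated inside the grace window, so the model keeps it until `rotated_grace` has elapsed, while row `b` is past `revoked_grace` and is selected for removal.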

Usage

use Ash.Resource,
  extensions: [AshAuthentication.Oauth2Server.RefreshTokenResource],
  ...

oauth2_server do
  expunge_interval 12
  revoked_grace 86_400
  rotated_grace 86_400
end

Removing expired records

Add AshAuthentication.Oauth2Server.Supervisor to your application supervision tree; it starts the expunger, which scans each resource on its configured interval.

Functions

expunge_expired(resource, opts \\ [])

@spec expunge_expired(
  Ash.Resource.t(),
  keyword()
) :: :ok | {:error, any()}

Bulk-destroy refresh-token rows that have expired, or whose revoked_at / rotated_at is older than the configured grace.

oauth2_server(body)

(macro)