RFC 8414 - OAuth 2.0 Authorization Server Metadata.
Build the JSON document a client fetches from
/.well-known/oauth-authorization-server (or the OIDC
/.well-known/openid-configuration) to discover how to talk to the
issuer: where the token and JWKS endpoints are, which grants and
challenge methods are supported, and which DPoP algorithms the server
accepts.
Attesto fills the fields it can derive or fix by protocol:
- issuer and token_endpoint from the Attesto.Config.
- jwks_uri derived from the issuer (overridable).
- code_challenge_methods_supported is ["S256"] - Attesto's PKCE is S256 only.
- dpop_signing_alg_values_supported from Attesto.DPoP.allowed_algs/0.
- grant_types_supported defaults to ["client_credentials"].
Everything host-specific (the authorization, revocation, introspection,
and registration endpoints; the supported scopes, response types, and
client-authentication methods) is supplied through opts and merged in.
nil opt values are dropped so the document only advertises what the
host actually implements.
The result is a string-keyed map ready to serialise as the endpoint's JSON body.
Functions
@spec metadata(Attesto.Config.t(), keyword()) :: %{required(String.t()) => term()}
Build the authorization-server metadata document for config.
Options:
- :jwks_uri - the full JWKS URL. Defaults to the issuer merged with /.well-known/jwks.json.
- :grant_types_supported - defaults to ["client_credentials"].
- :authorization_endpoint, :revocation_endpoint, :introspection_endpoint, :registration_endpoint, :userinfo_endpoint - host endpoint URLs, included only if given.
- :scopes_supported, :response_types_supported, :response_modes_supported, :token_endpoint_auth_methods_supported, :service_documentation, :ui_locales_supported - included only if given.
Any other opt key is ignored.
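Because host-supplied opts are merged into the document as given, a host may want to lint the resulting string-keyed map before serving it. The following is an added example, not Attesto code: the MetadataLint module and the sample map are hypothetical, and requiring https on every endpoint is this example's own policy. The issuer rule follows RFC 8414 and the DPoP algorithm rule follows RFC 9449.

```elixir
# Added example, not part of Attesto. MetadataLint and the sample map are hypothetical.
defmodule MetadataLint do
  @endpoint_keys ~w(token_endpoint jwks_uri authorization_endpoint revocation_endpoint
                    introspection_endpoint registration_endpoint userinfo_endpoint)

  @doc "Returns a list of problems found in a string-keyed metadata map."
  def check(doc) when is_map(doc) do
    [
      issuer_problem(doc["issuer"]),
      for({k, v} <- doc, k in @endpoint_keys, not https?(v), do: "#{k} is not an https URL"),
      for({k, nil} <- doc, do: "#{k} is nil and would serialise as JSON null"),
      if("plain" in List.wrap(doc["code_challenge_methods_supported"]),
        do: "PKCE plain is advertised"),
      for(alg <- List.wrap(doc["dpop_signing_alg_values_supported"]),
          alg == "none" or String.starts_with?(alg, "HS"),
          do: "DPoP alg #{alg} is not an asymmetric signature algorithm")
    ]
    |> List.flatten()
    |> Enum.reject(&is_nil/1)
  end

  # RFC 8414: the issuer is an https URL with no query or fragment component.
  defp issuer_problem(iss) when is_binary(iss) do
    case URI.parse(iss) do
      %URI{scheme: "https", host: h, query: nil, fragment: nil} when is_binary(h) and h != "" -> nil
      _ -> "issuer must be an https URL with no query or fragment"
    end
  end

  defp issuer_problem(_), do: "issuer is missing"

  defp https?(v) when is_binary(v) do
    match?(%URI{scheme: "https", host: h} when is_binary(h) and h != "", URI.parse(v))
  end

  defp https?(_), do: false
end

# Constructed sample with one deliberate mistake (an http jwks_uri).
sample = %{
  "issuer" => "https://as.example.test",
  "token_endpoint" => "https://as.example.test/oauth/token",
  "jwks_uri" => "http://as.example.test/.well-known/jwks.json",
  "code_challenge_methods_supported" => ["S256"],
  "dpop_signing_alg_values_supported" => ["ES256", "EdDSA"],
  "grant_types_supported" => ["client_credentials"]
}

IO.inspect(MetadataLint.check(sample))
```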