Render the RFC 6750 / RFC 9449 error responses for the Attesto plugs.
Translates the verifier's error atoms into the wire responses a protected resource owes a client:
invalid_token (RFC 6750 §3.1) - 401 with a WWW-Authenticate challenge for the scheme the request used (Bearer or DPoP).
invalid_dpop_proof (RFC 9449 §7.1) - 401 with a DPoP challenge, for a DPoP proof that failed verification.
use_dpop_nonce (RFC 9449 §8) - 401 with a DPoP challenge and a fresh DPoP-Nonce header, telling the client to retry with the nonce.
insufficient_scope (RFC 6750 §3.1) - 403 naming the required scope.
Each helper sets the status, the WWW-Authenticate header (and
DPoP-Nonce when relevant), writes a small JSON body, and halts the
pipeline. This module is part of the optional Attesto.Plug layer; it
only compiles when Plug is available.
Types
Functions
@spec insufficient_scope(Plug.Conn.t(), [String.t()], scheme()) :: Plug.Conn.t()
Respond 403 insufficient_scope naming the required scope list
(RFC 6750 §3.1). Halts.
@spec unauthorized(Plug.Conn.t(), scheme(), String.t(), keyword()) :: Plug.Conn.t()
Respond 401 with a WWW-Authenticate challenge for scheme carrying
error (an OAuth error code string). Options: :description
(error_description) and :dpop_nonce (sets the DPoP-Nonce header,
for use_dpop_nonce). Halts.
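The wire shape of the responses described above, as an added sketch that is not Attesto's own code: the ChallengeSketch module, its function bodies, the :bearer / :dpop atoms and the sample nonce are assumptions, and the JSON body is left out because the page does not show its shape. It also drops the characters RFC 6750 §3 disallows in challenge values, so a caller-supplied description cannot close the quoted string early or inject a header line.

```elixir
# Added illustration; ChallengeSketch is hypothetical and does not use Plug or Attesto.
defmodule ChallengeSketch do
  # Assumed scheme atoms mapped to the auth-scheme token sent on the wire.
  @schemes %{bearer: "Bearer", dpop: "DPoP"}

  # 401 for invalid_token, invalid_dpop_proof or use_dpop_nonce.
  # Returns {status, headers}; a real plug would also write a body and halt.
  def unauthorized(scheme, error, opts \\ []) do
    params = [{"error", error}] ++ description(opts[:description])
    nonce = if opts[:dpop_nonce], do: [{"dpop-nonce", opts[:dpop_nonce]}], else: []
    {401, [{"www-authenticate", challenge(scheme, params)} | nonce]}
  end

  # 403 naming the scopes the resource requires, space-delimited (RFC 6750 §3.1).
  def insufficient_scope(scopes, scheme) do
    params = [{"error", "insufficient_scope"}, {"scope", Enum.join(scopes, " ")}]
    {403, [{"www-authenticate", challenge(scheme, params)}]}
  end

  defp description(nil), do: []
  defp description(text), do: [{"error_description", text}]

  # Builds: <Scheme> key="value", key="value"
  defp challenge(scheme, params) do
    pairs = Enum.map_join(params, ", ", fn {k, v} -> "#{k}=\"#{sanitize(v)}\"" end)
    Map.fetch!(@schemes, scheme) <> " " <> pairs
  end

  # RFC 6750 §3 limits these values to %x20-21 / %x23-5B / %x5D-7E:
  # printable ASCII without the double quote (0x22) and backslash (0x5C).
  # Dropping everything else also removes CR and LF.
  defp sanitize(value) do
    value
    |> String.to_charlist()
    |> Enum.filter(&(&1 in 0x20..0x7E and &1 not in [0x22, 0x5C]))
    |> List.to_string()
  end
end

# Constructed sample inputs; the nonce and scope names are made up.
IO.inspect(ChallengeSketch.unauthorized(:dpop, "use_dpop_nonce",
  description: "Resource server requires nonce in DPoP proof",
  dpop_nonce: "constructed-nonce-1"))

IO.inspect(ChallengeSketch.unauthorized(:bearer, "invalid_token",
  description: "expired\"\r\nSet-Cookie: x=1"))

IO.inspect(ChallengeSketch.insufficient_scope(["read:records", "write:records"], :bearer))
```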