# Attesto v0.5.0 - Table of Contents

> Vendor-neutral OAuth2/OIDC engine for Elixir with DPoP, mTLS, and PKCE sender-constraint support.

## Pages

- [Attesto](readme.md)

- Changelog
  - [Changelog](changelog.md)

- License
  - [LICENSE](license.md)

## Modules

- [Attesto](Attesto.md): A vendor-neutral OAuth 2.0 / OIDC authorization-server and resource-server engine.

- Core
  - [Attesto.Config](Attesto.Config.md): Immutable configuration a token operation runs against.
  - [Attesto.PrincipalKind](Attesto.PrincipalKind.md): One kind of subject a token can describe.
  - [Attesto.Token](Attesto.Token.md): Mint and verify RS256 JWT access tokens.

- Grants
  - [Attesto.AuthorizationCode](Attesto.AuthorizationCode.md): RFC 6749 §4.1 authorization-code grant, with mandatory PKCE (RFC 7636, S256) and optional DPoP binding of the code (RFC 9449 §10).
  - [Attesto.AuthorizationCode.Grant](Attesto.AuthorizationCode.Grant.md): The validated context a successfully redeemed authorization code yields.
  - [Attesto.PKCE](Attesto.PKCE.md): RFC 7636 - Proof Key for Code Exchange (PKCE).
  - [Attesto.RefreshToken](Attesto.RefreshToken.md): Refresh-token issuance and rotation with reuse detection (RFC 6749 §6 / §10.4, OAuth 2.0 Security BCP).
  - [Attesto.Revocation](Attesto.Revocation.md): RFC 7009 - OAuth 2.0 Token Revocation, for refresh tokens.

- Plugs
  - [Attesto.Plug.Authenticate](Attesto.Plug.Authenticate.md): Authenticate a protected-resource request: verify the access token and, for a DPoP-bound or mTLS-bound token, the sender-constraint proof.
  - [Attesto.Plug.OAuthError](Attesto.Plug.OAuthError.md): Render the RFC 6750 / RFC 9449 error responses for the Attesto plugs.
  - [Attesto.Plug.RequireScopes](Attesto.Plug.RequireScopes.md): Authorize a request against the scopes on the verified token.

- Stores
  - [Attesto.CodeStore](Attesto.CodeStore.md): Storage seam for authorization codes.
  - [Attesto.CodeStore.ETS](Attesto.CodeStore.ETS.md): Single-node ETS implementation of `Attesto.CodeStore`.
  - [Attesto.DPoP.NonceStore](Attesto.DPoP.NonceStore.md): Storage seam for server-issued DPoP nonces (RFC 9449 §8).
  - [Attesto.DPoP.NonceStore.ETS](Attesto.DPoP.NonceStore.ETS.md): Single-node ETS implementation of `Attesto.DPoP.NonceStore`.
  - [Attesto.RefreshStore](Attesto.RefreshStore.md): Storage seam for refresh tokens, with the atomic primitive that makes reuse detection possible.
  - [Attesto.RefreshStore.ETS](Attesto.RefreshStore.ETS.md): Single-node ETS implementation of `Attesto.RefreshStore`.

- Sender-constraint
  - [Attesto.DPoP](Attesto.DPoP.md): RFC 9449 - OAuth 2.0 Demonstrating Proof of Possession (DPoP).
  - [Attesto.DPoP.ReplayCache](Attesto.DPoP.ReplayCache.md): In-memory, TTL-bounded cache of seen DPoP proof `jti` values.
  - [Attesto.MTLS](Attesto.MTLS.md): RFC 8705 - OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens.

- Scopes
  - [Attesto.Scope](Attesto.Scope.md): Scope grant-form matching for OAuth-style `<resource>.<action>` scopes.

- Metadata
  - [Attesto.Discovery](Attesto.Discovery.md): RFC 8414 - OAuth 2.0 Authorization Server Metadata.
  - [Attesto.JWKS](Attesto.JWKS.md): RFC 7517 - publish the signing keys' public halves as a JWK Set.

- Keys
  - [Attesto.Key](Attesto.Key.md): Pure helpers for working with the RSA signing material as PEM strings.
  - [Attesto.Keystore](Attesto.Keystore.md): The behaviour Attesto uses to obtain signing and verification keys.
  - [Attesto.Keystore.Static](Attesto.Keystore.Static.md): A simple `Attesto.Keystore` backed by application configuration.

- Shared
  - [Attesto.ClusterGuard](Attesto.ClusterGuard.md): Refuse to start a per-node ETS store on a clustered BEAM.
  - [Attesto.Secret](Attesto.Secret.md): Generate and hash the opaque secrets that back stateful grants.
  - [Attesto.SecureCompare](Attesto.SecureCompare.md): Constant-time comparison of two binaries.
  - [Attesto.Thumbprint](Attesto.Thumbprint.md): Canonical SHA-256 thumbprint shape, shared across the sender-constraint schemes.

