Attesto.AuthorizationCode.Grant (Attesto v0.6.10)


The validated context a successfully redeemed authorization code yields.

Attesto.AuthorizationCode.redeem/4 returns this struct once the code's expiry, redirect URI, PKCE verifier, and DPoP binding have all checked out. The host reads it to mint the access token (and, if it issues one, the refresh token): subject and scope become the token's sub and scope, dpop_jkt (when present) becomes the access token's cnf.jkt, and claims carries any host context that rode along from the authorization request.

family_id

When the authorization request supplied a :family_id to Attesto.AuthorizationCode.issue/3, it rides through to this struct so the host can mint the refresh-token family with that id. Linking the code to the family it spawns is what lets code-reuse detection revoke the right descendants (OAuth 2.0 Security BCP §4.13): a store that tracks reuse records this family_id at redemption and replays it if the code is presented again. nil when no family id was supplied.
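Host-side handling of the grant as described above and under family_id, as an added example that is not Attesto's own code. It uses the grant as a map with the documented fields (so the real struct works too); the issuer, audience, TTL, the sample grant values and the in-memory store are assumptions.

```elixir
defmodule HostTokens do
  # Added example, not Attesto's code: what a host does with the Grant
  # returned by Attesto.AuthorizationCode.redeem/4. The grant is used as a
  # map with the documented fields, so the real struct works here too.

  # Constructed sample standing in for a redeemed grant.
  def sample_grant do
    %{subject: "user-42", client_id: "spa-client", scope: ["openid", "read"],
      redirect_uri: "https://app.example/cb", dpop_jkt: "jkt-placeholder",
      family_id: "fam-1", claims: %{"tenant" => "acme"}}
  end

  # Access-token claims: sub/scope from the grant, cnf.jkt when the grant
  # is DPoP-bound. :iss, :aud and :ttl are host choices (assumed here).
  def access_token_claims(grant, opts) do
    now = System.system_time(:second)

    standard = %{
      "iss" => Keyword.fetch!(opts, :iss),
      "aud" => Keyword.fetch!(opts, :aud),
      "sub" => grant.subject,
      "client_id" => grant.client_id,
      "scope" => Enum.join(grant.scope, " "),
      "iat" => now,
      "exp" => now + Keyword.get(opts, :ttl, 300)
    }

    # Host context rides along, but cannot override the standard claims.
    grant.claims
    |> Map.merge(standard)
    |> bind_key(grant.dpop_jkt)
  end

  # Pin the token to the DPoP proof key (RFC 9449 cnf.jkt); unbound otherwise.
  defp bind_key(claims, nil), do: claims
  defp bind_key(claims, jkt), do: Map.put(claims, "cnf", %{"jkt" => jkt})

  # Reuse bookkeeping (BCP §4.13): remember the family each code spawned so
  # a second presentation of that code names the family whose descendants
  # must be revoked. `store` is a plain map keyed by the code value; a real
  # host keeps this in its token store alongside the code's expiry.
  def record_redemption(store, code, grant) do
    case Map.fetch(store, code) do
      {:ok, family_id} -> {:reuse, family_id}
      :error -> {:ok, Map.put(store, code, grant.family_id)}
    end
  end
end
```

Calling record_redemption/3 a second time with the same code returns {:reuse, "fam-1"} for the sample grant, which is the host's signal to reject the request and revoke that refresh-token family.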

Summary

Types

t()

@type t() :: %Attesto.AuthorizationCode.Grant{
  claims: map(),
  client_id: String.t(),
  dpop_jkt: String.t() | nil,
  family_id: String.t() | nil,
  redirect_uri: String.t(),
  scope: [String.t()],
  subject: String.t()
}