Phoenix-friendly protected-resource authentication.
This plug is a thin integration layer over Attesto.Plug.Authenticate. The
core plug owns the protocol work: parsing Bearer/DPoP credentials, verifying
the JWT access token, enforcing DPoP and mTLS sender-constraint bindings, and
rendering RFC 6750 / RFC 9449 failures. This wrapper derives the core options
from AttestoPhoenix.Config, resolves the verified subject through the
host's :load_principal callback, and assigns neutral values for downstream
Phoenix code.
Defaults:
:claims_key-:attesto_claims:principal_key-:attesto_principal:context_key-:attesto_context
The context assign is a map with :subject, :client_id, :scope, :claims,
:cnf, and :principal. It is deliberately protocol-shaped; application
policy such as accounts, roles, audit actors, and error envelopes belongs in
the host application.