# AttestoPhoenix v0.7.4 - Table of Contents

> Phoenix/Ecto OAuth 2.0 / OIDC authorization server layer over attesto: authorization, token, PAR, revocation, discovery, JWKS, UserInfo, protected-resource plugs, and Ecto-backed token stores.

## Pages

- [AttestoPhoenix](readme.md)

- Guides
  - [Example configurations](examples.md)
  - [Migrating to Attesto from Boruta or a custom OAuth provider](consumer_migration.md)
  - [Issuer, resource, and redirect URL correctness behind a proxy](proxy_canonical_host.md)
  - [DPoP replay and nonce stores in production](replay_nonce_production.md)
  - [Fitting OAuth errors into an existing JSON error envelope](error_envelope.md)

- Notebooks
  - [AttestoPhoenix Live Demo](attesto_phoenix_demo.md)

- Changelog
  - [Changelog](changelog.md)

- License
  - [LICENSE](license.md)

## Modules

- [AttestoPhoenix.AuthorizationServer.PAR](AttestoPhoenix.AuthorizationServer.PAR.md): Pushed Authorization Request storage (RFC 9126), as conn-free core.
- [AttestoPhoenix.AuthorizationServer.PAR.Request](AttestoPhoenix.AuthorizationServer.PAR.Request.md): A parsed Pushed Authorization Request (RFC 9126), all plain data lifted at
the controller edge.
- [AttestoPhoenix.AuthorizationServer.RequestObjectMetadata](AttestoPhoenix.AuthorizationServer.RequestObjectMetadata.md): Conn-free derivation of the signed-request-object (JAR / RFC 9101 §10.5)
discovery metadata shared by the OpenID Provider Metadata document (OpenID
Connect Discovery) and the OAuth 2.0 Authorization Server Metadata document
(RFC 8414).
- [AttestoPhoenix.AuthorizationServer.RequestPolicy](AttestoPhoenix.AuthorizationServer.RequestPolicy.md): Conn-free resolution of the per-request authorization-request validation
policy shared by the authorization endpoint and the PAR endpoint.
- [AttestoPhoenix.AuthorizationServer.SenderConstraint](AttestoPhoenix.AuthorizationServer.SenderConstraint.md): Sender-constraint resolution for the token endpoint (RFC 9449 / RFC 8705),
as conn-free core.
- [AttestoPhoenix.AuthorizationServer.Token](AttestoPhoenix.AuthorizationServer.Token.md): Token-endpoint grant processing (RFC 6749 §3.2), as conn-free core.
- [AttestoPhoenix.AuthorizationServer.Token.Request](AttestoPhoenix.AuthorizationServer.Token.Request.md): A parsed token request, all plain data lifted at the controller edge.
- [AttestoPhoenix.Callback](AttestoPhoenix.Callback.md): Invocation of configured callbacks in the forms accepted throughout the
library.
- [AttestoPhoenix.ClaimsProvider](AttestoPhoenix.ClaimsProvider.md): The host-owned UserInfo claim source (OpenID Connect Core §5).
- [AttestoPhoenix.ClientAuthentication](AttestoPhoenix.ClientAuthentication.md): OAuth 2.0 client authentication (RFC 6749 §2.3), as conn-free core.
- [AttestoPhoenix.ClientAuthentication.Policy](AttestoPhoenix.ClientAuthentication.Policy.md): The per-caller policy for `AttestoPhoenix.ClientAuthentication`.
- [AttestoPhoenix.ClientAuthentication.Result](AttestoPhoenix.ClientAuthentication.Result.md): The authenticated client and how it authenticated.
- [AttestoPhoenix.Controller.AuthorizeController](AttestoPhoenix.Controller.AuthorizeController.md): OAuth 2.0 / OpenID Connect authorization endpoint (RFC 6749 §3.1,
OIDC Core §3.1.2).
- [AttestoPhoenix.Controller.IntrospectionController](AttestoPhoenix.Controller.IntrospectionController.md): `POST /oauth/introspect` - OAuth 2.0 Token Introspection (RFC 7662), with the
signed-JWT response of RFC 9701 (FAPI 2.0 Message Signing §5.5).
- [AttestoPhoenix.Controller.OpenIDConfigurationController](AttestoPhoenix.Controller.OpenIDConfigurationController.md): OpenID Connect Discovery 1.0 - OpenID Provider Metadata endpoint.
- [AttestoPhoenix.Plug.Authenticate](AttestoPhoenix.Plug.Authenticate.md): Phoenix-friendly protected-resource authentication.
- [AttestoPhoenix.Plug.RequireScopes](AttestoPhoenix.Plug.RequireScopes.md): Phoenix alias for `Attesto.Plug.RequireScopes`.

- Setup
  - [AttestoPhoenix](AttestoPhoenix.md): A Phoenix/Ecto OAuth 2.0 / OIDC authorization-server and
resource-server layer built on top of `Attesto`.
  - [AttestoPhoenix.Config](AttestoPhoenix.Config.md): Configuration for the `attesto_phoenix` authorization-server layer.
  - [AttestoPhoenix.Router](AttestoPhoenix.Router.md): Router macro that mounts the authorization-server endpoints.

- Host contracts (behaviours)
  - [AttestoPhoenix.ClientStore](AttestoPhoenix.ClientStore.md): The host-owned OAuth client registry contract (RFC 6749 §2 / §3.1.2).
  - [AttestoPhoenix.ConsentPolicy](AttestoPhoenix.ConsentPolicy.md): The host-owned resource-owner authentication and consent contract
(RFC 6749 §3.1 / §4.1.1, OpenID Connect Core §3.1.2).
  - [AttestoPhoenix.EventSink](AttestoPhoenix.EventSink.md): The host-owned audit/telemetry contract.
  - [AttestoPhoenix.PrincipalStore](AttestoPhoenix.PrincipalStore.md): The host-owned subject/principal contract.
  - [AttestoPhoenix.RegistrationStore](AttestoPhoenix.RegistrationStore.md): The host-owned dynamic client registration persistence contract
(RFC 7591 §3 / RFC 7592 §2).
  - [AttestoPhoenix.ScopePolicy](AttestoPhoenix.ScopePolicy.md): The host-owned scope-authorization contract (RFC 6749 §3.3).

- Controllers
  - [AttestoPhoenix.Controller.DiscoveryController](AttestoPhoenix.Controller.DiscoveryController.md): RFC 8414 - OAuth 2.0 Authorization Server Metadata endpoint.
  - [AttestoPhoenix.Controller.JWKSController](AttestoPhoenix.Controller.JWKSController.md): `GET /.well-known/jwks.json` - the JSON Web Key Set (RFC 7517 §5).
  - [AttestoPhoenix.Controller.PARController](AttestoPhoenix.Controller.PARController.md): Pushed Authorization Request endpoint (RFC 9126).
  - [AttestoPhoenix.Controller.RegistrationController](AttestoPhoenix.Controller.RegistrationController.md): OAuth 2.0 Dynamic Client Registration endpoint (RFC 7591 §3).
  - [AttestoPhoenix.Controller.RevocationController](AttestoPhoenix.Controller.RevocationController.md): `POST /oauth/revoke` - OAuth 2.0 Token Revocation (RFC 7009).
  - [AttestoPhoenix.Controller.TokenController](AttestoPhoenix.Controller.TokenController.md): OAuth 2.0 token endpoint (RFC 6749 §3.2).
  - [AttestoPhoenix.Controller.UserinfoController](AttestoPhoenix.Controller.UserinfoController.md): OpenID Connect UserInfo endpoint (OpenID Connect Core 1.0 §5.3).

- Stores
  - [AttestoPhoenix.Store.EctoCodeStore](AttestoPhoenix.Store.EctoCodeStore.md): Ecto implementation of the `Attesto.CodeStore` behaviour.
  - [AttestoPhoenix.Store.EctoNonceStore](AttestoPhoenix.Store.EctoNonceStore.md): Postgres-backed `Attesto.DPoP.NonceStore` for clustered deployments
(RFC 9449 §8).
  - [AttestoPhoenix.Store.EctoRefreshStore](AttestoPhoenix.Store.EctoRefreshStore.md): Ecto implementation of the `Attesto.RefreshStore` behaviour.
  - [AttestoPhoenix.Store.EctoReplayCheck](AttestoPhoenix.Store.EctoReplayCheck.md): Ecto-backed, shared-store `jti` replay check for DPoP proofs
(RFC 9449 §11.1).
  - [AttestoPhoenix.Store.PAR.ETS](AttestoPhoenix.Store.PAR.ETS.md): Single-node ETS Pushed Authorization Request store.
  - [AttestoPhoenix.Store.Sweeper](AttestoPhoenix.Store.Sweeper.md): Optional periodic housekeeping `GenServer` that deletes expired rows from the
Ecto-backed authorization-code, refresh-token, DPoP-nonce, and DPoP-replay
tables.

- Schemas
  - [AttestoPhoenix.Schema.Authorization](AttestoPhoenix.Schema.Authorization.md): Ecto schema for the single-use authorization codes backing an
`Attesto.CodeStore`.
  - [AttestoPhoenix.Schema.DPoPNonce](AttestoPhoenix.Schema.DPoPNonce.md): Ecto schema for a single server-issued DPoP nonce (RFC 9449 §8).
  - [AttestoPhoenix.Schema.DPoPReplay](AttestoPhoenix.Schema.DPoPReplay.md): Ecto schema for one recorded DPoP proof `jti` (JWT ID).
  - [AttestoPhoenix.Schema.RefreshToken](AttestoPhoenix.Schema.RefreshToken.md): Ecto schema for the refresh-token records that back an Ecto-backed
`Attesto.RefreshStore`.

- Shared
  - [AttestoPhoenix.Event](AttestoPhoenix.Event.md): Neutral event struct and dispatcher for the optional `:on_event` callback.
  - [AttestoPhoenix.OAuthError](AttestoPhoenix.OAuthError.md): The error value type and the wire-rendering helpers for the
authorization-server controllers and the protected-resource plugs.
  - [AttestoPhoenix.PARStore](AttestoPhoenix.PARStore.md): Behaviour for Pushed Authorization Request storage (RFC 9126).
  - [AttestoPhoenix.RequestContext](AttestoPhoenix.RequestContext.md): Neutral request-fact helpers the OAuth 2.0 / OIDC flows derive from a `Plug.Conn`.

## Mix Tasks

- [mix attesto_phoenix.gen.migration](Mix.Tasks.AttestoPhoenix.Gen.Migration.md): Generates an Ecto migration that creates the persistence backing the
Ecto-based stores that ship with `attesto_phoenix`.
- [mix attesto_phoenix.install](Mix.Tasks.AttestoPhoenix.Install.md): Installs the attesto_phoenix authorization-server layer into a Phoenix app

