Configuration for the attesto_phoenix authorization-server layer.

This is the single source of truth consumed by every controller and plug in the library. It reads the host's configuration (from a host-chosen otp_app/config key), validates the required keys, applies neutral defaults, and derives the Attesto.Config the protocol layer needs.

Build one with new/1 (from a keyword list or map) or from_otp_app/2 (to read Application.get_env/2). Validation raises ArgumentError on a missing required key so misconfiguration fails fast at boot.

Keys

Required

• :issuer - issuer URL (string) used as the JWT iss, the discovery issuer, and the base for endpoint URLs.
• :keystore - module implementing Attesto.Keystore providing the signing key and the verification keys published via JWKS. Use a static keystore or a host KMS/HSM/Vault-backed implementation; per-key alg metadata is supported by the core keystore behaviour.
• :repo - Ecto.Repo module used by the Ecto-backed code, refresh, nonce, and replay stores.

• :load_client - (client_id -> {:ok, client} | {:error, :not_found} | {:error, :revoked}). Resolves an OAuth client. The host owns the client registry and revocation policy.

• :verify_client_secret - (client, presented_secret -> boolean). Constant-time client-secret verification (e.g. via Attesto.SecureCompare). The host owns secret hashing.

• :load_principal - (subject_id -> {:ok, principal} | {:error, :not_found}). Resolves the subject/principal during protected-resource authentication.

Optional callbacks

• :authorize_scope - (client, requested_scope -> {:ok, granted_scope} | {:error, :invalid_scope}). Validates/narrows requested scope using Attesto.Scope algebra. Defaults to "subset of :scopes_supported".
• :on_event - (%AttestoPhoenix.Event{} -> any). Audit/telemetry hook. No-op by default; the library never stores events itself.
• :send_error - (conn, status, body_map -> conn). Optional transport hook used by AttestoPhoenix.OAuthError to serialize OAuth/OIDC errors into the host's API envelope while preserving the RFC status, challenge, and cache-control semantics.
• :no_store - (conn -> conn). Optional transport hook used by AttestoPhoenix.OAuthError to apply no-store headers.
• :www_authenticate - (conn, challenge_string -> conn). Optional transport hook used by AttestoPhoenix.OAuthError to write the WWW-Authenticate challenge header.
• :basic_realm - realm string for token-endpoint Basic auth challenges. Default "OAuth".
• :htu - (conn -> canonical_url_string). Overrides how the DPoP htu is computed behind proxies. Defaults to derivation from :trusted_proxies.

• :cert_der - (conn -> der_binary | nil). Extracts the client mTLS certificate DER. Required only when :mtls_enabled.

• :register_client - (metadata -> {:ok, client} | {:error, reason}). Persists a dynamically registered client. Required only when :registration_enabled.

• :unregister_client - (client -> :ok | {:ok, client} | {:error, reason}). Deletes a dynamically registered client for registration management cleanup (RFC 7592). Optional; when unset, DELETE requests to the registration management endpoint fail closed.

• :client_registration_access_token_hash - (client -> String.t() | nil). Extracts the stored hash of the registration access token issued with a dynamic client (RFC 7592). Optional; when unset, DELETE requests fail closed.

• :introspection_authorize - (caller_client_id, response -> boolean). Authorizes the authenticated introspection caller against the token being introspected (RFC 7662 §4 / RFC 9701 §5). Consulted only for an active response; returning anything but true (or raising) downgrades the response to %{"active" => false} so a caller not entitled to the token learns nothing about it (FAPI: a regular client querying introspection is a leakage risk). response is the RFC 7662 member map (carrying aud, client_id, sub, scope, ...), letting the host match the token's audience/scope against the calling protected resource. Optional - when unset, every authenticated caller may introspect any token (the single-trust-domain default).
• :principal_kinds - non-empty list of Attesto.PrincipalKind values or a zero-arity callback returning that list, passed into the core token configuration.
• :build_principal - (client, subject, scope -> map). Builds the principal map passed to Attesto.Token.mint/3.
• :build_userinfo_claims - (subject, granted_scopes, requested_claims -> claims_map). Produces the claim values the UserInfo endpoint (OpenID Connect Core §5.3) returns for the authenticated subject. The host owns the claim source (its user store); the library owns only the scope-to-claim shaping (OpenID Connect Core §5.4) and the guarantee that sub is present (OpenID Connect Core §5.3.2). granted_scopes is the list of scopes on the access token; requested_claims is the per-claim request map from the OpenID Connect claims parameter (%{} when none). Required only when the UserInfo endpoint is mounted.
• :build_id_token_claims - (client, subject, granted_scopes, requested_claims -> claims_map). Produces the host claims merged into an ID Token (OpenID Connect Core §3.1.3.6 / §5.5 id_token member). Distinct from :build_userinfo_claims: it receives the resolved client, draws from the claims parameter's id_token member, and MUST NOT carry sub (the library sets the verified subject; a host-supplied sub is rejected by Attesto.IDToken). Optional - when unset the ID Token carries only the protocol claims.
• :client_id - (client -> String.t()). Extracts the OAuth client identifier from the host's client struct.
• :client_jwks - (client -> jwks). Returns the client's trusted public JWK Set for private_key_jwt client authentication. Required only for clients that authenticate with private_key_jwt.
• :client_redirect_uris - (client -> [String.t()]). Returns the client's registered redirect URIs (RFC 6749 §3.1.2.2). The authorization endpoint exact-matches the request redirect_uri against this set (RFC 6749 §3.1.2.3); a client exposing none rejects every authorization request (fail closed).
• :authenticate_resource_owner - (conn, request, auth_opts -> {:authenticated, subject} | {:halt, conn} | {:none} | {:error, :login_required | :consent_required | :interaction_required}). Establishes the resource owner for an authorization request (RFC 6749 §3.1, OIDC Core §3.1.2.3). Returns {:authenticated, subject} once a resource owner is known (a map carrying at least :subject, the OIDC sub, and optionally :auth_time, :acr, :amr), {:halt, conn} to take over the connection (e.g. redirect to a host login page that re-enters the authorization endpoint), {:none} when no subject can be established without UI, or an {:error, _} classifying why interaction is required (OIDC Core §3.1.2.6). auth_opts is a map carrying the OIDC Core §3.1.2.1 prompt/max_age directives the host must honour: :prompt, :force_reauth (prompt=login), :interactive (false for prompt=none, forbidding UI), and :max_age. The host owns all login UI; the library only invokes this hook. Required only when the authorization endpoint is mounted.
• :consent - (conn, request, subject -> {:consented, subject} | {:halt, conn} | {:denied, reason}). Obtains the resource owner's consent for an authorization request (RFC 6749 §4.1.1). Returns {:consented, subject} to proceed (the returned subject may carry consent-derived claims), {:halt, conn} to take over the connection (e.g. render a consent screen that re-enters the authorization endpoint), or {:denied, reason} to refuse (reported to the client as access_denied, RFC 6749 §4.1.2.1). When unset, consent is implicitly granted for the authenticated subject.
• :client_public? - (client -> boolean()). Returns whether a client may authenticate without a secret and rely on PKCE.
• :client_requires_mtls? - (client -> boolean()). Returns whether a client requires mTLS-bound token issuance.
• :client_requires_dpop? - (client -> boolean()). Returns whether a client requires DPoP-bound token issuance.

• :client_grant_types - (client -> [String.t()] | nil). Returns the grant types registered for this client (RFC 7591 §2). When set, the token endpoint rejects a requested grant type not in the returned list.

• :issue_refresh_token? - (client, granted_scope -> boolean()). Returns whether the authorization-code grant should issue an initial refresh token (RFC 6749 §6). When unset, the token controller issues one iff the granted scope contains offline_access (OIDC Core §11) and a :refresh_store is configured.
• :code_store - module implementing Attesto.CodeStore.
• :refresh_store - module implementing Attesto.RefreshStore.
• :par_store - module implementing AttestoPhoenix.PARStore.
• :grant_types_supported - grant types advertised/accepted by dynamic client registration.
• :token_endpoint_auth_methods_supported - client authentication methods advertised/accepted by dynamic client registration and by the token/PAR endpoints when configured. When unset, all package-supported methods are accepted.

Optional values (with defaults)

• :audience - default access-token audience (string or list).
• :client_auth_signing_algs - the JOSE algorithms accepted for private_key_jwt client-assertion signatures, and the set advertised as token_endpoint_auth_signing_alg_values_supported in discovery. Defaults to Attesto.SigningAlg.fapi_algs/0 (PS256, ES256, EdDSA). A non-FAPI deployment can widen it; verification and the advertised metadata stay in lockstep because both read this one value.
• :request_object_policy - an Attesto.RequestObject.Policy controlling verification of signed authorization request objects (JAR, RFC 9101). Defaults to %Attesto.RequestObject.Policy{} (generic OpenID Connect §6.1: nbf/exp/typ not required). For FAPI 2.0 Message Signing §5.3.1 set Attesto.RequestObject.Policy.fapi_message_signing(); the policy is then enforced both at the PAR endpoint and at /authorize.
• :scopes_supported - list of supported scope strings (concrete and wildcard) advertised in discovery and used as the default scope catalog. For an OpenID Provider the reserved openid scope (OpenID Connect Core §3.1.2.1) is added to the OpenID Provider Metadata automatically by the core builder; it need not be listed here.
• :authorization_endpoint - absolute URL of the host-owned authorization endpoint (RFC 6749 §3.1 / OpenID Connect Discovery §3). The authorization endpoint runs the host's login/consent UI, so the library does not mount it; the host supplies the URL where it serves it. Advertised in the OpenID Provider Metadata; omitted when unset.
• :userinfo_endpoint - absolute URL of the host-owned UserInfo endpoint (OpenID Connect Core §5.3). The host owns the claim source, so the library does not mount it; the host supplies the URL. Advertised in the OpenID Provider Metadata; omitted when unset.
• :claims_supported - list of claim names the host's UserInfo endpoint and ID Tokens can return (OpenID Connect Discovery §3). Advertised in the OpenID Provider Metadata; omitted when unset.
• :claims_parameter_supported - whether the provider accepts the OpenID Connect claims request parameter (OpenID Connect Discovery §3 / OpenID Connect Core §5.5). Default false: the authorization endpoint does not consume a claims parameter unless the host wires it, so the provider does not claim support for it. Advertised in the OpenID Provider Metadata only when set to true (the core builder treats absence as false per OpenID Connect Discovery §3).
• :acr_values_supported - list of Authentication Context Class Reference values the provider can satisfy (OpenID Connect Discovery §3 / OpenID Connect Core §2). Advertised only when the host configures a non-empty list; omitted otherwise.
• :ui_locales_supported - list of BCP47 (RFC 5646) language tags the provider's UI supports (OpenID Connect Discovery §3). Advertised only when the host configures a non-empty list; omitted otherwise.
• :require_nonce - require the OpenID Connect nonce parameter on OpenID Connect Authentication Requests (OpenID Connect Core §3.1.2.1). Default false. When true, the authorization endpoint passes require_nonce: true to Attesto.AuthorizationRequest.validate/2 for a request whose scope contains openid, so a missing nonce on an OIDC request is rejected with a redirectable invalid_request error. A non-OpenID OAuth 2.0 request is never affected (RFC 6749 keeps the authorization code at SHOULD, never requiring a nonce). The host sets this per its own OpenID Provider policy.
• :require_pushed_authorization_requests - require front-channel authorization requests to use a PAR request_uri issued by this server (RFC 9126). Default false.
• :authorization_response_iss - include the RFC 9207 iss authorization response parameter on success and error redirects. Default true (authorization-server mix-up defense, mandated by FAPI 2.0); set false only for a deployment that must omit it.
• :require_https - enforce HTTPS on the endpoints. Default true.
• :trusted_proxies - list of trusted proxy CIDRs/IPs controlling whether X-Forwarded-* headers are honored. Default [] (no forwarded trust).
• :access_token_ttl - access-token lifetime, seconds. Default 900.
• :refresh_token_ttl - refresh-token lifetime, seconds. Default 1_209_600.
• :refresh_token_rotation_grace_seconds - idempotency window, in seconds, during which a just-rotated refresh token can be retried and receive the same successor refresh token instead of being treated as a reuse attack. Default 60; set 0 for strict immediate reuse revocation. A non-zero window is important for clients that lose the first rotation response and retry the previous token (OAuth 2.0 Security BCP §4.13; FAPI 2.0 Security Profile §5.3.2.1).
• :authorization_code_ttl - authorization-code lifetime, seconds. Default 60.
• :dpop_enabled - enable DPoP sender-constraint support. Default true.
• :dpop_nonce_required - require server-issued DPoP nonces. Default false.
• :mtls_enabled - enable mTLS (RFC 8705) cnf binding. Default false.
• :registration_enabled - enable /oauth/register. Default false.
• :replay_check - DPoP jti replay check (module or {module, fun}). Defaults to the single-node ETS replay cache.
• :nonce_store - Attesto.DPoP.NonceStore implementation. Defaults to the single-node ETS nonce store.
• :sweep_interval_ms - interval for AttestoPhoenix.Store.Sweeper. The sweeper is not started if unset.
• :table_prefix - optional Ecto schema/table prefix for the generated tables.

Endpoint paths advertised in metadata

The discovery documents (RFC 8414 §3, OpenID Connect Discovery §4) and the RFC 7591 §3.2.1 registration response advertise absolute endpoint URLs built from the :issuer and the request path each endpoint is mounted at. By default the OAuth endpoints live under /oauth/* (the historic surface), but a host that mounts them elsewhere (for example under /mcp/oauth/* to avoid colliding with a legacy provider) MUST advertise the paths it actually serves or clients are misdirected. These keys control that, all additive with defaults that reproduce the historic /oauth/* surface exactly:

• :oauth_path_prefix - path segment prepended to every OAuth endpoint tail. Default "/oauth", yielding the historic /oauth/token, /oauth/par, etc. A host mounting under /mcp/oauth sets oauth_path_prefix: "/mcp/oauth" to advertise /mcp/oauth/token and so on. This is the FULL client-visible mount prefix, since the controllers cannot see the surrounding Phoenix scope. The well-known documents (RFC 8615) and the JWKS document stay anchored at the host root and are NOT relocated by this prefix.
• :authorize_path, :token_path, :par_path, :revocation_path, :introspection_path, :registration_path, :userinfo_path - explicit per-endpoint path overrides. When set, the override wins over :oauth_path_prefix for that one endpoint (the integrator's "explicit endpoint overrides plus sane defaults"). Each defaults to nil, meaning "derive from :oauth_path_prefix". An override is an absolute path reference ("/custom/token"), advertised verbatim merged onto the issuer.

Use the resolver helpers (token_endpoint_url/1, par_endpoint_url/1, revocation_endpoint_url/1, registration_endpoint_url/1, userinfo_endpoint_url/1, authorize_endpoint_url/1, jwks_uri/1, and the resolved-path helpers token_path/1 and friends) rather than re-deriving the URLs in callers; the router macro derives its mounted-route tails from the same source so the mounted routes and the advertised routes cannot drift.

Recommended production callback contracts

The loose *_client, *_principal, authorize_scope, consent, registration, and event callbacks above are grouped into named behaviours that document the full contract (with the governing RFC for each callback) and serve as the recommended production shape: AttestoPhoenix.ClientStore, AttestoPhoenix.PrincipalStore, AttestoPhoenix.ScopePolicy, AttestoPhoenix.ConsentPolicy, AttestoPhoenix.RegistrationStore, and AttestoPhoenix.EventSink. Wiring stays identical: pass an anonymous function, a {module, function} pair, or a {module, function, extra_args} triple per key as documented above. The behaviours are the contract; the Config keys are how a host installs an implementation.

Behaviour-module Config keys

Rather than wiring every host callback as an individual flat key, a host may install one behaviour module per concern and let the library resolve each callback from it:

• :client_store - a module implementing AttestoPhoenix.ClientStore.
• :principal_store - a module implementing AttestoPhoenix.PrincipalStore.
• :consent_policy - a module implementing AttestoPhoenix.ConsentPolicy.
• :scope_policy - a module implementing AttestoPhoenix.ScopePolicy.
• :event_sink - a module implementing AttestoPhoenix.EventSink.
• :registration - a module implementing AttestoPhoenix.RegistrationStore.
• :claims_provider - a module implementing AttestoPhoenix.ClaimsProvider.

Each per-callback value is resolved through the matching resolver fun on this module (client_id_fun/1, load_principal_fun/1, consent_fun/1, and so on) with a single precedence: the explicit flat key wins when set; otherwise, when a behaviour module is installed and exports the corresponding behaviour callback (after Code.ensure_loaded/1), the {module, function} pair is used; otherwise the resolution is nil (and the consumer's existing fail-closed default applies). Flat keys therefore never break: a host that wires the individual callbacks keeps the exact behaviour it had. new/1 validates at boot that any installed behaviour module is loadable and exports the callbacks it claims, so a typo'd or partial module fails fast rather than silently resolving to nil at request time.