API Reference AttestoPhoenix v0.9.5


Modules

A Phoenix/Ecto OAuth 2.0 / OIDC authorization-server and resource-server layer built on top of Attesto.

Pushed Authorization Request storage (RFC 9126), as conn-free core.

A parsed Pushed Authorization Request (RFC 9126), all plain data lifted at the controller edge.

Conn-free derivation of the signed-request-object (JAR / RFC 9101 §10.5) discovery metadata shared by the OpenID Provider Metadata document (OpenID Connect Discovery) and the OAuth 2.0 Authorization Server Metadata document (RFC 8414).

Conn-free resolution of the per-request authorization-request validation policy shared by the authorization endpoint and the PAR endpoint.

Sender-constraint resolution for the token endpoint (RFC 9449 / RFC 8705), as conn-free core.

Token-endpoint grant processing (RFC 6749 §3.2), as conn-free core.

A parsed token request, all plain data lifted at the controller edge.

Invocation of configured callbacks in the forms accepted throughout the library.

The host-owned UserInfo claim source (OpenID Connect Core §5).

OAuth 2.0 client authentication (RFC 6749 §2.3), as conn-free core.

The authenticated client and how it authenticated.

Integration façade for Client ID Metadata Documents - CIMD (draft-ietf-oauth-client-id-metadata-document-01, IETF OAuth WG).

Behaviour for caching a validated Client ID Metadata Document - CIMD (draft-ietf-oauth-client-id-metadata-document-01, IETF OAuth WG).

Single-node ETS AttestoPhoenix.ClientIdMetadata.Cache - CIMD (draft-ietf-oauth-client-id-metadata-document-01, IETF OAuth WG).

Postgres-backed AttestoPhoenix.ClientIdMetadata.Cache for clustered deployments - CIMD (draft-ietf-oauth-client-id-metadata-document-01, IETF OAuth WG).

Behaviour for dereferencing a Client ID Metadata Document URL - CIMD (draft-ietf-oauth-client-id-metadata-document-01, IETF OAuth WG).

The default, SSRF-guarded Client ID Metadata Document fetcher - CIMD (draft-ietf-oauth-client-id-metadata-document-01, IETF OAuth WG).

Resolves a Client ID Metadata Document URL into a client - CIMD (draft-ietf-oauth-client-id-metadata-document-01, IETF OAuth WG).

The host-owned OAuth client registry contract (RFC 6749 §2 / §3.1.2).

Configuration for the attesto_phoenix authorization-server layer.

The host-owned resource-owner authentication and consent contract (RFC 6749 §3.1 / §4.1.1, OpenID Connect Core §3.1.2).

OAuth 2.0 / OpenID Connect authorization endpoint (RFC 6749 §3.1, OIDC Core §3.1.2).

RFC 8414 - OAuth 2.0 Authorization Server Metadata endpoint.

POST /oauth/introspect - OAuth 2.0 Token Introspection (RFC 7662), with the signed-JWT response of RFC 9701 (FAPI 2.0 Message Signing §5.5).

GET /.well-known/jwks.json - the JSON Web Key Set (RFC 7517 §5).

OpenID Connect Discovery 1.0 - OpenID Provider Metadata endpoint.

Pushed Authorization Request endpoint (RFC 9126).

OAuth 2.0 Dynamic Client Registration endpoint (RFC 7591 §3).

POST /oauth/revoke - OAuth 2.0 Token Revocation (RFC 7009).

OAuth 2.0 token endpoint (RFC 6749 §3.2).

OpenID Connect UserInfo endpoint (OpenID Connect Core 1.0 §5.3).

Neutral event struct and dispatcher for the optional :on_event callback.

The host-owned audit/telemetry contract.

The error value type and the wire-rendering helpers for the authorization-server controllers and the protected-resource plugs.

Behaviour for Pushed Authorization Request storage (RFC 9126).

Phoenix-friendly protected-resource authentication.

The host-owned subject/principal contract.

The host-owned dynamic client registration persistence contract (RFC 7591 §3 / RFC 7592 §2).

Neutral request-fact helpers the OAuth 2.0 / OIDC flows derive from a Plug.Conn.

Router macro that mounts the authorization-server endpoints.

Ecto schema for the single-use authorization codes backing an Attesto.CodeStore.

Ecto schema for one cached Client ID Metadata Document - CIMD (draft-ietf-oauth-client-id-metadata-document-01, IETF OAuth WG).

Ecto schema for a single server-issued DPoP nonce (RFC 9449 §8).

Ecto schema for one recorded DPoP proof jti (JWT ID).

Ecto schema for a single Pushed Authorization Request (RFC 9126).

Ecto schema for the refresh-token records that back an Ecto-backed Attesto.RefreshStore.

The host-owned scope-authorization contract (RFC 6749 §3.3).

Ecto implementation of the Attesto.CodeStore behaviour.

Postgres-backed Attesto.DPoP.NonceStore for clustered deployments (RFC 9449 §8).

Postgres-backed AttestoPhoenix.PARStore for clustered deployments (RFC 9126).

Ecto implementation of the Attesto.RefreshStore behaviour.

Ecto-backed, shared-store jti replay check for DPoP proofs (RFC 9449 §11.1).

Single-node ETS Pushed Authorization Request store.

Optional periodic housekeeping GenServer that deletes expired rows from the Ecto-backed authorization-code, refresh-token, DPoP-nonce, DPoP-replay, pushed-authorization-request, and client-id-metadata-cache tables.

Mix Tasks

Generates an Ecto migration that creates the persistence backing the Ecto-based stores that ship with attesto_phoenix.

Installs the attesto_phoenix authorization-server layer into a Phoenix app