AttestoPhoenix.AuthorizationServer.CIBADecision (AttestoPhoenix v1.2.0)

Copy Markdown View Source

Records an end-user's decision on a pending CIBA authentication request and, for a ping-mode request, delivers the §10.2 notification - so a host's authentication-device UI does not hand-roll the approvenotify sequence.

After the end-user authenticates (or refuses) on their authentication device, the host calls approve/3 or deny/2 with the auth_req_id. Each drives the atomic Attesto.CIBA.approve/4 / deny/3 core transition, then - when the request was registered for ping delivery - POSTs the notification to the client's registered backchannel_client_notification_endpoint (Authorization: Bearer <client_notification_token>, body {"auth_req_id": ...}) through the configured AttestoPhoenix.CIBAPing deliverer. The §10.2 notification fires on approval AND denial; a poll-mode request sends none. Delivery is async and best-effort: the tokens are already available at the token endpoint, so a client that misses the ping falls back to polling.

The notification endpoint is resolved from the client's registration (AttestoPhoenix.Config.client_ciba_registration/2, :client_notification_endpoint), looked up by the client_id the core decision returns; a ping request whose client has no resolvable endpoint simply sends nothing (logged).

Summary

Functions

Record a successful authentication + consent for auth_req_id, then deliver the ping notification when the request is ping-mode. approval carries :subject (required, and it MUST match the issue-time subject), and optionally :acr, :scope, :claims, :auth_time. Returns the Attesto.CIBA.approve/4 result.

Record a denial for auth_req_id (the user refused or failed authentication), then deliver the ping notification when the request is ping-mode. Returns the Attesto.CIBA.deny/3 result.

Functions

approve(config, auth_req_id, approval, opts \\ [])

@spec approve(AttestoPhoenix.Config.t(), String.t(), map(), keyword()) ::
  {:ok, Attesto.CIBA.decision()} | {:error, term()}

Record a successful authentication + consent for auth_req_id, then deliver the ping notification when the request is ping-mode. approval carries :subject (required, and it MUST match the issue-time subject), and optionally :acr, :scope, :claims, :auth_time. Returns the Attesto.CIBA.approve/4 result.

deny(config, auth_req_id, opts \\ [])

@spec deny(AttestoPhoenix.Config.t(), String.t(), keyword()) ::
  {:ok, Attesto.CIBA.decision()} | {:error, term()}

Record a denial for auth_req_id (the user refused or failed authentication), then deliver the ping notification when the request is ping-mode. Returns the Attesto.CIBA.deny/3 result.