AttestoPhoenix. Controller. BackchannelAuthenticationController
(AttestoPhoenix v1.2.0)
Copy Markdown
View Source
OpenID Connect CIBA backchannel authentication endpoint (CIBA Core 1.0 §7.1).
Handles POST /oauth/bc-authorize. This module owns the HTTP framing only: it
resolves the host %AttestoPhoenix.Config{}, applies no-store cache headers,
authenticates the client, lifts the request into a plain
AttestoPhoenix.AuthorizationServer.BackchannelAuthentication.Request, calls
the conn-free core, and renders the CIBA §7.3 acknowledgement JSON (or a
§13 / RFC 6749 §5.2 error). Every grant/binding decision lives in the core.
Unlike the device-authorization endpoint, CIBA is confidential-clients-only
(FAPI-CIBA §5.2.2): the client authenticates with private_key_jwt or mTLS
(allow_public: false), so a public/:none client is rejected.
The endpoint is served only when the host enables the grant
(ciba: [enabled: true]) AND mounts it (ciba: true on attesto_routes/1);
otherwise it responds invalid_request (the route should not be mounted at
all when disabled).
Summary
Functions
@spec create(Plug.Conn.t(), map()) :: Plug.Conn.t()