AttestoPhoenix.Controller.BackchannelAuthenticationController (AttestoPhoenix v1.2.0)

Copy Markdown View Source

OpenID Connect CIBA backchannel authentication endpoint (CIBA Core 1.0 §7.1).

Handles POST /oauth/bc-authorize. This module owns the HTTP framing only: it resolves the host %AttestoPhoenix.Config{}, applies no-store cache headers, authenticates the client, lifts the request into a plain AttestoPhoenix.AuthorizationServer.BackchannelAuthentication.Request, calls the conn-free core, and renders the CIBA §7.3 acknowledgement JSON (or a §13 / RFC 6749 §5.2 error). Every grant/binding decision lives in the core.

Unlike the device-authorization endpoint, CIBA is confidential-clients-only (FAPI-CIBA §5.2.2): the client authenticates with private_key_jwt or mTLS (allow_public: false), so a public/:none client is rejected.

The endpoint is served only when the host enables the grant (ciba: [enabled: true]) AND mounts it (ciba: true on attesto_routes/1); otherwise it responds invalid_request (the route should not be mounted at all when disabled).

Summary

Functions

create(conn, params)

@spec create(Plug.Conn.t(), map()) :: Plug.Conn.t()