Lockspire.Protocol.Registration (lockspire v1.0.0)

RFC 7591 dynamic client registration intake — Plug.Conn-free orchestrator.

Pipeline (per Phase 26 D-13, refined per RESEARCH Q5 RESOLVED):

  1. Precondition gate — when server_policy.registration_policy == :initial_access_token and iat == nil, reject with %Error{code: :invalid_token, field: :iat, reason: :missing} BEFORE any other step.
  2. IAT redemption via Lockspire.Protocol.InitialAccessToken.redeem/1 (skipped if iat is nil).
  3. DcrPolicy resolution via Lockspire.Protocol.DcrPolicy.resolve/3 (Phase 25).
  4. Slice-specific intake validation (D-14 jwks/coherence/redirect + D-15 PKCE floor).
  5. Credential generation (client_id, client_secret, registration_access_token).
  6. Persistence via Lockspire.Admin.Clients.create_dcr_client/1 (DCR-aware persistence helper from plan 26-01 task 4 — preserves provenance/RAT-hash/IAT-FK/issued_at/expires_at verbatim, unlike the legacy Lockspire.Clients.register_client/1 which strips them).
  7. Post-commit audit + telemetry emission (:dcr_registration_succeeded / :dcr_registration_rejected).

Per D-11 IAT-style enumeration defense, IAT redemption failures collapse to %Error{code: :invalid_token} (the discriminator stays in telemetry).
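Steps 1 and 2 and the failure collapse described above, as an added sketch that is not Lockspire's own code. The module `RegistrationGateSketch`, its nested `Error` struct, the injected `redeem` function, the failure reason atoms and the use of `Logger` in place of telemetry are all assumptions made for illustration.

```elixir
defmodule RegistrationGateSketch do
  require Logger

  # Hypothetical stand-in for the %Error{} struct shown on this page.
  defmodule Error do
    defstruct [:code, :field, :reason]
  end

  # `redeem` is an injected 1-arity function (assumption) returning
  # {:ok, record} or {:error, reason}; it stands in for IAT redemption.
  def intake(policy, iat, redeem) do
    with :ok <- precondition(policy, iat),
         {:ok, record} <- redeem_iat(iat, redeem) do
      {:ok, record}
    end
  end

  # Step 1: a missing token under the :initial_access_token policy is
  # rejected before redemption or any later step runs.
  defp precondition(:initial_access_token, nil),
    do: {:error, %Error{code: :invalid_token, field: :iat, reason: :missing}}

  defp precondition(_policy, _iat), do: :ok

  # Step 2: skipped when no token was presented.
  defp redeem_iat(nil, _redeem), do: {:ok, nil}

  defp redeem_iat(iat, redeem) do
    case redeem.(iat) do
      {:ok, record} -> {:ok, record}

      {:error, reason} ->
        # The discriminator goes to the log only (stand-in for telemetry).
        Logger.warning("dcr_registration_rejected reason=#{inspect(reason)}")
        {:error, %Error{code: :invalid_token}}
    end
  end
end

# Constructed tokens and failure reasons, for illustration only.
redeem = fn
  "good" -> {:ok, %{id: 1}}
  "used" -> {:error, :already_redeemed}
  _other -> {:error, :not_found}
end

IO.inspect(RegistrationGateSketch.intake(:initial_access_token, nil, redeem))
IO.inspect(RegistrationGateSketch.intake(:initial_access_token, "used", redeem))
IO.inspect(RegistrationGateSketch.intake(:initial_access_token, "nope", redeem))
```

The last two calls return the same error value to the caller, so a client cannot tell an already-redeemed token from one that never existed; only the log line differs.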

Summary

Types

result()

@type result() :: {:ok, struct()} | {:error, struct()}

Functions

register(request)

@spec register(map()) :: result()