AttestoPhoenix.Controller.DeviceAuthorizationController (AttestoPhoenix v0.19.1)


OAuth 2.0 Device Authorization Endpoint (RFC 8628 §3.1).

Handles POST /oauth/device_authorization. This module owns the HTTP framing only: it resolves the host %AttestoPhoenix.Config{}, applies no-store cache headers, authenticates the client (RFC 6749 §2.3 — public clients are admitted, since a browserless device with no secret is the point of the grant), lifts the request and the DPoP facts into a plain AttestoPhoenix.AuthorizationServer.DeviceAuthorization.Request, calls the conn-free core, and renders the RFC 8628 §3.2 JSON response (or an RFC 6749 §5.2 error). Every grant/binding decision lives in the core.

The endpoint is served only when the host enables the grant (device_authorization: [enabled: true]); otherwise it responds with invalid_request (the route should not be mounted at all when disabled).
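A host-side check of what this endpoint is documented to return, as an added example that is not AttestoPhoenix code: it tests a response for the no-store cache header, the RFC 8628 §3.2 fields on success, and an RFC 6749 §5.2 error code on failure. The module name DeviceAuthzCheck, the {status, headers, body} tuple shape, the 400 status for the disabled case, and all sample values are assumptions constructed for illustration.

```elixir
# Added example, not AttestoPhoenix code. Module name and samples are constructed.
defmodule DeviceAuthzCheck do
  @strings ~w(device_code user_code verification_uri)

  # Takes {status, headers, decoded_json_body}; returns a list of problems.
  def problems({status, headers, body}) do
    cache_problems(headers) ++ body_problems(status, body)
  end

  # The endpoint is documented to apply no-store cache headers.
  defp cache_problems(headers) do
    directives =
      for {name, value} <- headers,
          String.downcase(name) == "cache-control",
          part <- String.split(value, ","),
          do: part |> String.trim() |> String.downcase()

    if "no-store" in directives, do: [], else: ["Cache-Control lacks no-store"]
  end

  # RFC 8628 §3.2: required fields, plus the optional polling interval.
  defp body_problems(200, body) do
    strings = for key <- @strings, not nonempty?(body[key]), do: "#{key} missing or empty"
    ttl = if pos_int?(body["expires_in"]), do: [], else: ["expires_in is not a positive integer"]
    n = Map.get(body, "interval", 5)
    interval = if is_integer(n) and n >= 0, do: [], else: ["interval is not a non-negative integer"]
    strings ++ ttl ++ interval
  end

  # RFC 6749 §5.2: an error response carries an "error" code.
  defp body_problems(status, body) when status in 400..499 do
    if nonempty?(body["error"]), do: [], else: ["error response lacks an error code"]
  end

  defp body_problems(status, _body), do: ["unexpected status #{status}"]
  defp nonempty?(v), do: is_binary(v) and v != ""
  defp pos_int?(v), do: is_integer(v) and v > 0
end

# Constructed samples: success, grant disabled (400 assumed), and a bad response.
good = %{"device_code" => "dc-EXAMPLE", "user_code" => "ABCD-EFGH",
         "verification_uri" => "https://as.example/device", "expires_in" => 600}
[
  {200, [{"cache-control", "no-store"}], good},
  {400, [{"cache-control", "no-store"}], %{"error" => "invalid_request"}},
  {200, [{"cache-control", "private"}], Map.put(good, "expires_in", "600")}
]
|> Enum.each(&IO.inspect(DeviceAuthzCheck.problems(&1)))
```

In a host application's tests the tuple can be built from conn.status, conn.resp_headers and the decoded response body.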

Summary

Functions

create(conn, params)

@spec create(Plug.Conn.t(), map()) :: Plug.Conn.t()