# AttestoPhoenix v0.19.0 - Table of Contents

> Phoenix/Ecto OAuth 2.0 / OIDC authorization server layer over attesto: authorization, token, PAR, revocation, discovery, JWKS, UserInfo, protected-resource plugs, and Ecto-backed token stores.

## Pages

- [AttestoPhoenix](readme.md)
- Guides
  - [Example configurations](examples.md)
  - [Migrating to Attesto from Boruta or a custom OAuth provider](consumer_migration.md)
  - [Issuer, resource, and redirect URL correctness behind a proxy](proxy_canonical_host.md)
  - [DPoP replay and nonce stores in production](replay_nonce_production.md)
  - [Fitting OAuth errors into an existing JSON error envelope](error_envelope.md)
  - [Identity Assertion grant (ID-JAG / MCP Enterprise-Managed Authorization)](identity_assertion_grant.md)
- Notebooks
  - [AttestoPhoenix Live Demo](attesto_phoenix_demo.md)
- Changelog
  - [Changelog](changelog.md)
- License
  - [LICENSE](license.md)

## Modules

- [AttestoPhoenix.AuthorizationServer.DeviceAuthorization](AttestoPhoenix.AuthorizationServer.DeviceAuthorization.md): Device authorization request processing (RFC 8628 §3.1 / §3.2), as conn-free core.
- [AttestoPhoenix.AuthorizationServer.DeviceAuthorization.Request](AttestoPhoenix.AuthorizationServer.DeviceAuthorization.Request.md): Plain-data device-authorization request the controller builds from the conn.
- [AttestoPhoenix.AuthorizationServer.JwtBearer](AttestoPhoenix.AuthorizationServer.JwtBearer.md): The resource server's half of the Identity Assertion JWT Authorization Grant (ID-JAG), the grant behind MCP Enterprise-Managed Authorization (EMA) - `draft-ietf-oauth-identity-assertion-authz-grant-04`.
- [AttestoPhoenix.AuthorizationServer.PAR](AttestoPhoenix.AuthorizationServer.PAR.md): Pushed Authorization Request storage (RFC 9126), as conn-free core.
- [AttestoPhoenix.AuthorizationServer.PAR.Request](AttestoPhoenix.AuthorizationServer.PAR.Request.md): A parsed Pushed Authorization Request (RFC 9126), all plain data lifted at the controller edge.
- [AttestoPhoenix.AuthorizationServer.RequestObjectMetadata](AttestoPhoenix.AuthorizationServer.RequestObjectMetadata.md): Conn-free derivation of the signed-request-object (JAR / RFC 9101 §10.5) discovery metadata shared by the OpenID Provider Metadata document (OpenID Connect Discovery) and the OAuth 2.0 Authorization Server Metadata document (RFC 8414).
- [AttestoPhoenix.AuthorizationServer.RequestPolicy](AttestoPhoenix.AuthorizationServer.RequestPolicy.md): Conn-free resolution of the per-request authorization-request validation policy shared by the authorization endpoint and the PAR endpoint.
- [AttestoPhoenix.AuthorizationServer.SenderConstraint](AttestoPhoenix.AuthorizationServer.SenderConstraint.md): Sender-constraint resolution for the token endpoint (RFC 9449 / RFC 8705), as conn-free core.
- [AttestoPhoenix.AuthorizationServer.Token](AttestoPhoenix.AuthorizationServer.Token.md): Token-endpoint grant processing (RFC 6749 §3.2), as conn-free core.
- [AttestoPhoenix.AuthorizationServer.Token.Request](AttestoPhoenix.AuthorizationServer.Token.Request.md): A parsed token request, all plain data lifted at the controller edge.
- [AttestoPhoenix.BackChannelLogout](AttestoPhoenix.BackChannelLogout.md): The seam for delivering a Back-Channel Logout `logout_token` to a Relying Party (OpenID Connect Back-Channel Logout 1.0 §2.5).
- [AttestoPhoenix.BackChannelLogout.Req](AttestoPhoenix.BackChannelLogout.Req.md): Default `AttestoPhoenix.BackChannelLogout` deliverer, built on `Req`.
- [AttestoPhoenix.Callback](AttestoPhoenix.Callback.md): Invocation of configured callbacks in the forms accepted throughout the library.
- [AttestoPhoenix.ClaimsProvider](AttestoPhoenix.ClaimsProvider.md): The host-owned UserInfo claim source (OpenID Connect Core §5).
- [AttestoPhoenix.ClientAuthentication](AttestoPhoenix.ClientAuthentication.md): OAuth 2.0 client authentication (RFC 6749 §2.3), as conn-free core.
- [AttestoPhoenix.ClientAuthentication.ErrorContext](AttestoPhoenix.ClientAuthentication.ErrorContext.md): Transport facts known while classifying client authentication.
- [AttestoPhoenix.ClientAuthentication.Policy](AttestoPhoenix.ClientAuthentication.Policy.md): The per-caller policy for `AttestoPhoenix.ClientAuthentication`.
- [AttestoPhoenix.ClientAuthentication.Result](AttestoPhoenix.ClientAuthentication.Result.md): The authenticated client and how it authenticated.
- [AttestoPhoenix.ClientIdMetadata](AttestoPhoenix.ClientIdMetadata.md): Integration façade for Client ID Metadata Documents - CIMD (`draft-ietf-oauth-client-id-metadata-document-01`, IETF OAuth WG).
- [AttestoPhoenix.ClientIdMetadata.Cache](AttestoPhoenix.ClientIdMetadata.Cache.md): Behaviour for caching a validated Client ID Metadata Document - CIMD (`draft-ietf-oauth-client-id-metadata-document-01`, IETF OAuth WG).
- [AttestoPhoenix.ClientIdMetadata.Cache.ETS](AttestoPhoenix.ClientIdMetadata.Cache.ETS.md): Single-node ETS `AttestoPhoenix.ClientIdMetadata.Cache` - CIMD (`draft-ietf-oauth-client-id-metadata-document-01`, IETF OAuth WG).
- [AttestoPhoenix.ClientIdMetadata.Cache.Ecto](AttestoPhoenix.ClientIdMetadata.Cache.Ecto.md): Postgres-backed `AttestoPhoenix.ClientIdMetadata.Cache` for clustered deployments - CIMD (`draft-ietf-oauth-client-id-metadata-document-01`, IETF OAuth WG).
- [AttestoPhoenix.ClientIdMetadata.Fetcher](AttestoPhoenix.ClientIdMetadata.Fetcher.md): Behaviour for dereferencing a Client ID Metadata Document URL - CIMD (`draft-ietf-oauth-client-id-metadata-document-01`, IETF OAuth WG).
- [AttestoPhoenix.ClientIdMetadata.Fetcher.Req](AttestoPhoenix.ClientIdMetadata.Fetcher.Req.md): The default, SSRF-guarded Client ID Metadata Document fetcher - CIMD (`draft-ietf-oauth-client-id-metadata-document-01`, IETF OAuth WG).
- [AttestoPhoenix.ClientIdMetadata.Resolver](AttestoPhoenix.ClientIdMetadata.Resolver.md): Resolves a Client ID Metadata Document URL into a client - CIMD (`draft-ietf-oauth-client-id-metadata-document-01`, IETF OAuth WG).
- [AttestoPhoenix.ConsentGrant](AttestoPhoenix.ConsentGrant.md): The request binding a single-use consent grant is tied to, and the canonical hash over it (RFC 6749 §4.1.1).
- [AttestoPhoenix.ConsentGrantStore](AttestoPhoenix.ConsentGrantStore.md): Behaviour for single-use, request-bound consent grants (RFC 6749 §4.1.1).
- [AttestoPhoenix.Controller.AuthorizeController](AttestoPhoenix.Controller.AuthorizeController.md): OAuth 2.0 / OpenID Connect authorization endpoint (RFC 6749 §3.1, OIDC Core §3.1.2).
- [AttestoPhoenix.Controller.DeviceAuthorizationController](AttestoPhoenix.Controller.DeviceAuthorizationController.md): OAuth 2.0 Device Authorization Endpoint (RFC 8628 §3.1).
- [AttestoPhoenix.Controller.DeviceVerificationController](AttestoPhoenix.Controller.DeviceVerificationController.md): Device verification page (RFC 8628 §3.3).
- [AttestoPhoenix.Controller.EndSessionController](AttestoPhoenix.Controller.EndSessionController.md): End-session endpoint (OpenID Connect RP-Initiated Logout 1.0 §2 + Back-Channel Logout 1.0).
- [AttestoPhoenix.Controller.IntrospectionController](AttestoPhoenix.Controller.IntrospectionController.md): `POST /oauth/introspect` - OAuth 2.0 Token Introspection (RFC 7662), with the signed-JWT response of RFC 9701 (FAPI 2.0 Message Signing §5.5).
- [AttestoPhoenix.Controller.OpenIDConfigurationController](AttestoPhoenix.Controller.OpenIDConfigurationController.md): OpenID Connect Discovery 1.0 - OpenID Provider Metadata endpoint.
- [AttestoPhoenix.Controller.ProtectedResourceController](AttestoPhoenix.Controller.ProtectedResourceController.md): RFC 9728 - OAuth 2.0 Protected Resource Metadata endpoint.
- [AttestoPhoenix.Plug.Authenticate](AttestoPhoenix.Plug.Authenticate.md): Phoenix-friendly protected-resource authentication.
- [AttestoPhoenix.Plug.RequireScopes](AttestoPhoenix.Plug.RequireScopes.md): Phoenix alias for `Attesto.Plug.RequireScopes`.
- [AttestoPhoenix.Schema.ClientIdMetadata](AttestoPhoenix.Schema.ClientIdMetadata.md): Ecto schema for one cached Client ID Metadata Document - CIMD (`draft-ietf-oauth-client-id-metadata-document-01`, IETF OAuth WG).
- [AttestoPhoenix.Schema.ConsentGrant](AttestoPhoenix.Schema.ConsentGrant.md): Ecto schema for a single-use, request-bound consent grant (RFC 6749 §4.1.1).
- [AttestoPhoenix.Schema.DeviceCode](AttestoPhoenix.Schema.DeviceCode.md): Ecto schema + record bridge for the RFC 8628 device-code store (`AttestoPhoenix.Store.EctoDeviceCodeStore`).
- [AttestoPhoenix.Schema.LogoutSession](AttestoPhoenix.Schema.LogoutSession.md): Ecto schema + record bridge for the Back-Channel Logout session store (`AttestoPhoenix.Store.EctoLogoutSessionStore`).
- [AttestoPhoenix.Schema.PushedAuthorizationRequest](AttestoPhoenix.Schema.PushedAuthorizationRequest.md): Ecto schema for a single Pushed Authorization Request (RFC 9126).
- [AttestoPhoenix.Store.EctoConsentGrantStore](AttestoPhoenix.Store.EctoConsentGrantStore.md): Postgres-backed `AttestoPhoenix.ConsentGrantStore` (RFC 6749 §4.1.1).
- [AttestoPhoenix.Store.EctoDeviceCodeStore](AttestoPhoenix.Store.EctoDeviceCodeStore.md): Ecto/Postgres implementation of `Attesto.DeviceCodeStore`.
- [AttestoPhoenix.Store.EctoLogoutSessionStore](AttestoPhoenix.Store.EctoLogoutSessionStore.md): Ecto/Postgres implementation of `Attesto.LogoutSessionStore`.
- [AttestoPhoenix.Store.EctoPARStore](AttestoPhoenix.Store.EctoPARStore.md): Postgres-backed `AttestoPhoenix.PARStore` for clustered deployments (RFC 9126).
- [AttestoPhoenix.Store.NonceStore](AttestoPhoenix.Store.NonceStore.md): Dispatch to the configured `Attesto.DPoP.NonceStore`, threading the live request `%AttestoPhoenix.Config{}` to stores that need it (RFC 9449 §8).
- Setup
  - [AttestoPhoenix](AttestoPhoenix.md): A Phoenix/Ecto OAuth 2.0 / OIDC authorization-server and resource-server layer built on top of `Attesto`.
  - [AttestoPhoenix.Config](AttestoPhoenix.Config.md): Configuration for the `attesto_phoenix` authorization-server layer.
  - [AttestoPhoenix.Router](AttestoPhoenix.Router.md): Router macro that mounts the authorization-server endpoints.
- Host contracts (behaviours)
  - [AttestoPhoenix.ClientStore](AttestoPhoenix.ClientStore.md): The host-owned OAuth client registry contract (RFC 6749 §2 / §3.1.2).
  - [AttestoPhoenix.ConsentPolicy](AttestoPhoenix.ConsentPolicy.md): The host-owned resource-owner authentication and consent contract (RFC 6749 §3.1 / §4.1.1, OpenID Connect Core §3.1.2).
  - [AttestoPhoenix.EventSink](AttestoPhoenix.EventSink.md): The host-owned audit/telemetry contract.
  - [AttestoPhoenix.PrincipalStore](AttestoPhoenix.PrincipalStore.md): The host-owned subject/principal contract.
  - [AttestoPhoenix.RegistrationStore](AttestoPhoenix.RegistrationStore.md): The host-owned dynamic client registration persistence contract (RFC 7591 §3 / RFC 7592 §2).
  - [AttestoPhoenix.ScopePolicy](AttestoPhoenix.ScopePolicy.md): The host-owned scope-authorization contract (RFC 6749 §3.3).
- Controllers
  - [AttestoPhoenix.Controller.DiscoveryController](AttestoPhoenix.Controller.DiscoveryController.md): RFC 8414 - OAuth 2.0 Authorization Server Metadata endpoint.
  - [AttestoPhoenix.Controller.JWKSController](AttestoPhoenix.Controller.JWKSController.md): `GET /.well-known/jwks.json` - the JSON Web Key Set (RFC 7517 §5).
  - [AttestoPhoenix.Controller.PARController](AttestoPhoenix.Controller.PARController.md): Pushed Authorization Request endpoint (RFC 9126).
  - [AttestoPhoenix.Controller.RegistrationController](AttestoPhoenix.Controller.RegistrationController.md): OAuth 2.0 Dynamic Client Registration endpoint (RFC 7591 §3).
  - [AttestoPhoenix.Controller.RevocationController](AttestoPhoenix.Controller.RevocationController.md): `POST /oauth/revoke` - OAuth 2.0 Token Revocation (RFC 7009).
  - [AttestoPhoenix.Controller.TokenController](AttestoPhoenix.Controller.TokenController.md): OAuth 2.0 token endpoint (RFC 6749 §3.2).
  - [AttestoPhoenix.Controller.UserinfoController](AttestoPhoenix.Controller.UserinfoController.md): OpenID Connect UserInfo endpoint (OpenID Connect Core 1.0 §5.3).
- OpenAPI
  - [AttestoPhoenix.OpenAPI.TokenEndpoint](AttestoPhoenix.OpenAPI.TokenEndpoint.md): OpenApiSpex operation and schema values for the OAuth 2.0 token endpoint.
- Stores
  - [AttestoPhoenix.Store.EctoCodeStore](AttestoPhoenix.Store.EctoCodeStore.md): Ecto implementation of the `Attesto.CodeStore` behaviour.
  - [AttestoPhoenix.Store.EctoNonceStore](AttestoPhoenix.Store.EctoNonceStore.md): Postgres-backed `Attesto.DPoP.NonceStore` for clustered deployments (RFC 9449 §8).
  - [AttestoPhoenix.Store.EctoRefreshStore](AttestoPhoenix.Store.EctoRefreshStore.md): Ecto implementation of the `Attesto.RefreshStore` behaviour.
  - [AttestoPhoenix.Store.EctoReplayCheck](AttestoPhoenix.Store.EctoReplayCheck.md): Ecto-backed, shared-store `jti` replay check for DPoP proofs (RFC 9449 §11.1).
  - [AttestoPhoenix.Store.PAR.ETS](AttestoPhoenix.Store.PAR.ETS.md): Single-node ETS Pushed Authorization Request store.
  - [AttestoPhoenix.Store.Sweeper](AttestoPhoenix.Store.Sweeper.md): Optional periodic housekeeping `GenServer` that deletes expired rows from the Ecto-backed authorization-code, refresh-token, DPoP-nonce, DPoP-replay, pushed-authorization-request, client-id-metadata-cache, and consent-grant tables.
- Schemas
  - [AttestoPhoenix.Schema.Authorization](AttestoPhoenix.Schema.Authorization.md): Ecto schema for the single-use authorization codes backing an `Attesto.CodeStore`.
  - [AttestoPhoenix.Schema.DPoPNonce](AttestoPhoenix.Schema.DPoPNonce.md): Ecto schema for a single server-issued DPoP nonce (RFC 9449 §8).
  - [AttestoPhoenix.Schema.DPoPReplay](AttestoPhoenix.Schema.DPoPReplay.md): Ecto schema for one recorded DPoP proof `jti` (JWT ID).
  - [AttestoPhoenix.Schema.RefreshToken](AttestoPhoenix.Schema.RefreshToken.md): Ecto schema for the refresh-token records that back an Ecto-backed `Attesto.RefreshStore`.
- Shared
  - [AttestoPhoenix.Event](AttestoPhoenix.Event.md): Neutral event struct and dispatcher for the optional `:on_event` callback.
  - [AttestoPhoenix.OAuthError](AttestoPhoenix.OAuthError.md): The error value type and the wire-rendering helpers for the authorization-server controllers and the protected-resource plugs.
  - [AttestoPhoenix.PARStore](AttestoPhoenix.PARStore.md): Behaviour for Pushed Authorization Request storage (RFC 9126).
  - [AttestoPhoenix.RequestContext](AttestoPhoenix.RequestContext.md): Neutral request-fact helpers the OAuth 2.0 / OIDC flows derive from a `Plug.Conn`.

## Mix Tasks

- [mix attesto_phoenix.gen.migration](Mix.Tasks.AttestoPhoenix.Gen.Migration.md): Generates an Ecto migration that creates the persistence backing the Ecto-based stores shipped with `attesto_phoenix`.
- [mix attesto_phoenix.install](Mix.Tasks.AttestoPhoenix.Install.md): Installs the attesto_phoenix authorization-server layer into a Phoenix app