# `Attesto.Discovery`
[🔗](https://github.com/XukuLLC/attesto/blob/v0.13.0/lib/attesto/discovery.ex#L1)

RFC 8414 - OAuth 2.0 Authorization Server Metadata.

Build the JSON document a client fetches from
`/.well-known/oauth-authorization-server` (or the OIDC
`/.well-known/openid-configuration`) to discover how to talk to the
issuer: where the token and JWKS endpoints are, which grants and
challenge methods are supported, and which DPoP algorithms the server
accepts.

Attesto fills the fields it can derive or fix by protocol:

  * `issuer` and `token_endpoint` from the `Attesto.Config`.
  * `jwks_uri` derived from the issuer (overridable).
  * `code_challenge_methods_supported` is `["S256"]` - Attesto's PKCE is
    S256 only.
  * `dpop_signing_alg_values_supported` from `Attesto.DPoP.allowed_algs/0`.
  * `grant_types_supported` defaults to `["client_credentials"]`.

Everything host-specific (the authorization, revocation, introspection,
and registration endpoints; the supported scopes, response types, and
client-authentication methods) is supplied through `opts` and merged in.
`nil` opt values are dropped so the document only advertises what the
host actually implements.

The result is a string-keyed map ready to serialise as the endpoint's
JSON body.

# `metadata`

```elixir
@spec metadata(
  Attesto.Config.t(),
  keyword()
) :: %{required(String.t()) => term()}
```

Build the authorization-server metadata document for `config`.

Options:

  * `:jwks_uri` - the full JWKS URL. Defaults to the issuer merged with
    `/.well-known/jwks.json`.
  * `:grant_types_supported` - defaults to `["client_credentials"]`.
  * `:authorization_endpoint`, `:revocation_endpoint`,
    `:introspection_endpoint`, `:registration_endpoint`,
    `:userinfo_endpoint` - host endpoint URLs, included only if given.
  * `:scopes_supported`, `:response_types_supported`,
    `:response_modes_supported`, `:token_endpoint_auth_methods_supported`,
    `:service_documentation`, `:ui_locales_supported` - included only if
    given.
  * `:pushed_authorization_request_endpoint` (RFC 9126),
    `:require_pushed_authorization_requests` - the PAR endpoint URL and
    whether the server mandates PAR; included only if given.
  * `:client_id_metadata_document_supported`
    (`draft-ietf-oauth-client-id-metadata-document-01` §6) - a boolean
    advertising whether the server dereferences an HTTPS `client_id` URL to a
    client metadata document; included only if given.

The accepted host fields are the RFC 8414 §2 allowlist in
`@host_fields`; the enumeration above is illustrative. Any other opt key
is ignored.
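As an added standalone illustration (not Attesto's own code), the following module assembles the document the way the text describes: fixed protocol fields, issuer-derived `jwks_uri`, and an allowlisted, nil-stripped set of host opts, with an RFC 8414 §2 sanity check on the issuer. It takes `issuer`, `token_endpoint` and `dpop_algs` as plain arguments in place of `Attesto.Config` and `Attesto.DPoP.allowed_algs/0`, and its `@host_fields` list is an assumption rather than Attesto's actual allowlist.

```elixir
defmodule DiscoveryExample do
  # Host-supplied RFC 8414 §2 fields this example accepts; Attesto's own
  # `@host_fields` allowlist may differ (assumption).
  @host_fields ~w(authorization_endpoint revocation_endpoint introspection_endpoint
    registration_endpoint userinfo_endpoint scopes_supported response_types_supported
    response_modes_supported token_endpoint_auth_methods_supported service_documentation
    ui_locales_supported pushed_authorization_request_endpoint
    require_pushed_authorization_requests client_id_metadata_document_supported)a

  # `dpop_algs` stands in for `Attesto.DPoP.allowed_algs/0`.
  def metadata(issuer, token_endpoint, dpop_algs, opts \\ []) do
    issuer = check_issuer!(issuer)

    fixed = %{
      "issuer" => issuer,
      "token_endpoint" => token_endpoint,
      # Overridable via :jwks_uri; otherwise the issuer merged with the well-known path.
      "jwks_uri" =>
        Keyword.get(opts, :jwks_uri) ||
          issuer |> URI.merge("/.well-known/jwks.json") |> URI.to_string(),
      "code_challenge_methods_supported" => ["S256"],
      "dpop_signing_alg_values_supported" => dpop_algs,
      "grant_types_supported" =>
        Keyword.get(opts, :grant_types_supported) || ["client_credentials"]
    }

    # Keep only allowlisted host opts, drop nils, and string-key them.
    host =
      opts
      |> Keyword.take(@host_fields)
      |> Enum.reject(fn {_key, value} -> is_nil(value) end)
      |> Map.new(fn {key, value} -> {Atom.to_string(key), value} end)

    # Fixed fields win, so a host opt cannot weaken the protocol-set values.
    Map.merge(host, fixed)
  end

  # RFC 8414 §2: the issuer is an https URL with no query or fragment.
  defp check_issuer!(issuer) do
    case URI.parse(issuer) do
      %URI{scheme: "https", query: nil, fragment: nil} -> issuer
      _ -> raise ArgumentError, "issuer must be an https URL without query or fragment"
    end
  end
end

# Constructed input: a host with PAR and scopes but no revocation endpoint.
DiscoveryExample.metadata("https://as.example.test", "https://as.example.test/oauth/token",
  ["ES256"], pushed_authorization_request_endpoint: "https://as.example.test/oauth/par",
  revocation_endpoint: nil, scopes_supported: ["read"])
```

The returned map contains `pushed_authorization_request_endpoint` and `scopes_supported` but no `revocation_endpoint` key, and `jwks_uri` resolves to `https://as.example.test/.well-known/jwks.json`; it is ready to hand to a JSON encoder as the endpoint body.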

---

*Consult [api-reference.md](api-reference.md) for the complete listing*
