API Reference Attesto v0.13.0

Modules

A vendor-neutral OAuth 2.0 / OIDC authorization-server and resource-server engine.

RFC 6749 §4.1 authorization-code grant, with mandatory PKCE (RFC 7636, S256) and optional DPoP binding of the code (RFC 9449 §10).

The validated context a successfully redeemed authorization code yields.

Authorization endpoint request validation (RFC 6749 §4.1.1, OIDC Core §3.1.2.1, RFC 7636 §4.3).

private_key_jwt client authentication verification (RFC 7523 / OIDC Core).

Client ID Metadata Documents - CIMD (draft-ietf-oauth-client-id-metadata-document-01, IETF OAuth WG).

Refuse to start a per-node ETS store on a clustered BEAM.

Storage seam for authorization codes.

Single-node ETS implementation of Attesto.CodeStore.

Immutable configuration a token operation runs against.

RFC 9449 - OAuth 2.0 Demonstrating Proof of Possession (DPoP).

Storage seam for server-issued DPoP nonces (RFC 9449 §8).

Single-node ETS implementation of Attesto.DPoP.NonceStore.

In-memory, TTL-bounded cache of seen DPoP proof jti values.

RFC 8628 Device Authorization Grant — the conn-free core.

The validated context a successfully redeemed device code yields (RFC 8628 §3.4).

Storage seam for the RFC 8628 device authorization grant.

Single-node ETS implementation of Attesto.DeviceCodeStore.

RFC 8414 - OAuth 2.0 Authorization Server Metadata.

Validate an OpenID Connect RP-Initiated Logout request (OpenID Connect RP-Initiated Logout 1.0 §2-3).

Mint and verify OpenID Connect ID Tokens (OpenID Connect Core 1.0 §2).

Identity Assertion JWT Authorization Grant (ID-JAG) verification - the resource Authorization Server's half of the Identity Assertion Authorization Grant (draft-ietf-oauth-identity-assertion-authz-grant-04), the grant behind MCP Enterprise-Managed Authorization (EMA).

OAuth 2.0 Token Introspection (RFC 7662), conn-free core.

JWT Secured Authorization Response Mode (JARM).

RFC 7517 - publish the signing keys' public halves as a JWK Set.

Pure helpers for working with signing material as PEM strings.

The behaviour Attesto uses to obtain signing and verification keys.

A simple Attesto.Keystore backed by application configuration.

Storage seam for OpenID Connect Back-Channel Logout 1.0.

Mint OpenID Connect Back-Channel Logout logout_tokens (OpenID Connect Back-Channel Logout 1.0 §2.4).

RFC 8705 - OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens.

OpenID Connect Discovery 1.0 - OpenID Provider Metadata (§3).

RFC 7636 - Proof Key for Code Exchange (PKCE).

Authenticate a protected-resource request: verify the access token and, for a DPoP-bound or mTLS-bound token, the sender-constraint proof.

Render the RFC 6750 / RFC 9449 error responses for the Attesto plugs.

Authorize a request against the scopes on the verified token.

One kind of subject a token can describe.

RFC 9728 - OAuth 2.0 Protected Resource Metadata.

Storage seam for refresh tokens, with the atomic primitive that makes reuse detection possible.

Single-node ETS implementation of Attesto.RefreshStore.

Refresh-token issuance and rotation with reuse detection (RFC 6749 §6 / §10.4, OAuth 2.0 Security BCP).

Signed OpenID Connect Request Object verification (JAR, RFC 9101 / OIDC §6.1).

Verification policy for signed authorization request objects (JAR, RFC 9101).

RFC 8707 Resource Indicators for OAuth 2.0 — the conn-free primitive.

RFC 7009 - OAuth 2.0 Token Revocation, for refresh tokens.

Scope grant-form matching for OAuth-style <resource>.<action> scopes.

Generate and hash the opaque secrets that back stateful grants.

Constant-time comparison of two binaries.

JWT response for OAuth 2.0 Token Introspection (RFC 9701).

Key-derived JOSE signing algorithm helpers.

RFC 9470 Step-Up Authentication Challenge — the conn-free core primitive.

A normalized RFC 9470 step-up authentication requirement for a protected route.

DPoP test fixtures for host application suites.

Server-side DPoP verification harness for host application test suites.

Canonical SHA-256 thumbprint shape, shared across the sender-constraint schemes.

Mint and verify RS256 JWT access tokens.