AshAuthentication.Oauth2Server.Register (ash_authentication_oauth2_server v0.1.0)

Protocol-pure logic for /oauth/register (RFC 7591 Dynamic Client Registration).

v1 supports public clients only (PKCE, token_endpoint_auth_method: "none"). Confidential clients (client_secret_basic) are deferred.

Registration is open by default — the standard RFC 7591 mode. To gate it, set :initial_access_token on your Oauth2Server module and pass the request's bearer token via opts[:initial_access_token] when calling register/3 (RFC 7591 §3).

Summary

Functions

Register a new OAuth client from RFC 7591-shaped parameters.

Functions

register(server, params, opts \\ [])

@spec register(server :: module(), params :: map(), opts :: keyword()) ::
  {:ok, Ash.Resource.record(), map()}
  | {:error, :dcr_disabled}
  | {:error, :invalid_initial_access_token}
  | {:error, String.t(), String.t()}

Register a new OAuth client from RFC 7591-shaped parameters.

opts may include:

  • :initial_access_token — the bearer token the request presented (or nil). When the server has :initial_access_token configured, this MUST match (constant-time) or registration is rejected.

Returns:

  • {:ok, client_record, response_body} on success.
  • {:error, :dcr_disabled} when the server has dcr_enabled?: false (the library default). Controllers should treat this as a 404 — the endpoint is not exposed.
  • {:error, :invalid_initial_access_token} when the bearer was missing or didn't match. Per RFC 7591 §3.2.2 this is a Bearer-auth failure — controllers should emit 401 with WWW-Authenticate: Bearer error="invalid_token", not 400.
  • {:error, code, description} for any other validation failure — a 400 DCR error response per RFC 7591 §3.2.2.
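A controller mapping the results of register/3 to the HTTP statuses listed above, as an added example that is not part of this library: MyAppWeb.OAuthRegisterController and MyApp.Oauth2Server are assumed names, and Plug and Jason are assumed to be available.

```elixir
defmodule MyAppWeb.OAuthRegisterController do
  # Hypothetical controller; MyApp.Oauth2Server is an assumed name for the
  # application's Oauth2Server module.
  import Plug.Conn
  alias AshAuthentication.Oauth2Server.Register

  @server MyApp.Oauth2Server

  def create(conn, params) do
    case Register.register(@server, params, initial_access_token: bearer_token(conn)) do
      {:ok, _client, body} ->
        # RFC 7591 §3.2.1: successful registration is 201 Created, never cached
        json_resp(conn, 201, body)

      {:error, :dcr_disabled} ->
        # DCR is not enabled: behave as if the endpoint does not exist
        send_resp(conn, 404, "")

      {:error, :invalid_initial_access_token} ->
        # RFC 7591 §3.2.2: a Bearer-auth failure, so 401 plus WWW-Authenticate
        conn
        |> put_resp_header("www-authenticate", ~s(Bearer error="invalid_token"))
        |> send_resp(401, "")

      {:error, code, description} ->
        # RFC 7591 §3.2.2 client registration error response
        json_resp(conn, 400, %{error: code, error_description: description})
    end
  end

  # Pull the token out of "Authorization: Bearer <token>" (scheme is
  # case-insensitive per RFC 6750); nil when absent or malformed.
  defp bearer_token(conn) do
    with [header] <- get_req_header(conn, "authorization"),
         [scheme, token] <- String.split(header, " ", parts: 2),
         true <- String.downcase(scheme) == "bearer" do
      String.trim(token)
    else
      _ -> nil
    end
  end

  defp json_resp(conn, status, body) do
    conn
    |> put_resp_content_type("application/json")
    |> put_resp_header("cache-control", "no-store")
    |> put_resp_header("pragma", "no-cache")
    |> send_resp(status, Jason.encode!(body))
  end
end
```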