# `AshAuthentication.Phoenix.Oauth2Server.Router`
[🔗](https://github.com/team-alembic/ash_authentication_oauth2_server/blob/v0.1.0/lib/ash_authentication_phoenix/oauth2_server/router.ex#L5)

Phoenix router macros for mounting the OAuth 2.1 authorization server.

`use` this module inside your router to gain access to
`oauth2_server_consent_routes/1` (browser-facing, user consent) and
`oauth2_server_protocol_routes/1` (client-facing protocol endpoints).

## Example

    defmodule MyAppWeb.Router do
      use Phoenix.Router
      use AshAuthentication.Phoenix.Oauth2Server.Router

      scope "/" do
        pipe_through :browser
        oauth2_server_consent_routes oauth2_server: MyApp.Oauth2Server
      end

      scope "/" do
        pipe_through :api
        oauth2_server_protocol_routes oauth2_server: MyApp.Oauth2Server
      end
    end

The two macros forward to:

  * `AshAuthentication.Phoenix.Oauth2Server.ConsentRouter` — handles
    `/oauth/authorize` (the user-driven consent step).
  * `AshAuthentication.Phoenix.Oauth2Server.ProtocolRouter` — handles
    `/oauth/register`, `/oauth/token`, `/oauth/revoke`, and the three
    metadata documents under `/.well-known`.

# `oauth2_server_consent_routes`
*macro* 

Generate the routes for the user-driven consent step of an OAuth 2.1
authorization-server flow.

Mount this inside a scope that pipes through your **browser** pipeline
(with `:protect_from_forgery` and session loading) — both the consent
GET and POST need a logged-in user and CSRF protection.

## Example

    scope "/" do
      pipe_through :browser
      oauth2_server_consent_routes oauth2_server: MyApp.Oauth2Server
    end

## Options

  * `:oauth2_server` (required) — your `Oauth2Server` config module.
  * `:path` — base path. Defaults to `/oauth/authorize`.
  * `:consent_view` — module exposing `render(:consent, assigns)`.
    Defaults to `AshAuthentication.Phoenix.Oauth2Server.ConsentView`.

# `oauth2_server_protocol_routes`
*macro* 

Generate the routes for the client-facing OAuth 2.1 protocol endpoints —
discovery, dynamic client registration, token, and revocation.

Mount this inside a scope that pipes through your **API** pipeline. These
endpoints are called by external OAuth clients without a browser session,
so CSRF must NOT apply.

## Example

    scope "/" do
      pipe_through :api
      oauth2_server_protocol_routes oauth2_server: MyApp.Oauth2Server
    end

## Options

  * `:oauth2_server` (required) — your `Oauth2Server` config module.
  * `:oauth_path` — prefix for `/token`, `/register`, etc. Defaults to `/oauth`.
  * `:well_known_path` — prefix for `/oauth-authorization-server`,
    `/oauth-protected-resource`, `/openid-configuration`.
    Defaults to `/.well-known`.
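
The pipeline requirements of both macros, written out as one router. This is an added example, not code from the library or its documentation. The pipeline contents follow stock Phoenix conventions; `use AshAuthentication.Phoenix.Router` and its `:load_from_session` plug are an assumption about how the host app loads the logged-in user.

```elixir
defmodule MyAppWeb.Router do
  use Phoenix.Router
  # Assumption: the app uses ash_authentication_phoenix, whose router
  # helpers supply the `:load_from_session` plug used below.
  use AshAuthentication.Phoenix.Router
  use AshAuthentication.Phoenix.Oauth2Server.Router

  import Plug.Conn
  import Phoenix.Controller

  # Browser pipeline: session + CSRF, as the consent GET and POST require.
  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :protect_from_forgery
    plug :put_secure_browser_headers
    plug :load_from_session
  end

  # API pipeline: no session and no CSRF plug. External OAuth clients
  # call these endpoints without a browser session.
  pipeline :api do
    plug :accepts, ["json"]
  end

  scope "/" do
    pipe_through :browser
    # Serves /oauth/authorize (default :path)
    oauth2_server_consent_routes oauth2_server: MyApp.Oauth2Server
  end

  scope "/" do
    pipe_through :api
    # Serves /oauth/register, /oauth/token, /oauth/revoke and /.well-known/*
    oauth2_server_protocol_routes oauth2_server: MyApp.Oauth2Server
  end

  # Things to reject when reviewing a router that mounts these macros:
  #   * consent routes under :api
  #       -> the consent POST runs with no CSRF check and no session user
  #   * protocol routes under :browser
  #       -> CSRF protection applies to client POSTs to /oauth/token,
  #          /oauth/register and /oauth/revoke, which carry no CSRF token
end
```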

