# `mix ash_authentication_oauth2_server.install`
[🔗](https://github.com/team-alembic/ash_authentication_oauth2_server/blob/v0.1.0/lib/mix/tasks/ash_authentication_oauth2_server.install.ex#L7)

Scaffolds an OAuth 2.1 authorization server.

The task generates:

  * Four resources in the configured Ash domain — `OauthClient`,
    `OauthAuthorizationCode`, `OauthRefreshToken`, `OauthConsent`.
  * An `Oauth2Server` config module that pulls them together.
  * Three `secret_for/4` clauses on the user's Secrets module
    (`:issuer_url`, `:resource_url`, `:signing_secret`) that read from
    application env, so prod overrides go in `config/runtime.exs`.
  * Localhost defaults in `config/dev.exs` for development.

After install, run `mix ash.codegen --name add_oauth2_server` to
generate migrations for the new resources, then `mix ecto.migrate`.

The router macros are NOT auto-mounted. `use` the router module in
your Phoenix router and add the scopes by hand — different apps
want different paths/pipelines:

    use AshAuthentication.Phoenix.Oauth2Server.Router

    scope "/" do
      pipe_through :browser
      oauth2_server_consent_routes oauth2_server: MyApp.Oauth2Server
    end

    scope "/" do
      pipe_through :api
      oauth2_server_protocol_routes oauth2_server: MyApp.Oauth2Server
    end

Then mount `AshAuthentication.Phoenix.Oauth2Server.BearerPlug` on
whatever resource you want OAuth-protected.

## Production config

The dev URLs written to `config/dev.exs` are placeholders. For prod,
set the real values in `config/runtime.exs`:

    config :my_app,
      oauth2_issuer_url: System.get_env("OAUTH2_ISSUER_URL"),
      oauth2_resource_url: System.get_env("OAUTH2_RESOURCE_URL"),
      oauth2_signing_secret: System.get_env("OAUTH2_SIGNING_SECRET")

`oauth2_resource_url` is the URL clients will reach your protected
resource at. It's bound to the access token's `aud` claim.
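
A stricter variant of the `config/runtime.exs` snippet above, as an added example that is not generated by the installer and is not the project's own code: `System.get_env/1` returns `nil` when a variable is unset, so this version fails at boot instead. The https requirement, the 32-byte floor for the signing secret, and the `fetch_https_url` helper are assumptions of this example.

```elixir
# config/runtime.exs (added example; not installer output)
import Config

if config_env() == :prod do
  # Hypothetical helper: read an env var and require an absolute https URL.
  fetch_https_url = fn name ->
    # fetch_env!/1 raises when the variable is unset, rather than returning nil
    value = System.fetch_env!(name)
    uri = URI.parse(value)

    unless uri.scheme == "https" and is_binary(uri.host) and uri.host != "" do
      raise "#{name} must be an absolute https:// URL, got: #{inspect(value)}"
    end

    value
  end

  signing_secret = System.fetch_env!("OAUTH2_SIGNING_SECRET")

  # Assumed minimum length (32 bytes); adjust to your own policy.
  # The secret itself is deliberately kept out of the error message.
  if byte_size(signing_secret) < 32 do
    raise "OAUTH2_SIGNING_SECRET must be at least 32 bytes"
  end

  # Same keys as the snippet above. The resource URL is validated as well
  # because it ends up in the access token's `aud` claim.
  config :my_app,
    oauth2_issuer_url: fetch_https_url.("OAUTH2_ISSUER_URL"),
    oauth2_resource_url: fetch_https_url.("OAUTH2_RESOURCE_URL"),
    oauth2_signing_secret: signing_secret
end
```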

## Example

```bash
mix ash_authentication_oauth2_server.install
```

## Options

  * `--accounts`, `-a` — Domain. Default: `MyApp.Accounts`.
  * `--user`, `-u` — User resource. Default: `<Accounts>.User`.
  * `--server-module`, `-s` — Where to put the `Oauth2Server` module.
    Default: `MyApp.Oauth2Server`.
  * `--secrets-module` — Module implementing `AshAuthentication.Secret`.
    Default: `MyApp.Secrets`.
  * `--issuer-url` — Issuer URL written to `config/dev.exs`.
    Default: `http://localhost:4000`.
  * `--resource-url` — Resource URL written to `config/dev.exs`.
    Default: same as `--issuer-url`.
  * `--scope` — Scope advertised in metadata. Default: `example.scope`
    (a placeholder to replace with whatever your protected resource
    actually uses).

# `igniter`

