AshAuthentication.Oauth2Server

Copy Markdown View Source

An OAuth 2.1 authorization server for Ash Framework apps. Pairs with ash_authentication for the user-login side and runs on Phoenix.

What this gives you

  • OAuth 2.1 /authorize + /token flow with PKCE-only (RFC 9700)
  • Dynamic Client Registration (RFC 7591) — opt-in, with optional initial-access-token gating
  • Audience-bound access tokens (RFC 8707)
  • Refresh-token rotation with reuse detection
  • Discovery metadata (RFC 8414 + RFC 9728) + /.well-known/openid-configuration
  • User-driven consent screen with override-friendly UI
  • Bearer plug for protected resource endpoints
  • Designed to host Model Context Protocol (MCP) servers, ChatGPT Apps SDK connectors, Claude.ai integrations, etc.

Installation

mix igniter.install ash_authentication_oauth2_server

This scaffolds the four resources (OAuthClient, OAuthAuthorizationCode, OAuthRefreshToken, OAuthConsent), wires them into your Accounts domain, generates an Oauth2Server config module, and adds the secret-resolution clauses on your Secrets module.

Usage

See AshAuthentication.Oauth2Server for full configuration, and the post-install notice for the steps to wire the routes into your Phoenix router and mount AshAuthentication.Phoenix.Oauth2Server.BearerPlug on your protected endpoints.