Skip to main content

lib/attesto_client.ex

defmodule AttestoClient do
  @moduledoc """
  Client-side OAuth 2.0 / OpenID Connect / FAPI 2.0 artifacts and verification.

  `AttestoClient` is the relying-party (client) counterpart to
  [`attesto`](https://hex.pm/packages/attesto) (the authorization server). Where
  attesto *verifies* client artifacts and *issues* server artifacts with the
  authorization server's keystore, this library *builds* client-side wire
  artifacts and *verifies* the server artifacts a client receives:

    * `AttestoClient.ClientAssertion` - build a `private_key_jwt` client
      authentication assertion (RFC 7523 / OpenID Connect Core §9).
    * `AttestoClient.RequestObject` - build a signed authorization request object
      (JAR, RFC 9101 / FAPI 2.0 Message Signing §5.3.1).
    * `AttestoClient.IDToken` - verify OpenID Connect ID Tokens, including
      nonce, `max_age`, and `at_hash` / `c_hash` / `s_hash`.
    * `AttestoClient.JARM` - verify a signed authorization response (JARM,
      FAPI 2.0 Message Signing §5.4).
    * `AttestoClient.IdentityAssertion` - build Identity Assertion JWT
      Authorization Grant assertions (ID-JAG / EMA).
    * `AttestoClient.PKCE` - generate S256 PKCE verifier/challenge pairs.
    * `AttestoClient.SignedIntrospection` - verify RFC 9701 signed
      introspection responses.
    * `AttestoClient.UserInfo` - verify signed OpenID Connect UserInfo
      responses.
    * `AttestoClient.Discovery` - fetch and read authorization-server metadata
      and JWKS (RFC 8414 / OpenID Connect Discovery 1.0).

  It is deliberately **not** a full OAuth client framework: it has no flow
  orchestrator, token store, or session handling. It produces and checks the
  cryptographic, wire-format artifacts an OAuth/OIDC/FAPI client needs, leaving
  HTTP orchestration to the host (DPoP-bound requests are
  [`req_dpop`](https://hex.pm/packages/req_dpop)'s job).

  ## Assurance

  The build-side artifacts carry cross-language parity tests where practical,
  and the mirror modules are covered by in-family interop tests against the
  corresponding attesto server-side issuer or verifier.
  """
end