szTheory/lockspire

Lockspire

Lockspire is an embedded OAuth/OIDC authorization server library for Phoenix and Elixir applications.

It lets a Phoenix SaaS team become an OAuth/OIDC provider inside its existing app without moving accounts, login UX, branding, or product policy into a separate auth service.

The public support contract for the current release lives in docs/supported-surface.md.

What v1.0 includes

  • Authorization code + PKCE
  • Resource Indicators (RFC 8707) on authorization and token requests
  • Device Flow authorization
  • Dynamic Client Registration (DCR)
  • Pushed authorization requests through Lockspire-issued request_uri references on the existing authorization code + PKCE path (can be configured as required or optional)
  • OIDC discovery and JWKS
  • Userinfo, revocation, introspection, and refresh rotation
  • Host-owned login and consent seams
  • Truthful discovery metadata for Resource Indicators and configured RAR types (resource_indicators_supported and authorization_details_types_supported)
  • Host-owned custom RAR consent guidance through docs/rar-consent-host-guide.md
  • LiveView admin surfaces for clients, consents, tokens, keys, and PAR policies
  • Generator-backed install flow for Phoenix hosts
  • FAPI 2.0 Security Profile enforcement (opt-in via security_profile: :fapi_2_0_security globally or per-client): PAR-required at /authorize, DPoP sender-constrained access tokens, ES256/PS256 signing only, exact-match redirect URIs
  • RFC 9207 iss parameter on every authorization-response redirect for all clients regardless of profile
  • Truthful FAPI 2.0 keys in .well-known/openid-configuration (authorization_response_iss_parameter_supported always; require_pushed_authorization_requests only when the global server policy is :fapi_2_0_security)
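
As an added illustration (not Lockspire's own code, and in Python rather than Elixir so it runs stand-alone), the checks behind two items in the list above: the S256 code challenge derivation and server-side verification that "Authorization code + PKCE" implies (RFC 7636), and the client-side check of the RFC 9207 iss parameter on an authorization-response redirect. The issuer, redirect URI, code and state values are constructed for the example; the function names are this example's own, not Lockspire's API.

```python
"""
Added example, not Lockspire code: the server-side PKCE check (RFC 7636, S256)
and the RFC 9207 `iss` parameter on an authorization response.
All URLs and values below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlparse

# Constructed issuer identifier for the example authorization server.
ISSUER = "https://auth.example.com"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: 32 random bytes encode to a 43-char verifier (RFC 7636 minimum)."""
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Server side, at the token endpoint: recompute the challenge from the
    verifier presented with the authorization code and compare it to the
    challenge stored when the code was issued. Only S256 is accepted; the
    'plain' method gives no protection against an intercepted challenge."""
    if method != "S256":
        return False
    if not (43 <= len(presented_verifier) <= 128):
        return False
    expected = code_challenge_s256(presented_verifier)
    # Constant-time compare so a mismatch leaks nothing about the stored value.
    return hmac.compare_digest(expected, stored_challenge)


def build_authorization_response(redirect_uri: str, code: str, state: str) -> str:
    """Server side: RFC 9207 adds iss=<issuer identifier> to every authorization
    response so the client can tell which server answered."""
    return (
        f"{redirect_uri}?code={quote(code, safe='')}"
        f"&state={quote(state, safe='')}&iss={quote(ISSUER, safe='')}"
    )


def client_checks_iss(response_url: str, expected_issuer: str, expected_state: str) -> bool:
    """Client side: accept the redirect only if iss matches the issuer this
    request was sent to and state matches the value the client generated.
    A mismatch indicates a mix-up or replayed response and the code is dropped."""
    query = parse_qs(urlparse(response_url).query)
    return query.get("iss") == [expected_issuer] and query.get("state") == [expected_state]


if __name__ == "__main__":
    # Round trip: client derives a challenge, server stores it, token request verifies.
    verifier = make_code_verifier()
    stored = code_challenge_s256(verifier)
    print("PKCE ok:", verify_pkce(stored, "S256", verifier))
    url = build_authorization_response("https://app.example.com/cb", "code-123", "state-xyz")
    print("iss ok:", client_checks_iss(url, ISSUER, "state-xyz"))
```

The RFC 7636 Appendix B vector (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) is a convenient check that the derivation is exactly the standard one.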

What v1.0 does not include

  • Hosted auth as a separate service
  • Request-object-by-value support and generic external request_uri handling
  • SAML or LDAP federation
  • A full CIAM suite
  • Lockspire-owned account tables or login UX
  • External OIDF FAPI 2.0 conformance suite certification (Lockspire pins the canonical plan and variants but the live Docker run remains a manual maintainer step and is not gated by CI)
  • mTLS client authentication or mTLS-bound access tokens (DPoP is the supported sender-constraining mechanism)

Guides