Lockspire

Lockspire is an embedded OAuth/OIDC authorization server for Phoenix applications.

It lets a Phoenix SaaS team become an OAuth/OIDC provider inside its existing app without moving accounts, login UX, branding, or product policy into a separate auth service.

What v0.1 includes

• Authorization code + PKCE
• OIDC discovery and JWKS
• Userinfo, revocation, introspection, and refresh rotation
• Host-owned login and consent seams
• LiveView admin surfaces for clients, consents, tokens, and keys
• Generator-backed install flow for Phoenix hosts

What v0.1 does not include

• Hosted auth as a separate service
• SAML or LDAP federation
• A full CIAM suite
• Lockspire-owned account tables or login UX

Canonical install path

1. Add :lockspire to your Phoenix app.
2. Run mix lockspire.install.
3. Import the generated config and router snippets into your host app.
4. Implement the generated AccountResolver and interaction handoff modules.
5. Run migrations, register a client, and complete an auth-code + PKCE flow.

The canonical proof for that path lives in:

• test/integration/install_generator_test.exs
• test/integration/phase6_onboarding_e2e_test.exs

Secure defaults

• PKCE S256 required by default
• Exact-match redirect URI validation
• Authorization codes are single-use and short-lived
• Refresh token rotation revokes the full family on reuse
• Client secrets are hashed at rest
• No implicit flow
• No alg=none

Guides

• Getting started
• Install and onboard
• Operator and admin guide
• Supported surface
• Maintainer and release guide
• Sigra companion host
• Security policy

Release discipline

Lockspire ships as an Apache-2.0 library with versioned docs, CI gates, changelog automation, and Hex dry-run validation in-repo.