identity: mark base roadmap complete (124/124); add extensions backlog
Some checks failed
Test, Build, and Deploy / test-build-deploy (push) Failing after 1m6s
All four phases done. Records an extensions queue (PKCE S256, token TTL, scope sets/narrowing, client registry, client-credentials/device grants, acl delegation, state/nonce, unified facade) to keep deepening the engine. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@@ -77,6 +77,16 @@ lib/identity/api.sx ── (identity/login) (identity/grant?) (identity/revoke)
- [x] federated identity (peer-asserted subject) — advisory, trust-gated stub
- [x] tests: audit completeness, cross-instance subject mapping
## Extensions (base roadmap complete; deepen the engine)
- [ ] PKCE S256 method (RFC 7636 §4.2) — SHA256 challenge derivation, not just `plain`
- [ ] access-token TTL / `expires_in` — tokens expire as a grant timeout, introspect honours it
- [ ] scope as a set + scope narrowing on refresh (RFC 6749 §6)
- [ ] client registry: public vs confidential clients, client authentication (RFC 6749 §2)
- [ ] client-credentials grant (RFC 6749 §4.4) and device grant (RFC 8628)
- [ ] acl-on-sx delegation: wire `verify`/membership projection → an acl decision, integration test
- [ ] OAuth `state` (CSRF) + OIDC `nonce` threaded through authorize→exchange
- [ ] unify `api.sx` over oauth + membership + audit (one facade, audited login/consent)
## Progress log
- 2026-06-07 — `federation.sx`: trust-gated, advisory federated identity.
A peer assertion is accepted only from an explicitly trusted peer
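Review bot: The backlog order in the Extensions section puts the two items that harden the already-shipped authorize→exchange flow last; "PKCE S256 method (RFC 7636 §4.2)" and "OAuth `state` (CSRF) + OIDC `nonce` threaded through authorize→exchange" are the code-injection and CSRF/replay defences for that flow, so consider listing them first (or marking them as the next items to pick up) ahead of the new grant types and the facade work, which add surface rather than close gaps. Two of the items could also state their acceptance criterion more precisely: for "access-token TTL / `expires_in`", say that refresh and revoke honour expiry as well as introspect, and for "PKCE S256", say whether `plain` remains accepted once S256 lands, since RFC 7636 §4.2 expects S256 to be the method clients use when they can.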