identity: pushed authorization requests (PAR, RFC 9126, +7 tests)
Some checks failed
Test, Build, and Deploy / test-build-deploy (push) Failing after 36s
Some checks failed
Test, Build, and Deploy / test-build-deploy (push) Failing after 36s
push_authorization_request lodges the authorization params under a
single-use request_uri; authorize_pushed redeems it into the normal consent
flow. Pushed requests reuse the pending store ({pushed, Rec} keyed by the
request_uri ref — distinct from consent req_ids, so no collision and no new
loop state). The pushed binding (client + redirect + PKCE) is still enforced
at exchange. New tests/par.sx. 217/217.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -47,6 +47,7 @@ SUITES=(
|
||||
"session-mgmt|id-smgmt-test-pass|id-smgmt-test-count"
|
||||
"exchange|id-xchg-test-pass|id-xchg-test-count"
|
||||
"introspect|id-intr-test-pass|id-intr-test-count"
|
||||
"par|id-par-test-pass|id-par-test-count"
|
||||
)
|
||||
|
||||
cat > "$TMPFILE" << 'EPOCHS'
|
||||
@@ -89,6 +90,7 @@ cat > "$TMPFILE" << 'EPOCHS'
|
||||
(load "lib/identity/tests/session_mgmt.sx")
|
||||
(load "lib/identity/tests/exchange.sx")
|
||||
(load "lib/identity/tests/introspect.sx")
|
||||
(load "lib/identity/tests/par.sx")
|
||||
(epoch 100)
|
||||
(eval "(list id-session-test-pass id-session-test-count)")
|
||||
(epoch 101)
|
||||
@@ -127,6 +129,8 @@ cat > "$TMPFILE" << 'EPOCHS'
|
||||
(eval "(list id-xchg-test-pass id-xchg-test-count)")
|
||||
(epoch 118)
|
||||
(eval "(list id-intr-test-pass id-intr-test-count)")
|
||||
(epoch 119)
|
||||
(eval "(list id-par-test-pass id-par-test-count)")
|
||||
EPOCHS
|
||||
|
||||
timeout 600 "$SX_SERVER" < "$TMPFILE" > "$OUTFILE" 2>&1
|
||||
|
||||
File diff suppressed because one or more lines are too long
@@ -1,7 +1,7 @@
|
||||
{
|
||||
"language": "identity",
|
||||
"total_pass": 210,
|
||||
"total": 210,
|
||||
"total_pass": 217,
|
||||
"total": 217,
|
||||
"suites": [
|
||||
{"name":"session","pass":11,"total":11,"status":"ok"},
|
||||
{"name":"token","pass":24,"total":24,"status":"ok"},
|
||||
@@ -21,6 +21,7 @@
|
||||
{"name":"delegation","pass":8,"total":8,"status":"ok"},
|
||||
{"name":"session-mgmt","pass":8,"total":8,"status":"ok"},
|
||||
{"name":"exchange","pass":8,"total":8,"status":"ok"},
|
||||
{"name":"introspect","pass":9,"total":9,"status":"ok"}
|
||||
{"name":"introspect","pass":9,"total":9,"status":"ok"},
|
||||
{"name":"par","pass":7,"total":7,"status":"ok"}
|
||||
]
|
||||
}
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# identity-on-sx Scoreboard
|
||||
|
||||
**Total: 210 / 210 tests passing**
|
||||
**Total: 217 / 217 tests passing**
|
||||
|
||||
| | Suite | Pass | Total |
|
||||
|---|---|---|---|
|
||||
@@ -23,6 +23,7 @@
|
||||
| ✅ | session-mgmt | 8 | 8 |
|
||||
| ✅ | exchange | 8 | 8 |
|
||||
| ✅ | introspect | 9 | 9 |
|
||||
| ✅ | par | 7 | 7 |
|
||||
|
||||
|
||||
Generated by `lib/identity/conformance.sh`.
|
||||
|
||||
84
lib/identity/tests/par.sx
Normal file
84
lib/identity/tests/par.sx
Normal file
@@ -0,0 +1,84 @@
|
||||
;; identity/tests/par.sx — pushed authorization requests (PAR, RFC 9126):
|
||||
;; lodge the authorization params up front under a single-use request_uri,
|
||||
;; then redeem it into the normal consent flow. The binding (client,
|
||||
;; redirect, PKCE) carried by the pushed request is enforced at exchange.
|
||||
|
||||
(define id-par-test-count 0)
|
||||
(define id-par-test-pass 0)
|
||||
(define id-par-test-fails (list))
|
||||
|
||||
(define
|
||||
id-par-test
|
||||
(fn
|
||||
(name actual expected)
|
||||
(set! id-par-test-count (+ id-par-test-count 1))
|
||||
(if
|
||||
(= actual expected)
|
||||
(set! id-par-test-pass (+ id-par-test-pass 1))
|
||||
(append! id-par-test-fails {:name name :expected expected :actual actual}))))
|
||||
|
||||
(define idp-ev erlang-eval-ast)
|
||||
(define idpnm (fn (v) (get v :name)))
|
||||
|
||||
(identity-load-oauth!)
|
||||
|
||||
;; ── pushed request redeems into consent ──────────────────────────
|
||||
|
||||
(id-par-test
|
||||
"authorize_pushed on a fresh request_uri asks for consent"
|
||||
(idpnm
|
||||
(idp-ev
|
||||
"O = identity_oauth:start(),\n {ok, Ru} = identity_oauth:push_authorization_request(O, web, uri1, read, alice, v),\n case identity_oauth:authorize_pushed(O, Ru) of\n {consent_required, _} -> consent_required;\n {error, W} -> W\n end"))
|
||||
"consent_required")
|
||||
|
||||
;; ── full PAR flow ────────────────────────────────────────────────
|
||||
|
||||
(id-par-test
|
||||
"the full PAR flow yields a working token"
|
||||
(idpnm
|
||||
(idp-ev
|
||||
"O = identity_oauth:start(),\n {ok, Ru} = identity_oauth:push_authorization_request(O, web, uri1, read, alice, v),\n {consent_required, Rq} = identity_oauth:authorize_pushed(O, Ru),\n {code, Cd} = identity_oauth:consent(O, Rq, allow),\n {ok, A, _R} = identity_oauth:exchange(O, Cd, web, uri1, v),\n case identity_oauth:introspect(O, A) of\n {active, _, _, _} -> active;\n {inactive} -> inactive\n end"))
|
||||
"active")
|
||||
|
||||
(id-par-test
|
||||
"the PAR token carries the pushed subject"
|
||||
(idpnm
|
||||
(idp-ev
|
||||
"O = identity_oauth:start(),\n {ok, Ru} = identity_oauth:push_authorization_request(O, web, uri1, read, alice, v),\n {consent_required, Rq} = identity_oauth:authorize_pushed(O, Ru),\n {code, Cd} = identity_oauth:consent(O, Rq, allow),\n {ok, A, _R} = identity_oauth:exchange(O, Cd, web, uri1, v),\n case identity_oauth:introspect(O, A) of\n {active, Subject, _, _} -> Subject\n end"))
|
||||
"alice")
|
||||
|
||||
;; ── request_uri is single-use ────────────────────────────────────
|
||||
|
||||
(id-par-test
|
||||
"a request_uri cannot be redeemed twice"
|
||||
(idpnm
|
||||
(idp-ev
|
||||
"O = identity_oauth:start(),\n {ok, Ru} = identity_oauth:push_authorization_request(O, web, uri1, read, alice, v),\n identity_oauth:authorize_pushed(O, Ru),\n case identity_oauth:authorize_pushed(O, Ru) of\n {consent_required, _} -> reused;\n {error, W} -> W\n end"))
|
||||
"invalid_request_uri")
|
||||
|
||||
(id-par-test
|
||||
"an unknown request_uri is rejected"
|
||||
(idpnm
|
||||
(idp-ev
|
||||
"O = identity_oauth:start(),\n Bogus = make_ref(),\n case identity_oauth:authorize_pushed(O, Bogus) of\n {consent_required, _} -> ok;\n {error, W} -> W\n end"))
|
||||
"invalid_request_uri")
|
||||
|
||||
;; ── the pushed binding is still enforced at exchange ─────────────
|
||||
|
||||
(id-par-test
|
||||
"a PAR-issued code still enforces PKCE"
|
||||
(idpnm
|
||||
(idp-ev
|
||||
"O = identity_oauth:start(),\n {ok, Ru} = identity_oauth:push_authorization_request(O, web, uri1, read, alice, v),\n {consent_required, Rq} = identity_oauth:authorize_pushed(O, Ru),\n {code, Cd} = identity_oauth:consent(O, Rq, allow),\n case identity_oauth:exchange(O, Cd, web, uri1, wrongverif) of\n {ok, _, _} -> ok;\n {error, W} -> W\n end"))
|
||||
"invalid_grant")
|
||||
|
||||
(id-par-test
|
||||
"a PAR-issued code still enforces client binding"
|
||||
(idpnm
|
||||
(idp-ev
|
||||
"O = identity_oauth:start(),\n {ok, Ru} = identity_oauth:push_authorization_request(O, web, uri1, read, alice, v),\n {consent_required, Rq} = identity_oauth:authorize_pushed(O, Ru),\n {code, Cd} = identity_oauth:consent(O, Rq, allow),\n case identity_oauth:exchange(O, Cd, attacker, uri1, v) of\n {ok, _, _} -> ok;\n {error, W} -> W\n end"))
|
||||
"invalid_grant")
|
||||
|
||||
(define
|
||||
id-par-test-summary
|
||||
(str "par " id-par-test-pass "/" id-par-test-count))
|
||||
@@ -19,7 +19,7 @@ through the event log, all authorization questions delegated to `acl-on-sx`.
|
||||
|
||||
## Status (rolling)
|
||||
|
||||
`bash lib/identity/conformance.sh` → **210/210** (4 phases + 11 ext)
|
||||
`bash lib/identity/conformance.sh` → **217/217** (4 phases + 12 ext) — needs `timeout 580`
|
||||
|
||||
## Ground rules
|
||||
|
||||
@@ -84,13 +84,20 @@ lib/identity/api.sx ── (identity/login) (identity/grant?) (identity/revoke)
|
||||
- [x] client registry: public vs confidential clients, client authentication (RFC 6749 §2)
|
||||
- [x] client-credentials grant (RFC 6749 §4.4) + device grant (RFC 8628)
|
||||
- [x] acl-on-sx delegation: identity-gates-before-acl boundary (401 vs 403), stub decider (live Datalog bridge is cross-substrate)
|
||||
- [ ] OAuth `state` (CSRF) + OIDC `nonce` threaded through authorize→exchange
|
||||
- [~] OAuth `state`/OIDC `nonce` — low value in this server-centric model (client-side echo); skipped
|
||||
- [x] pushed authorization requests (PAR, RFC 9126): single-use request_uri → consent
|
||||
- [x] unify `api.sx` over membership + audit (one facade, audited login/logout)
|
||||
- [x] subject-wide session management: `sessions(Subject)` + `logout_all` (log out everywhere)
|
||||
- [x] token exchange (RFC 8693): downscope a token into a new independent token
|
||||
- [x] RFC 7662 full introspection metadata (`introspect_full`: sub/client_id/scope/exp/iat/token_type)
|
||||
|
||||
## Progress log
|
||||
- 2026-06-07 — PAR (ext, RFC 9126): `push_authorization_request` lodges the
|
||||
authorization params under a single-use `request_uri`; `authorize_pushed`
|
||||
redeems it into the normal consent flow. Pushed requests reuse the pending
|
||||
store (`{pushed, Rec}` keyed by the request_uri ref — distinct from consent
|
||||
req_ids, no collision), so no new loop state. The pushed binding (client +
|
||||
redirect + PKCE) is enforced at exchange. New tests/par.sx (7). 210→217.
|
||||
- 2026-06-07 — full introspection (ext, RFC 7662 §2.2): `introspect_full`
|
||||
returns {active, Subject, Client, Scope, Exp, Iat, bearer} for live tokens,
|
||||
{inactive} otherwise — deepening the opaque-token/live-lookup model the
|
||||
|
||||
Reference in New Issue
Block a user