identity: "apps with access" — per-subject active-grant listing (+7 tests)
Some checks failed
Test, Build, and Deploy / test-build-deploy (push) Failing after 36s
Some checks failed
Test, Build, and Deploy / test-build-deploy (push) Failing after 36s
identity_tokens:grants_for(Subject) lists a subject's active grants as
[{Client, Scope}] (revoked excluded), exposed through the facade as
identity:grants(Subject). Completes the per-subject account-security trio:
sessions (where logged in), grants (which apps have access), history (what
happened). New tests/account.sx. Conformance internal timeout raised to
1200s (22 suites, ~10min — run in background). 229/229.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -19,7 +19,7 @@ through the event log, all authorization questions delegated to `acl-on-sx`.
|
||||
|
||||
## Status (rolling)
|
||||
|
||||
`bash lib/identity/conformance.sh` → **222/222** (4 phases + 13 ext) — needs `timeout 580`
|
||||
`bash lib/identity/conformance.sh` → **229/229** (4 phases + 14 ext) — slow (~10min, run in background; internal timeout 1200)
|
||||
|
||||
## Ground rules
|
||||
|
||||
@@ -87,12 +87,21 @@ lib/identity/api.sx ── (identity/login) (identity/grant?) (identity/revoke)
|
||||
- [~] OAuth `state`/OIDC `nonce` — low value in this server-centric model (client-side echo); skipped
|
||||
- [x] pushed authorization requests (PAR, RFC 9126): single-use request_uri → consent
|
||||
- [x] dynamic client registration (RFC 7591): server-generated client_id + secret
|
||||
- [x] "apps with access": `grants_for(Subject)` / `identity:grants` (per-subject active grants)
|
||||
- [x] unify `api.sx` over membership + audit (one facade, audited login/logout)
|
||||
- [x] subject-wide session management: `sessions(Subject)` + `logout_all` (log out everywhere)
|
||||
- [x] token exchange (RFC 8693): downscope a token into a new independent token
|
||||
- [x] RFC 7662 full introspection metadata (`introspect_full`: sub/client_id/scope/exp/iat/token_type)
|
||||
|
||||
## Progress log
|
||||
- 2026-06-07 — "apps with access" (ext): `identity_tokens:grants_for(Subject)`
|
||||
lists a subject's ACTIVE grants as `[{Client, Scope}]` (revoked excluded),
|
||||
exposed through the facade as `identity:grants(Subject)`. Completes the
|
||||
per-subject account-security trio: sessions (where), grants (which apps),
|
||||
history (what happened). New tests/account.sx (7). 222→229. NOTE: conformance
|
||||
is now slow (~10 min, 22 suites); run it in the background — internal
|
||||
sx_server timeout raised to 1200s. The suite is at its monolithic-runtime
|
||||
ceiling; further test growth should consider splitting the harness.
|
||||
- 2026-06-07 — dynamic client registration (ext, RFC 7591): `register_dynamic`
|
||||
generates a client_id + secret server-side (make_ref each) and registers the
|
||||
client, returning {ok, ClientId, Secret} — self-service onboarding distinct
|
||||
|
||||
Reference in New Issue
Block a user