identity: client-credentials grant (RFC 6749 §4.4, +9 tests)

oauth.sx now owns a client registry (loop/6) with register_client and the client_credentials grant. A confidential client authenticates and gets a token acting on its own behalf (subject = the client), no refresh token (§4.4.3). A public client is unauthorized_client; any auth failure (unknown client or wrong secret) is invalid_client — no client-existence oracle (§5.2). identity-load-oauth! now pulls its deps. New tests/grants.sx. 158/158. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-07 02:22:26 +00:00
parent 9860582b4a
commit 3f3459d129
6 changed files with 139 additions and 25 deletions
--- a/lib/identity/scoreboard.json
+++ b/lib/identity/scoreboard.json
@@ -1,7 +1,7 @@
 {
  "language": "identity",
-  "total_pass": 149,
-  "total": 149,
+  "total_pass": 158,
+  "total": 158,
  "suites": [
    {"name":"session","pass":11,"total":11,"status":"ok"},
    {"name":"token","pass":24,"total":24,"status":"ok"},
@@ -14,6 +14,7 @@
    {"name":"audit","pass":11,"total":11,"status":"ok"},
    {"name":"federation","pass":12,"total":12,"status":"ok"},
    {"name":"expiry","pass":8,"total":8,"status":"ok"},
-    {"name":"clients","pass":11,"total":11,"status":"ok"}
+    {"name":"clients","pass":11,"total":11,"status":"ok"},
+    {"name":"grants","pass":9,"total":9,"status":"ok"}
  ]
 }