identity: silent SSO prompt=none fast-path — one session, many clients (10 tests)

oauth.sx now owns a session registry. establish creates a subject session; silent_authorize (OIDC prompt=none §3.1.2.1) asks "does this subject have a live session?" — if yes it mints a code skipping consent, bound to client + redirect_uri + PKCE exactly like a consented code; if no it returns login_required (a negative state, not a login redirect). One session serves many clients; end_session closes the fast-path. New tests/sso.sx. 75/75. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-07 00:45:15 +00:00
parent 20ba152e36
commit 56cf920041
6 changed files with 152 additions and 24 deletions
--- a/lib/identity/scoreboard.json
+++ b/lib/identity/scoreboard.json
@@ -1,12 +1,13 @@
 {
  "language": "identity",
-  "total_pass": 65,
-  "total": 65,
+  "total_pass": 75,
+  "total": 75,
  "suites": [
    {"name":"session","pass":11,"total":11,"status":"ok"},
    {"name":"token","pass":18,"total":18,"status":"ok"},
    {"name":"registry","pass":9,"total":9,"status":"ok"},
    {"name":"api","pass":10,"total":10,"status":"ok"},
-    {"name":"oauth","pass":17,"total":17,"status":"ok"}
+    {"name":"oauth","pass":17,"total":17,"status":"ok"},
+    {"name":"sso","pass":10,"total":10,"status":"ok"}
  ]
 }