identity: dynamic client registration (RFC 7591, +5 tests)

register_dynamic generates a client_id + secret server-side and registers
the client, returning {ok, ClientId, Secret} — self-service onboarding
distinct from the manual register_client. A dynamic confidential client can
then use client_credentials; a dynamic public client stays
unauthorized_client. New tests/dynreg.sx. 222/222.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

lib/identity/conformance.sh

@@ -48,6 +48,7 @@ SUITES=(
   "exchange|id-xchg-test-pass|id-xchg-test-count"
   "introspect|id-intr-test-pass|id-intr-test-count"
   "par|id-par-test-pass|id-par-test-count"
+  "dynreg|id-dyn-test-pass|id-dyn-test-count"
 )
 
 cat > "$TMPFILE" << 'EPOCHS'
@@ -91,6 +92,7 @@ cat > "$TMPFILE" << 'EPOCHS'
 (load "lib/identity/tests/exchange.sx")
 (load "lib/identity/tests/introspect.sx")
 (load "lib/identity/tests/par.sx")
+(load "lib/identity/tests/dynreg.sx")
 (epoch 100)
 (eval "(list id-session-test-pass id-session-test-count)")
 (epoch 101)
@@ -131,6 +133,8 @@ cat > "$TMPFILE" << 'EPOCHS'
 (eval "(list id-intr-test-pass id-intr-test-count)")
 (epoch 119)
 (eval "(list id-par-test-pass id-par-test-count)")
+(epoch 120)
+(eval "(list id-dyn-test-pass id-dyn-test-count)")
 EPOCHS
 
 timeout 600 "$SX_SERVER" < "$TMPFILE" > "$OUTFILE" 2>&1

lib/identity/scoreboard.json

@@ -1,7 +1,7 @@
 {
   "language": "identity",
-  "total_pass": 217,
-  "total": 217,
+  "total_pass": 222,
+  "total": 222,
   "suites": [
     {"name":"session","pass":11,"total":11,"status":"ok"},
     {"name":"token","pass":24,"total":24,"status":"ok"},
@@ -22,6 +22,7 @@
     {"name":"session-mgmt","pass":8,"total":8,"status":"ok"},
     {"name":"exchange","pass":8,"total":8,"status":"ok"},
     {"name":"introspect","pass":9,"total":9,"status":"ok"},
-    {"name":"par","pass":7,"total":7,"status":"ok"}
+    {"name":"par","pass":7,"total":7,"status":"ok"},
+    {"name":"dynreg","pass":5,"total":5,"status":"ok"}
   ]
 }

lib/identity/scoreboard.md

@@ -1,6 +1,6 @@
 # identity-on-sx Scoreboard
 
-**Total: 217 / 217 tests passing**
+**Total: 222 / 222 tests passing**
 
 |  | Suite | Pass | Total |
 |---|---|---|---|
@@ -24,6 +24,7 @@
 | ✅ | exchange | 8 | 8 |
 | ✅ | introspect | 9 | 9 |
 | ✅ | par | 7 | 7 |
+| ✅ | dynreg | 5 | 5 |
 
 
 Generated by `lib/identity/conformance.sh`.

lib/identity/tests/dynreg.sx

@@ -0,0 +1,68 @@
+;; identity/tests/dynreg.sx — dynamic client registration (RFC 7591): the
+;; server generates the client_id + secret for self-service onboarding.
+
+(define id-dyn-test-count 0)
+(define id-dyn-test-pass 0)
+(define id-dyn-test-fails (list))
+
+(define
+  id-dyn-test
+  (fn
+    (name actual expected)
+    (set! id-dyn-test-count (+ id-dyn-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-dyn-test-pass (+ id-dyn-test-pass 1))
+      (append! id-dyn-test-fails {:name name :expected expected :actual actual}))))
+
+(define idd-ev erlang-eval-ast)
+(define iddnm (fn (v) (get v :name)))
+
+(identity-load-oauth!)
+
+;; ── self-service registration yields usable credentials ──────────
+
+(id-dyn-test
+  "a dynamically registered confidential client can get a token"
+  (iddnm
+    (idd-ev
+      "O = identity_oauth:start(),\n       {ok, Cid, Sec} = identity_oauth:register_dynamic(O, confidential, [uri1]),\n       {ok, T} = identity_oauth:client_credentials(O, Cid, Sec, batch),\n       case identity_oauth:introspect(O, T) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "active")
+
+(id-dyn-test
+  "the token's subject is the generated client id"
+  (iddnm
+    (idd-ev
+      "O = identity_oauth:start(),\n       {ok, Cid, Sec} = identity_oauth:register_dynamic(O, confidential, [uri1]),\n       {ok, T} = identity_oauth:client_credentials(O, Cid, Sec, batch),\n       case identity_oauth:introspect(O, T) of\n         {active, Sub, _, _} ->\n           case Sub =:= Cid of true -> matches; false -> mismatch end;\n         {inactive} -> inactive\n       end"))
+  "matches")
+
+;; ── the generated secret is required ─────────────────────────────
+
+(id-dyn-test
+  "a wrong secret for a dynamic client is invalid_client"
+  (iddnm
+    (idd-ev
+      "O = identity_oauth:start(),\n       {ok, Cid, _Sec} = identity_oauth:register_dynamic(O, confidential, [uri1]),\n       case identity_oauth:client_credentials(O, Cid, wrongsecret, batch) of\n         {ok, _} -> issued;\n         {error, W} -> W\n       end"))
+  "invalid_client")
+
+;; ── uniqueness ───────────────────────────────────────────────────
+
+(id-dyn-test
+  "two registrations yield distinct client ids"
+  (iddnm
+    (idd-ev
+      "O = identity_oauth:start(),\n       {ok, C1, _} = identity_oauth:register_dynamic(O, confidential, [uri1]),\n       {ok, C2, _} = identity_oauth:register_dynamic(O, confidential, [uri1]),\n       case C1 =:= C2 of true -> collision; false -> distinct end"))
+  "distinct")
+
+;; ── a dynamic public client still cannot use client-credentials ──
+
+(id-dyn-test
+  "a dynamic public client is unauthorized for client-credentials"
+  (iddnm
+    (idd-ev
+      "O = identity_oauth:start(),\n       {ok, Cid, Sec} = identity_oauth:register_dynamic(O, public, [uri1]),\n       case identity_oauth:client_credentials(O, Cid, Sec, batch) of\n         {ok, _} -> issued;\n         {error, W} -> W\n       end"))
+  "unauthorized_client")
+
+(define
+  id-dyn-test-summary
+  (str "dynreg " id-dyn-test-pass "/" id-dyn-test-count))

plans/identity-on-sx.md

@@ -19,7 +19,7 @@ through the event log, all authorization questions delegated to `acl-on-sx`.
 
 ## Status (rolling)
 
-`bash lib/identity/conformance.sh` → **217/217** (4 phases + 12 ext) — needs `timeout 580`
+`bash lib/identity/conformance.sh` → **222/222** (4 phases + 13 ext) — needs `timeout 580`
 
 ## Ground rules
 
@@ -86,12 +86,19 @@ lib/identity/api.sx ── (identity/login) (identity/grant?) (identity/revoke)
 - [x] acl-on-sx delegation: identity-gates-before-acl boundary (401 vs 403), stub decider (live Datalog bridge is cross-substrate)
 - [~] OAuth `state`/OIDC `nonce` — low value in this server-centric model (client-side echo); skipped
 - [x] pushed authorization requests (PAR, RFC 9126): single-use request_uri → consent
+- [x] dynamic client registration (RFC 7591): server-generated client_id + secret
 - [x] unify `api.sx` over membership + audit (one facade, audited login/logout)
 - [x] subject-wide session management: `sessions(Subject)` + `logout_all` (log out everywhere)
 - [x] token exchange (RFC 8693): downscope a token into a new independent token
 - [x] RFC 7662 full introspection metadata (`introspect_full`: sub/client_id/scope/exp/iat/token_type)
 
 ## Progress log
+- 2026-06-07 — dynamic client registration (ext, RFC 7591): `register_dynamic`
+  generates a client_id + secret server-side (make_ref each) and registers the
+  client, returning {ok, ClientId, Secret} — self-service onboarding distinct
+  from the manual register_client. A dynamic confidential client can then use
+  client_credentials; a dynamic public client stays unauthorized_client. New
+  tests/dynreg.sx (5). 217→222.
 - 2026-06-07 — PAR (ext, RFC 9126): `push_authorization_request` lodges the
   authorization params under a single-use `request_uri`; `authorize_pushed`
   redeems it into the normal consent flow. Pushed requests reuse the pending