identity: dynamic client registration (RFC 7591, +5 tests)

register_dynamic generates a client_id + secret server-side and registers the client, returning {ok, ClientId, Secret} — self-service onboarding distinct from the manual register_client. A dynamic confidential client can then use client_credentials; a dynamic public client stays unauthorized_client. New tests/dynreg.sx. 222/222. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-07 04:48:45 +00:00
parent 398209d484
commit 8130521f02
6 changed files with 93 additions and 15 deletions
--- a/lib/identity/conformance.sh
+++ b/lib/identity/conformance.sh
@@ -48,6 +48,7 @@ SUITES=(
  "exchange|id-xchg-test-pass|id-xchg-test-count"
  "introspect|id-intr-test-pass|id-intr-test-count"
  "par|id-par-test-pass|id-par-test-count"
+  "dynreg|id-dyn-test-pass|id-dyn-test-count"
 )

 cat > "$TMPFILE" << 'EPOCHS'
@@ -91,6 +92,7 @@ cat > "$TMPFILE" << 'EPOCHS'
 (load "lib/identity/tests/exchange.sx")
 (load "lib/identity/tests/introspect.sx")
 (load "lib/identity/tests/par.sx")
+(load "lib/identity/tests/dynreg.sx")
 (epoch 100)
 (eval "(list id-session-test-pass id-session-test-count)")
 (epoch 101)
@@ -131,6 +133,8 @@ cat > "$TMPFILE" << 'EPOCHS'
 (eval "(list id-intr-test-pass id-intr-test-count)")
 (epoch 119)
 (eval "(list id-par-test-pass id-par-test-count)")
+(epoch 120)
+(eval "(list id-dyn-test-pass id-dyn-test-count)")
 EPOCHS

 timeout 600 "$SX_SERVER" < "$TMPFILE" > "$OUTFILE" 2>&1
--- a/lib/identity/oauth.sx
+++ b/lib/identity/oauth.sx
--- a/lib/identity/scoreboard.json
+++ b/lib/identity/scoreboard.json
@@ -1,7 +1,7 @@
 {
  "language": "identity",
-  "total_pass": 217,
-  "total": 217,
+  "total_pass": 222,
+  "total": 222,
  "suites": [
    {"name":"session","pass":11,"total":11,"status":"ok"},
    {"name":"token","pass":24,"total":24,"status":"ok"},
@@ -22,6 +22,7 @@
    {"name":"session-mgmt","pass":8,"total":8,"status":"ok"},
    {"name":"exchange","pass":8,"total":8,"status":"ok"},
    {"name":"introspect","pass":9,"total":9,"status":"ok"},
-    {"name":"par","pass":7,"total":7,"status":"ok"}
+    {"name":"par","pass":7,"total":7,"status":"ok"},
+    {"name":"dynreg","pass":5,"total":5,"status":"ok"}
  ]
 }
--- a/lib/identity/scoreboard.md
+++ b/lib/identity/scoreboard.md
@@ -1,6 +1,6 @@
 # identity-on-sx Scoreboard

-**Total: 217 / 217 tests passing**
+**Total: 222 / 222 tests passing**

 |  | Suite | Pass | Total |
 |---|---|---|---|
@@ -24,6 +24,7 @@
 | ✅ | exchange | 8 | 8 |
 | ✅ | introspect | 9 | 9 |
 | ✅ | par | 7 | 7 |
+| ✅ | dynreg | 5 | 5 |


 Generated by `lib/identity/conformance.sh`.
--- a/lib/identity/tests/dynreg.sx
+++ b/lib/identity/tests/dynreg.sx
@@ -0,0 +1,68 @@
+;; identity/tests/dynreg.sx — dynamic client registration (RFC 7591): the
+;; server generates the client_id + secret for self-service onboarding.
+
+(define id-dyn-test-count 0)
+(define id-dyn-test-pass 0)
+(define id-dyn-test-fails (list))
+
+(define
+  id-dyn-test
+  (fn
+    (name actual expected)
+    (set! id-dyn-test-count (+ id-dyn-test-count 1))
+    (if
+      (= actual expected)
+      (set! id-dyn-test-pass (+ id-dyn-test-pass 1))
+      (append! id-dyn-test-fails {:name name :expected expected :actual actual}))))
+
+(define idd-ev erlang-eval-ast)
+(define iddnm (fn (v) (get v :name)))
+
+(identity-load-oauth!)
+
+;; ── self-service registration yields usable credentials ──────────
+
+(id-dyn-test
+  "a dynamically registered confidential client can get a token"
+  (iddnm
+    (idd-ev
+      "O = identity_oauth:start(),\n       {ok, Cid, Sec} = identity_oauth:register_dynamic(O, confidential, [uri1]),\n       {ok, T} = identity_oauth:client_credentials(O, Cid, Sec, batch),\n       case identity_oauth:introspect(O, T) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
+  "active")
+
+(id-dyn-test
+  "the token's subject is the generated client id"
+  (iddnm
+    (idd-ev
+      "O = identity_oauth:start(),\n       {ok, Cid, Sec} = identity_oauth:register_dynamic(O, confidential, [uri1]),\n       {ok, T} = identity_oauth:client_credentials(O, Cid, Sec, batch),\n       case identity_oauth:introspect(O, T) of\n         {active, Sub, _, _} ->\n           case Sub =:= Cid of true -> matches; false -> mismatch end;\n         {inactive} -> inactive\n       end"))
+  "matches")
+
+;; ── the generated secret is required ─────────────────────────────
+
+(id-dyn-test
+  "a wrong secret for a dynamic client is invalid_client"
+  (iddnm
+    (idd-ev
+      "O = identity_oauth:start(),\n       {ok, Cid, _Sec} = identity_oauth:register_dynamic(O, confidential, [uri1]),\n       case identity_oauth:client_credentials(O, Cid, wrongsecret, batch) of\n         {ok, _} -> issued;\n         {error, W} -> W\n       end"))
+  "invalid_client")
+
+;; ── uniqueness ───────────────────────────────────────────────────
+
+(id-dyn-test
+  "two registrations yield distinct client ids"
+  (iddnm
+    (idd-ev
+      "O = identity_oauth:start(),\n       {ok, C1, _} = identity_oauth:register_dynamic(O, confidential, [uri1]),\n       {ok, C2, _} = identity_oauth:register_dynamic(O, confidential, [uri1]),\n       case C1 =:= C2 of true -> collision; false -> distinct end"))
+  "distinct")
+
+;; ── a dynamic public client still cannot use client-credentials ──
+
+(id-dyn-test
+  "a dynamic public client is unauthorized for client-credentials"
+  (iddnm
+    (idd-ev
+      "O = identity_oauth:start(),\n       {ok, Cid, Sec} = identity_oauth:register_dynamic(O, public, [uri1]),\n       case identity_oauth:client_credentials(O, Cid, Sec, batch) of\n         {ok, _} -> issued;\n         {error, W} -> W\n       end"))
+  "unauthorized_client")
+
+(define
+  id-dyn-test-summary
+  (str "dynreg " id-dyn-test-pass "/" id-dyn-test-count))