identity: dynamic client registration (RFC 7591, +5 tests)
Some checks failed
Test, Build, and Deploy / test-build-deploy (push) Failing after 30s
Some checks failed
Test, Build, and Deploy / test-build-deploy (push) Failing after 30s
register_dynamic generates a client_id + secret server-side and registers
the client, returning {ok, ClientId, Secret} — self-service onboarding
distinct from the manual register_client. A dynamic confidential client can
then use client_credentials; a dynamic public client stays
unauthorized_client. New tests/dynreg.sx. 222/222.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -48,6 +48,7 @@ SUITES=(
|
|||||||
"exchange|id-xchg-test-pass|id-xchg-test-count"
|
"exchange|id-xchg-test-pass|id-xchg-test-count"
|
||||||
"introspect|id-intr-test-pass|id-intr-test-count"
|
"introspect|id-intr-test-pass|id-intr-test-count"
|
||||||
"par|id-par-test-pass|id-par-test-count"
|
"par|id-par-test-pass|id-par-test-count"
|
||||||
|
"dynreg|id-dyn-test-pass|id-dyn-test-count"
|
||||||
)
|
)
|
||||||
|
|
||||||
cat > "$TMPFILE" << 'EPOCHS'
|
cat > "$TMPFILE" << 'EPOCHS'
|
||||||
@@ -91,6 +92,7 @@ cat > "$TMPFILE" << 'EPOCHS'
|
|||||||
(load "lib/identity/tests/exchange.sx")
|
(load "lib/identity/tests/exchange.sx")
|
||||||
(load "lib/identity/tests/introspect.sx")
|
(load "lib/identity/tests/introspect.sx")
|
||||||
(load "lib/identity/tests/par.sx")
|
(load "lib/identity/tests/par.sx")
|
||||||
|
(load "lib/identity/tests/dynreg.sx")
|
||||||
(epoch 100)
|
(epoch 100)
|
||||||
(eval "(list id-session-test-pass id-session-test-count)")
|
(eval "(list id-session-test-pass id-session-test-count)")
|
||||||
(epoch 101)
|
(epoch 101)
|
||||||
@@ -131,6 +133,8 @@ cat > "$TMPFILE" << 'EPOCHS'
|
|||||||
(eval "(list id-intr-test-pass id-intr-test-count)")
|
(eval "(list id-intr-test-pass id-intr-test-count)")
|
||||||
(epoch 119)
|
(epoch 119)
|
||||||
(eval "(list id-par-test-pass id-par-test-count)")
|
(eval "(list id-par-test-pass id-par-test-count)")
|
||||||
|
(epoch 120)
|
||||||
|
(eval "(list id-dyn-test-pass id-dyn-test-count)")
|
||||||
EPOCHS
|
EPOCHS
|
||||||
|
|
||||||
timeout 600 "$SX_SERVER" < "$TMPFILE" > "$OUTFILE" 2>&1
|
timeout 600 "$SX_SERVER" < "$TMPFILE" > "$OUTFILE" 2>&1
|
||||||
|
|||||||
File diff suppressed because one or more lines are too long
@@ -1,7 +1,7 @@
|
|||||||
{
|
{
|
||||||
"language": "identity",
|
"language": "identity",
|
||||||
"total_pass": 217,
|
"total_pass": 222,
|
||||||
"total": 217,
|
"total": 222,
|
||||||
"suites": [
|
"suites": [
|
||||||
{"name":"session","pass":11,"total":11,"status":"ok"},
|
{"name":"session","pass":11,"total":11,"status":"ok"},
|
||||||
{"name":"token","pass":24,"total":24,"status":"ok"},
|
{"name":"token","pass":24,"total":24,"status":"ok"},
|
||||||
@@ -22,6 +22,7 @@
|
|||||||
{"name":"session-mgmt","pass":8,"total":8,"status":"ok"},
|
{"name":"session-mgmt","pass":8,"total":8,"status":"ok"},
|
||||||
{"name":"exchange","pass":8,"total":8,"status":"ok"},
|
{"name":"exchange","pass":8,"total":8,"status":"ok"},
|
||||||
{"name":"introspect","pass":9,"total":9,"status":"ok"},
|
{"name":"introspect","pass":9,"total":9,"status":"ok"},
|
||||||
{"name":"par","pass":7,"total":7,"status":"ok"}
|
{"name":"par","pass":7,"total":7,"status":"ok"},
|
||||||
|
{"name":"dynreg","pass":5,"total":5,"status":"ok"}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
# identity-on-sx Scoreboard
|
# identity-on-sx Scoreboard
|
||||||
|
|
||||||
**Total: 217 / 217 tests passing**
|
**Total: 222 / 222 tests passing**
|
||||||
|
|
||||||
| | Suite | Pass | Total |
|
| | Suite | Pass | Total |
|
||||||
|---|---|---|---|
|
|---|---|---|---|
|
||||||
@@ -24,6 +24,7 @@
|
|||||||
| ✅ | exchange | 8 | 8 |
|
| ✅ | exchange | 8 | 8 |
|
||||||
| ✅ | introspect | 9 | 9 |
|
| ✅ | introspect | 9 | 9 |
|
||||||
| ✅ | par | 7 | 7 |
|
| ✅ | par | 7 | 7 |
|
||||||
|
| ✅ | dynreg | 5 | 5 |
|
||||||
|
|
||||||
|
|
||||||
Generated by `lib/identity/conformance.sh`.
|
Generated by `lib/identity/conformance.sh`.
|
||||||
|
|||||||
68
lib/identity/tests/dynreg.sx
Normal file
68
lib/identity/tests/dynreg.sx
Normal file
@@ -0,0 +1,68 @@
|
|||||||
|
;; identity/tests/dynreg.sx — dynamic client registration (RFC 7591): the
|
||||||
|
;; server generates the client_id + secret for self-service onboarding.
|
||||||
|
|
||||||
|
(define id-dyn-test-count 0)
|
||||||
|
(define id-dyn-test-pass 0)
|
||||||
|
(define id-dyn-test-fails (list))
|
||||||
|
|
||||||
|
(define
|
||||||
|
id-dyn-test
|
||||||
|
(fn
|
||||||
|
(name actual expected)
|
||||||
|
(set! id-dyn-test-count (+ id-dyn-test-count 1))
|
||||||
|
(if
|
||||||
|
(= actual expected)
|
||||||
|
(set! id-dyn-test-pass (+ id-dyn-test-pass 1))
|
||||||
|
(append! id-dyn-test-fails {:name name :expected expected :actual actual}))))
|
||||||
|
|
||||||
|
(define idd-ev erlang-eval-ast)
|
||||||
|
(define iddnm (fn (v) (get v :name)))
|
||||||
|
|
||||||
|
(identity-load-oauth!)
|
||||||
|
|
||||||
|
;; ── self-service registration yields usable credentials ──────────
|
||||||
|
|
||||||
|
(id-dyn-test
|
||||||
|
"a dynamically registered confidential client can get a token"
|
||||||
|
(iddnm
|
||||||
|
(idd-ev
|
||||||
|
"O = identity_oauth:start(),\n {ok, Cid, Sec} = identity_oauth:register_dynamic(O, confidential, [uri1]),\n {ok, T} = identity_oauth:client_credentials(O, Cid, Sec, batch),\n case identity_oauth:introspect(O, T) of\n {active, _, _, _} -> active;\n {inactive} -> inactive\n end"))
|
||||||
|
"active")
|
||||||
|
|
||||||
|
(id-dyn-test
|
||||||
|
"the token's subject is the generated client id"
|
||||||
|
(iddnm
|
||||||
|
(idd-ev
|
||||||
|
"O = identity_oauth:start(),\n {ok, Cid, Sec} = identity_oauth:register_dynamic(O, confidential, [uri1]),\n {ok, T} = identity_oauth:client_credentials(O, Cid, Sec, batch),\n case identity_oauth:introspect(O, T) of\n {active, Sub, _, _} ->\n case Sub =:= Cid of true -> matches; false -> mismatch end;\n {inactive} -> inactive\n end"))
|
||||||
|
"matches")
|
||||||
|
|
||||||
|
;; ── the generated secret is required ─────────────────────────────
|
||||||
|
|
||||||
|
(id-dyn-test
|
||||||
|
"a wrong secret for a dynamic client is invalid_client"
|
||||||
|
(iddnm
|
||||||
|
(idd-ev
|
||||||
|
"O = identity_oauth:start(),\n {ok, Cid, _Sec} = identity_oauth:register_dynamic(O, confidential, [uri1]),\n case identity_oauth:client_credentials(O, Cid, wrongsecret, batch) of\n {ok, _} -> issued;\n {error, W} -> W\n end"))
|
||||||
|
"invalid_client")
|
||||||
|
|
||||||
|
;; ── uniqueness ───────────────────────────────────────────────────
|
||||||
|
|
||||||
|
(id-dyn-test
|
||||||
|
"two registrations yield distinct client ids"
|
||||||
|
(iddnm
|
||||||
|
(idd-ev
|
||||||
|
"O = identity_oauth:start(),\n {ok, C1, _} = identity_oauth:register_dynamic(O, confidential, [uri1]),\n {ok, C2, _} = identity_oauth:register_dynamic(O, confidential, [uri1]),\n case C1 =:= C2 of true -> collision; false -> distinct end"))
|
||||||
|
"distinct")
|
||||||
|
|
||||||
|
;; ── a dynamic public client still cannot use client-credentials ──
|
||||||
|
|
||||||
|
(id-dyn-test
|
||||||
|
"a dynamic public client is unauthorized for client-credentials"
|
||||||
|
(iddnm
|
||||||
|
(idd-ev
|
||||||
|
"O = identity_oauth:start(),\n {ok, Cid, Sec} = identity_oauth:register_dynamic(O, public, [uri1]),\n case identity_oauth:client_credentials(O, Cid, Sec, batch) of\n {ok, _} -> issued;\n {error, W} -> W\n end"))
|
||||||
|
"unauthorized_client")
|
||||||
|
|
||||||
|
(define
|
||||||
|
id-dyn-test-summary
|
||||||
|
(str "dynreg " id-dyn-test-pass "/" id-dyn-test-count))
|
||||||
@@ -19,7 +19,7 @@ through the event log, all authorization questions delegated to `acl-on-sx`.
|
|||||||
|
|
||||||
## Status (rolling)
|
## Status (rolling)
|
||||||
|
|
||||||
`bash lib/identity/conformance.sh` → **217/217** (4 phases + 12 ext) — needs `timeout 580`
|
`bash lib/identity/conformance.sh` → **222/222** (4 phases + 13 ext) — needs `timeout 580`
|
||||||
|
|
||||||
## Ground rules
|
## Ground rules
|
||||||
|
|
||||||
@@ -86,12 +86,19 @@ lib/identity/api.sx ── (identity/login) (identity/grant?) (identity/revoke)
|
|||||||
- [x] acl-on-sx delegation: identity-gates-before-acl boundary (401 vs 403), stub decider (live Datalog bridge is cross-substrate)
|
- [x] acl-on-sx delegation: identity-gates-before-acl boundary (401 vs 403), stub decider (live Datalog bridge is cross-substrate)
|
||||||
- [~] OAuth `state`/OIDC `nonce` — low value in this server-centric model (client-side echo); skipped
|
- [~] OAuth `state`/OIDC `nonce` — low value in this server-centric model (client-side echo); skipped
|
||||||
- [x] pushed authorization requests (PAR, RFC 9126): single-use request_uri → consent
|
- [x] pushed authorization requests (PAR, RFC 9126): single-use request_uri → consent
|
||||||
|
- [x] dynamic client registration (RFC 7591): server-generated client_id + secret
|
||||||
- [x] unify `api.sx` over membership + audit (one facade, audited login/logout)
|
- [x] unify `api.sx` over membership + audit (one facade, audited login/logout)
|
||||||
- [x] subject-wide session management: `sessions(Subject)` + `logout_all` (log out everywhere)
|
- [x] subject-wide session management: `sessions(Subject)` + `logout_all` (log out everywhere)
|
||||||
- [x] token exchange (RFC 8693): downscope a token into a new independent token
|
- [x] token exchange (RFC 8693): downscope a token into a new independent token
|
||||||
- [x] RFC 7662 full introspection metadata (`introspect_full`: sub/client_id/scope/exp/iat/token_type)
|
- [x] RFC 7662 full introspection metadata (`introspect_full`: sub/client_id/scope/exp/iat/token_type)
|
||||||
|
|
||||||
## Progress log
|
## Progress log
|
||||||
|
- 2026-06-07 — dynamic client registration (ext, RFC 7591): `register_dynamic`
|
||||||
|
generates a client_id + secret server-side (make_ref each) and registers the
|
||||||
|
client, returning {ok, ClientId, Secret} — self-service onboarding distinct
|
||||||
|
from the manual register_client. A dynamic confidential client can then use
|
||||||
|
client_credentials; a dynamic public client stays unauthorized_client. New
|
||||||
|
tests/dynreg.sx (5). 217→222.
|
||||||
- 2026-06-07 — PAR (ext, RFC 9126): `push_authorization_request` lodges the
|
- 2026-06-07 — PAR (ext, RFC 9126): `push_authorization_request` lodges the
|
||||||
authorization params under a single-use `request_uri`; `authorize_pushed`
|
authorization params under a single-use `request_uri`; `authorize_pushed`
|
||||||
redeems it into the normal consent flow. Pushed requests reuse the pending
|
redeems it into the normal consent flow. Pushed requests reuse the pending
|
||||||
|
|||||||
Reference in New Issue
Block a user