identity: OAuth client registry — public/confidential clients + redirect allow-list (11 tests)
Some checks failed
Test, Build, and Deploy / test-build-deploy (push) Failing after 25s

clients.sx (RFC 6749 §2) — confidential clients must present the correct
secret at the token endpoint (wrong → invalid_client); public clients are
identified but not authenticated; redirect_uris are pre-registered and
checked by exact-match valid_redirect (§3.1.2.2 + Security BCP). Standalone
module for now; wiring confidential-client auth into oauth exchange is a
follow-up. New tests/clients.sx. 149/149.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
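The two rules the commit message describes (confidential clients must present the right secret and get `invalid_client` otherwise, public clients are identified only, and redirect URIs pass only on an exact match against the registered list) as an added Python illustration; this is not the project's `clients.sx` code, and the `Client` dataclass, `REGISTRY`, and the sample registrations are constructed stand-ins.

```python
import hmac
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Tuple

# Hypothetical stand-in for a registry entry; field names are assumptions.
@dataclass(frozen=True)
class Client:
    client_id: str
    confidential: bool
    secret: Optional[str] = None            # only confidential clients carry one
    redirect_uris: FrozenSet[str] = field(default_factory=frozenset)

# Constructed sample registrations (not real clients).
REGISTRY = {
    "web-app": Client("web-app", True, "s3cret", frozenset({"https://app.example/cb"})),
    "spa": Client("spa", False, None, frozenset({"https://spa.example/cb"})),
}

def authenticate_client(client_id: str, client_secret: Optional[str]) -> Tuple[bool, Optional[str]]:
    """Token-endpoint client authentication (RFC 6749 §2.3).

    Returns (ok, error). Confidential clients must present the registered secret;
    public clients are identified but not authenticated, so no secret is checked.
    Unknown ids and wrong secrets both map to invalid_client so the error does
    not reveal which of the two occurred.
    """
    client = REGISTRY.get(client_id)
    if client is None:
        return False, "invalid_client"
    if not client.confidential:
        return True, None
    if client_secret is None or not hmac.compare_digest(
        client.secret.encode(), client_secret.encode()   # constant-time compare
    ):
        return False, "invalid_client"
    return True, None

def valid_redirect(client_id: str, redirect_uri: str) -> bool:
    """Exact string match against the pre-registered list (§3.1.2.2).

    No prefix, host-only or pattern matching: a trailing slash, an added query
    string, or a look-alike host all fail, and an unknown client never passes.
    """
    client = REGISTRY.get(client_id)
    return client is not None and redirect_uri in client.redirect_uris
```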
2026-06-07 02:03:44 +00:00
parent a43825f25f
commit 9860582b4a
6 changed files with 155 additions and 6 deletions


@@ -39,6 +39,7 @@ SUITES=(
"audit|id-audit-test-pass|id-audit-test-count"
"federation|id-fed-test-pass|id-fed-test-count"
"expiry|id-expiry-test-pass|id-expiry-test-count"
"clients|id-clients-test-pass|id-clients-test-count"
)
cat > "$TMPFILE" << 'EPOCHS'
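Review bot: the new `clients|id-clients-test-pass|id-clients-test-count` triple encodes the same two variable names that the EPOCHS heredoc later repeats by hand in `(eval "(list id-clients-test-pass id-clients-test-count)")` at epoch 111; consider generating the `(epoch N)`/`(eval ...)` pairs from SUITES so that adding a suite is a one-line change and the name pairs cannot drift apart.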
@@ -59,6 +60,7 @@ cat > "$TMPFILE" << 'EPOCHS'
(load "lib/identity/cache.sx")
(load "lib/identity/audit.sx")
(load "lib/identity/federation.sx")
(load "lib/identity/clients.sx")
(load "lib/identity/tests/session.sx")
(load "lib/identity/tests/token.sx")
(load "lib/identity/tests/registry.sx")
@@ -70,6 +72,7 @@ cat > "$TMPFILE" << 'EPOCHS'
(load "lib/identity/tests/audit.sx")
(load "lib/identity/tests/federation.sx")
(load "lib/identity/tests/expiry.sx")
(load "lib/identity/tests/clients.sx")
(epoch 100)
(eval "(list id-session-test-pass id-session-test-count)")
(epoch 101)
@@ -92,6 +95,8 @@ cat > "$TMPFILE" << 'EPOCHS'
(eval "(list id-fed-test-pass id-fed-test-count)")
(epoch 110)
(eval "(list id-expiry-test-pass id-expiry-test-count)")
(epoch 111)
(eval "(list id-clients-test-pass id-clients-test-count)")
EPOCHS
timeout 600 "$SX_SERVER" < "$TMPFILE" > "$OUTFILE" 2>&1
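Review bot: the exit status of `timeout 600 "$SX_SERVER" < "$TMPFILE" > "$OUTFILE" 2>&1` is not checked on the visible line, and the CI status on this commit reports failing after 25s, far below the 600s budget, so confirm the harness distinguishes a server that exited early or hit the timeout (exit 124) from a genuine test failure rather than only parsing $OUTFILE; a `rc=$?` capture right after this line with a clear message would make that diagnosis immediate.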