identity: opaque grant-backed tokens — issue/introspect/revoke (9 tests)

Token table is a process; the token is an opaque make_ref carrying no information. introspect() is a live table lookup every time, so revocation is real (RFC 7009 §2): a revoked token reads {inactive} on the next introspection with no validity window. Reply shapes follow RFC 7662 §2.2 ({active, Subject, Client, Scope} / {inactive}). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-06 23:48:30 +00:00
parent 1c6b80404e
commit ac63501266
6 changed files with 140 additions and 6 deletions
--- a/lib/identity/scoreboard.json
+++ b/lib/identity/scoreboard.json
@@ -1,8 +1,9 @@
 {
  "language": "identity",
-  "total_pass": 11,
-  "total": 11,
+  "total_pass": 20,
+  "total": 20,
  "suites": [
-    {"name":"session","pass":11,"total":11,"status":"ok"}
+    {"name":"session","pass":11,"total":11,"status":"ok"},
+    {"name":"token","pass":9,"total":9,"status":"ok"}
  ]
 }