coop/rose-ash
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

identity: refresh-token rotation + cascading revocation (token.sx grant-centric, +9 tests)
Some checks failed
Test, Build, and Deploy / test-build-deploy (push) Failing after 37s
Details

Browse Source 
The grant {Subject,Client,Scope,Status} becomes the unit of authorization
and cascade; access + refresh tokens reference it. issue_grant returns an
access+refresh pair; refresh (RFC 6749 §6) supersedes the presented refresh
token and mints a fresh pair; reusing a superseded refresh token is treated
as theft (RFC 6819 §5.2.2.3) and revokes the whole family, killing the live
descendant. revoke of any token cascades to the grant. All prior token
behaviour preserved. token 18/18, 62/62.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
giles
2026-06-07 00:26:05 +00:00
parent 27f43dbf10
commit baee67f561
5 changed files with 112 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
plans/identity-on-sx.md
View File

@@ -19,7 +19,7 @@ through the event log, all authorization questions delegated to `acl-on-sx`.
## Status (rolling)
`bash lib/identity/conformance.sh`**53/53** (Phase 1 + authz-code flow)
`bash lib/identity/conformance.sh`**62/62** (Phase 1 + authz-code + refresh/rotation/cascade)
## Ground rules
@@ -64,7 +64,7 @@ lib/identity/api.sx ── (identity/login) (identity/grant?) (identity/revoke)
## Phase 2 — OAuth2 flows
- [x] authorization-code flow as a message protocol
- [ ] refresh + rotation; revocation cascades to issued tokens
- [x] refresh + rotation; revocation cascades to issued tokens
- [ ] tests: full code exchange, refresh, revoke-then-use (must fail)
## Phase 3 — Silent SSO + membership
@@ -78,6 +78,14 @@ lib/identity/api.sx ── (identity/login) (identity/grant?) (identity/revoke)
- [ ] tests: audit completeness, cross-instance subject mapping
## Progress log
- 2026-06-07 — `token.sx` grant-centric rewrite: refresh-token rotation
(RFC 6749 §6) + cascading revocation. The grant {Subject,Client,Scope,
Status} is the cascade unit; access + refresh tokens reference it.
`issue_grant` → {ok, Access, Refresh}; `refresh` supersedes the old
refresh + mints a new pair; reusing a superseded refresh token revokes
the whole family (RFC 6819 §5.2.2.3), killing the live descendant.
`revoke` of ANY token (access or refresh) cascades to the grant. All
prior issue/introspect/revoke behaviour preserved. +9 → token 18, 62/62.
- 2026-06-07 — `oauth.sx`: OAuth2 authorization-code flow as a message
protocol (RFC 6749 §4.1) + PKCE (RFC 7636, plain). State machine on one
authz-server process: authorize → {consent_required} → consent →