SEP-2352: authorization-server migration scenario #286
Open
localden wants to merge 1 commit into
SEP-2352 requires that client credentials are bound to the issuing authorization server: when PRM authorization_servers changes to a new issuer, clients MUST re-register and MUST NOT reuse the previous AS's client credentials.

- Traceability yaml: 3 checks, 3 excluded (internal state / UI)
- New auth/authorization-server-migration scenario (draft suite): two auth servers; PRM flips from AS1 to AS2 after the first authenticated request; AS2 asserts it received a fresh /register and never saw AS1's client_id at /authorize or /token
- ConformanceOAuthProvider gains invalidateCredentials and bindIssuer so the everything-client can key credentials by issuer (passing example)
- everything-client adds an issuer-aware handler for this scenario that re-reads PRM on each 401 and rebinds before re-authorizing
- auth-test-reuse-credentials negative client + vitest case
Closes #285.
Adds the auth/authorization-server-migration scenario (draft suite) per SEP-2352.

What changed

- src/seps/sep-2352.yaml: 3 check:, 3 excluded: (internal state-keying / UI)
- src/scenarios/client/auth/authorization-server-migration.ts: two auth servers; PRM authorization_servers flips from AS₁ → AS₂ after the first authenticated request via the existing createServer getAuthServerUrl closure (no helper changes). AS₂ asserts:
  - sep-2352-reregister-on-as-change — its /register was called
  - sep-2352-no-reuse-on-as-change / sep-2352-no-cross-as-credential-reuse — AS₁'s client_id never appeared at /authorize or /token
- ConformanceOAuthProvider gains invalidateCredentials (the SDK already calls this) and bindIssuer(issuer), which clears all credentials when the issuer changes; the everything-client adds an issuer-aware handler that re-reads PRM on each 401 and rebinds before re-authorizing.
- auth-test-reuse-credentials.ts (single-issuer provider, reuses credentials) + vitest case
- draftScenariosList, source.introducedIn = DRAFT_PROTOCOL_VERSION

Output

node dist/index.js client --scenario auth/authorization-server-migration
- everything-client (issuer-aware)
- auth-test-reuse-credentials: client_id and no fresh registration

npm test: auth suite 29/29; spec-version suite passes. server/all-scenarios.test.ts flakes ~2/3 in the full suite (port contention with auth servers; passes in isolation) — pre-existing, unrelated to this change.
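The migration flow the PR describes, as an added example that is not the conformance suite's or the MCP SDK's own code: two stub authorization servers record every /register and every client_id presented at /token, a stub resource server flips its PRM authorization_servers entry, and two credential stores stand in for the everything-client (issuer-keyed, cleared on rebind) and the auth-test-reuse-credentials negative client (single-issuer, reuses whatever it holds). The class and function names (AuthServer, ResourceServer, IssuerBoundStore, SingleIssuerStore, Client, runMigration) and the token format are hypothetical; the check at the end is the same one the scenario asserts, namely that AS₂ saw a fresh registration and never saw AS₁'s client_id.

```typescript
// Added example, not code from the conformance suite or the MCP SDK.
// All names here are hypothetical; the token format is a toy.
type ClientCredentials = { clientId: string; clientSecret: string };

// Constructed stand-in for an authorization server. It records every dynamic
// registration and every client_id presented at /token, which is what the
// scenario's assertions inspect.
class AuthServer {
  readonly registeredClientIds: string[] = [];
  readonly tokenRequestClientIds: string[] = [];
  constructor(readonly issuer: string) {}

  register(): ClientCredentials {
    const clientId = `${this.issuer}/client-${this.registeredClientIds.length + 1}`;
    this.registeredClientIds.push(clientId);
    return { clientId, clientSecret: `secret-for-${clientId}` };
  }

  // Issues a token only for a client_id this server registered; a client_id
  // minted by another issuer is unknown here and is refused.
  token(clientId: string): string | undefined {
    this.tokenRequestClientIds.push(clientId);
    if (!this.registeredClientIds.includes(clientId)) return undefined;
    return `${this.issuer}|access-token|${clientId}`;
  }
}

// Constructed stand-in for the protected resource: PRM names one AS, and
// migrateTo() flips it, after which tokens from the old issuer get 401.
class ResourceServer {
  constructor(private authServer: AuthServer) {}
  migrateTo(next: AuthServer): void { this.authServer = next; }
  prm(): { authorization_servers: string[] } {
    return { authorization_servers: [this.authServer.issuer] };
  }
  request(token: string | undefined): 200 | 401 {
    return token?.startsWith(`${this.authServer.issuer}|`) ? 200 : 401;
  }
}

interface CredentialStore {
  bindIssuer(issuer: string): void;
  load(): ClientCredentials | undefined;
  save(creds: ClientCredentials): void;
}

// Compliant store: credentials are keyed by issuer, so binding to a new
// issuer discards them and forces a fresh /register (no cross-AS reuse).
class IssuerBoundStore implements CredentialStore {
  private issuer?: string;
  private creds?: ClientCredentials;
  bindIssuer(issuer: string): void {
    if (issuer !== this.issuer) { this.creds = undefined; this.issuer = issuer; }
  }
  load(): ClientCredentials | undefined { return this.creds; }
  save(creds: ClientCredentials): void { this.creds = creds; }
}

// Negative client: ignores the issuer and reuses whatever it already holds.
class SingleIssuerStore implements CredentialStore {
  private creds?: ClientCredentials;
  bindIssuer(_issuer: string): void {}
  load(): ClientCredentials | undefined { return this.creds; }
  save(creds: ClientCredentials): void { this.creds = creds; }
}

// On 401 the client re-reads PRM, rebinds the store to the advertised
// issuer, registers if it holds no credentials for it, gets a token, retries.
class Client {
  private token?: string;
  constructor(
    private readonly rs: ResourceServer,
    private readonly servers: Map<string, AuthServer>,
    private readonly store: CredentialStore,
  ) {}

  call(): 200 | 401 {
    if (this.rs.request(this.token) === 200) return 200;
    const issuer = this.rs.prm().authorization_servers[0];
    const as = this.servers.get(issuer);
    if (!as) return 401;
    this.store.bindIssuer(issuer);
    let creds = this.store.load();
    if (!creds) { creds = as.register(); this.store.save(creds); }
    this.token = as.token(creds.clientId);
    return this.rs.request(this.token);
  }
}

// First authenticated request against AS1, PRM flips to AS2, second request
// goes through the 401 handler. Returns what the scenario would assert on.
function runMigration(store: CredentialStore) {
  const as1 = new AuthServer("https://as1.example");
  const as2 = new AuthServer("https://as2.example");
  const rs = new ResourceServer(as1);
  const client = new Client(rs, new Map([[as1.issuer, as1], [as2.issuer, as2]]), store);
  const first = client.call();
  rs.migrateTo(as2);
  const second = client.call();
  const crossReuse = as2.tokenRequestClientIds.some((id) => as1.registeredClientIds.includes(id));
  return { first, second, as2Registrations: as2.registeredClientIds.length, crossReuse };
}

console.log("issuer-bound:", runMigration(new IssuerBoundStore()));
console.log("single-issuer:", runMigration(new SingleIssuerStore()));
```

The negative path fails for two independent reasons, and a real scenario should assert both: AS₂ records AS₁'s client_id at /token (the cross-AS reuse check), and AS₂ never receives a /register at all (the re-registration check). Clearing credentials on every 401 would also pass this toy, but keying by issuer is what makes the rebind safe when the same AS returns a transient 401.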