semi-implemented and features implemented save checkpoint

This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions


@@ -0,0 +1,39 @@
# Authority Module with OIDC/OAuth2, DPoP, mTLS
## Module
Authority
## Status
IMPLEMENTED
## Description
Full Authority module with OIDC/OAuth2 flows, DPoP (Demonstration of Proof-of-Possession) handlers, mTLS support, and plugin-based identity provider architecture.
## Implementation Details
- **Modules**: `src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/`, `src/Authority/StellaOps.Authority/StellaOps.Authority/Security/`
- **Key Classes**:
- `ClientCredentialsHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/ClientCredentialsHandlers.cs`) - client credentials grant with audit logging via `ClientCredentialsAuditHelper.cs`
- `PasswordGrantHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/PasswordGrantHandlers.cs`) - resource owner password credentials grant
- `RefreshTokenHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/RefreshTokenHandlers.cs`) - refresh token rotation and validation
- `DpopHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/DpopHandlers.cs`) - DPoP proof-of-possession validation (RFC 9449)
- `RevocationHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/RevocationHandlers.cs`) - token revocation (RFC 7009)
- `DiscoveryHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/DiscoveryHandlers.cs`) - OpenID Connect discovery metadata
- `TokenPersistenceHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/TokenPersistenceHandlers.cs`) - persists issued tokens to storage
- `TokenValidationHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/TokenValidationHandlers.cs`) - validates token integrity and binding
- `AuthoritySenderConstraintHelper` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/AuthoritySenderConstraintHelper.cs`) - validates DPoP proof JWTs and sender-constrained tokens
- `AuthorityClientCertificateValidator` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Security/AuthorityClientCertificateValidator.cs`) - validates client certificates for mTLS-bound tokens
- `TokenRequestTamperInspector` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/TokenRequestTamperInspector.cs`) - detects tampered token requests
- `AuthorityTokenKinds` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/AuthorityTokenKinds.cs`) - enumerates supported token types
- `AuthoritySenderConstraintKinds` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Security/AuthoritySenderConstraintKinds.cs`) - constraint types (DPoP, mTLS)
- **Interfaces**: `IAuthorityClientCertificateValidator` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Security/IAuthorityClientCertificateValidator.cs`)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Request an access token via `ClientCredentialsHandlers` and verify a valid JWT is returned with correct claims and scopes
- [ ] Request an access token with a DPoP proof header and verify `DpopHandlers` returns a DPoP-bound token (`token_type: DPoP`)
- [ ] Attempt to use a DPoP-bound token without the proof header and verify the request is rejected with 401
- [ ] Present a valid client certificate and request an mTLS-bound token; verify `AuthorityClientCertificateValidator` validates it and the `cnf` claim contains the certificate thumbprint
- [ ] Verify token refresh via `RefreshTokenHandlers`: obtain a refresh token, exchange it for a new access token, and verify the old refresh token is rotated
- [ ] Revoke a token via `RevocationHandlers` and verify it is no longer accepted
- [ ] Query the OpenID Connect discovery endpoint and verify `DiscoveryHandlers` returns DPoP and mTLS metadata
- [ ] Submit a tampered token request and verify `TokenRequestTamperInspector` rejects it
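Review bot: The E2E test plan in this file states the positive DPoP and mTLS paths but not the negative checks that RFC 9449 (cited for `DpopHandlers`) requires of a proof validator, so a regression in `AuthoritySenderConstraintHelper` would pass this plan unnoticed. Please add items for a proof whose `htm`/`htu` do not match the request, an `iat` outside the accepted window, a reused `jti` (replay), a missing or wrong `ath` when an access token accompanies the proof, and a proof signed by a key other than the one in the token's `cnf.jkt`. The mTLS item "verify ... the `cnf` claim contains the certificate thumbprint" should name the claim member and hash (`cnf.x5t#S256`, RFC 8705) so the test is unambiguous. The refresh item "verify the old refresh token is rotated" should also assert that presenting the old token after rotation is rejected, since rotation without reuse detection is the weaker property. Finally, `Status` reads `IMPLEMENTED` while every test item is unchecked and `Source` is `Feature matrix scan`; consider marking the status as implemented-but-unverified, or linking the test results that justify it.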