save checkpoint

docs/features/checked/authority/authority-module-with-oidc-oauth2-dpop-mtls.md

@@ -0,0 +1,39 @@
+# Authority Module with OIDC/OAuth2, DPoP, mTLS
+
+## Module
+Authority
+
+## Status
+IMPLEMENTED
+
+## Description
+Full Authority module with OIDC/OAuth2 flows, DPoP (Demonstration of Proof-of-Possession) handlers, mTLS support, and plugin-based identity provider architecture.
+
+## Implementation Details
+- **Modules**: `src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/`, `src/Authority/StellaOps.Authority/StellaOps.Authority/Security/`
+- **Key Classes**:
+  - `ClientCredentialsHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/ClientCredentialsHandlers.cs`) - client credentials grant with audit logging via `ClientCredentialsAuditHelper.cs`
+  - `PasswordGrantHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/PasswordGrantHandlers.cs`) - resource owner password credentials grant
+  - `RefreshTokenHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/RefreshTokenHandlers.cs`) - refresh token rotation and validation
+  - `DpopHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/DpopHandlers.cs`) - DPoP proof-of-possession validation (RFC 9449)
+  - `RevocationHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/RevocationHandlers.cs`) - token revocation (RFC 7009)
+  - `DiscoveryHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/DiscoveryHandlers.cs`) - OpenID Connect discovery metadata
+  - `TokenPersistenceHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/TokenPersistenceHandlers.cs`) - persists issued tokens to storage
+  - `TokenValidationHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/TokenValidationHandlers.cs`) - validates token integrity and binding
+  - `AuthoritySenderConstraintHelper` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/AuthoritySenderConstraintHelper.cs`) - validates DPoP proof JWTs and sender-constrained tokens
+  - `AuthorityClientCertificateValidator` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Security/AuthorityClientCertificateValidator.cs`) - validates client certificates for mTLS-bound tokens
+  - `TokenRequestTamperInspector` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/TokenRequestTamperInspector.cs`) - detects tampered token requests
+  - `AuthorityTokenKinds` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/AuthorityTokenKinds.cs`) - enumerates supported token types
+  - `AuthoritySenderConstraintKinds` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Security/AuthoritySenderConstraintKinds.cs`) - constraint types (DPoP, mTLS)
+- **Interfaces**: `IAuthorityClientCertificateValidator` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Security/IAuthorityClientCertificateValidator.cs`)
+- **Source**: Feature matrix scan
+
+## E2E Test Plan
+- [ ] Request an access token via `ClientCredentialsHandlers` and verify a valid JWT is returned with correct claims and scopes
+- [ ] Request an access token with a DPoP proof header and verify `DpopHandlers` returns a DPoP-bound token (`token_type: DPoP`)
+- [ ] Attempt to use a DPoP-bound token without the proof header and verify the request is rejected with 401
+- [ ] Present a valid client certificate and request an mTLS-bound token; verify `AuthorityClientCertificateValidator` validates it and the `cnf` claim contains the certificate thumbprint
+- [ ] Verify token refresh via `RefreshTokenHandlers`: obtain a refresh token, exchange it for a new access token, and verify the old refresh token is rotated
+- [ ] Revoke a token via `RevocationHandlers` and verify it is no longer accepted
+- [ ] Query the OpenID Connect discovery endpoint and verify `DiscoveryHandlers` returns DPoP and mTLS metadata
+- [ ] Submit a tampered token request and verify `TokenRequestTamperInspector` rejects it