# Authority Module with OIDC/OAuth2, DPoP, mTLS

## Module

Authority

## Status

IMPLEMENTED

## Description

Full Authority module with OIDC/OAuth2 flows, DPoP (Demonstration of Proof-of-Possession) handlers, mTLS support, and plugin-based identity provider architecture.

## Implementation Details

- **Modules**: `src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/`, `src/Authority/StellaOps.Authority/StellaOps.Authority/Security/`
- **Key Classes**:
  - `ClientCredentialsHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/ClientCredentialsHandlers.cs`) - client credentials grant with audit logging via `ClientCredentialsAuditHelper.cs`
  - `PasswordGrantHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/PasswordGrantHandlers.cs`) - resource owner password credentials grant
  - `RefreshTokenHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/RefreshTokenHandlers.cs`) - refresh token rotation and validation
  - `DpopHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/DpopHandlers.cs`) - DPoP proof-of-possession validation (RFC 9449)
  - `RevocationHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/RevocationHandlers.cs`) - token revocation (RFC 7009)
  - `DiscoveryHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/DiscoveryHandlers.cs`) - OpenID Connect discovery metadata
  - `TokenPersistenceHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/TokenPersistenceHandlers.cs`) - persists issued tokens to storage
  - `TokenValidationHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/TokenValidationHandlers.cs`) - validates token integrity and binding
  - `AuthoritySenderConstraintHelper` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/AuthoritySenderConstraintHelper.cs`) - validates DPoP proof JWTs and sender-constrained tokens
  - `AuthorityClientCertificateValidator` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Security/AuthorityClientCertificateValidator.cs`) - validates client certificates for mTLS-bound tokens
  - `TokenRequestTamperInspector` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/TokenRequestTamperInspector.cs`) - detects tampered token requests
  - `AuthorityTokenKinds` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/AuthorityTokenKinds.cs`) - enumerates supported token types
  - `AuthoritySenderConstraintKinds` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Security/AuthoritySenderConstraintKinds.cs`) - constraint types (DPoP, mTLS)
- **Interfaces**: `IAuthorityClientCertificateValidator` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Security/IAuthorityClientCertificateValidator.cs`)
- **Source**: Feature matrix scan

## E2E Test Plan

- [ ] Request an access token via `ClientCredentialsHandlers` and verify a valid JWT is returned with correct claims and scopes
- [ ] Request an access token with a DPoP proof header and verify `DpopHandlers` returns a DPoP-bound token (`token_type: DPoP`)
- [ ] Attempt to use a DPoP-bound token without the proof header and verify the request is rejected with 401
- [ ] Present a valid client certificate and request an mTLS-bound token; verify `AuthorityClientCertificateValidator` validates it and the `cnf` claim contains the certificate thumbprint
- [ ] Verify token refresh via `RefreshTokenHandlers`: obtain a refresh token, exchange it for a new access token, and verify the old refresh token is rotated
- [ ] Revoke a token via `RevocationHandlers` and verify it is no longer accepted
- [ ] Query the OpenID Connect discovery endpoint and verify `DiscoveryHandlers` returns DPoP and mTLS metadata
- [ ] Submit a tampered token request and verify `TokenRequestTamperInspector` rejects it
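The DPoP checks behind the second and third test-plan items (proof validation in `DpopHandlers`, `cnf` binding in `AuthoritySenderConstraintHelper`), as an added stand-alone example that is not code from the StellaOps Authority module (which is C#); it is written in Go so it runs offline, and the function names, the 30 s / 5 min `iat` window and the error strings are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// JWK is the EC public key a DPoP proof embeds in its "jwk" header (encoding/json matches "kty" etc. case-insensitively).
type JWK struct{ Kty, Crv, X, Y string }

// Thumbprint is the RFC 7638 JWK thumbprint (required members, lexicographic order, no whitespace); a DPoP-bound token carries it as cnf.jkt.
func Thumbprint(k JWK) string {
	canon := `{"crv":"` + k.Crv + `","kty":"` + k.Kty + `","x":"` + k.X + `","y":"` + k.Y + `"}`
	sum := sha256.Sum256([]byte(canon))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// ValidateProof applies the RFC 9449 receiver checks to an ES256 proof: typ/alg, signature under the embedded key,
// htm/htu, iat freshness (assumed window -30s..+5m) and the cnf.jkt binding. Replay rejection by jti is the caller's store.
func ValidateProof(proof, method, uri, jkt string, now time.Time) error {
	dec := func(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b }
	var hdr struct{ Typ, Alg string; Jwk JWK }
	var pl struct{ Htm, Htu string; Iat int64 }
	parts := strings.Split(proof, ".")
	if len(parts) != 3 || json.Unmarshal(dec(parts[0]), &hdr) != nil || json.Unmarshal(dec(parts[1]), &pl) != nil ||
		hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.Jwk.Kty != "EC" || hdr.Jwk.Crv != "P-256" || len(dec(parts[2])) != 64 {
		return errors.New("not a well-formed ES256 dpop+jwt with an embedded P-256 key")
	}
	sig := dec(parts[2]) // raw r||s, 32 bytes each; only the key carried in the proof may verify it
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(dec(hdr.Jwk.X)), Y: new(big.Int).SetBytes(dec(hdr.Jwk.Y))}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // JWS signing input
	switch {
	case !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])):
		return errors.New("signature does not verify under the embedded key")
	case pl.Htm != method || pl.Htu != uri:
		return errors.New("htm/htu do not match this request")
	case now.Sub(time.Unix(pl.Iat, 0)) < -30*time.Second || now.Sub(time.Unix(pl.Iat, 0)) > 5*time.Minute:
		return errors.New("iat outside the acceptance window")
	case Thumbprint(hdr.Jwk) != jkt:
		return errors.New("proof key does not match the token's cnf.jkt")
	}
	return nil
}
```

When Authority issues a DPoP-bound token it stores `Thumbprint` of the proof key as `cnf.jkt`; a resource server then passes that claim as `jkt` here, so a stolen token presented with a different key fails the last case.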