git.stella-ops.org/docs/features/unchecked/authority/authority-module-with-oidc-oauth2-dpop-mtls.md
Authority Module with OIDC/OAuth2, DPoP, mTLS

Module

Authority

Status

IMPLEMENTED

Description

Full Authority module with OIDC/OAuth2 flows, DPoP (Demonstration of Proof-of-Possession) handlers, mTLS support, and plugin-based identity provider architecture.

Implementation Details

  • Modules: src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/, src/Authority/StellaOps.Authority/StellaOps.Authority/Security/
  • Key Classes:
    • ClientCredentialsHandlers (src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/ClientCredentialsHandlers.cs) - client credentials grant with audit logging via ClientCredentialsAuditHelper.cs
    • PasswordGrantHandlers (src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/PasswordGrantHandlers.cs) - resource owner password credentials grant
    • RefreshTokenHandlers (src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/RefreshTokenHandlers.cs) - refresh token rotation and validation
    • DpopHandlers (src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/DpopHandlers.cs) - DPoP proof-of-possession validation (RFC 9449)
    • RevocationHandlers (src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/RevocationHandlers.cs) - token revocation (RFC 7009)
    • DiscoveryHandlers (src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/DiscoveryHandlers.cs) - OpenID Connect discovery metadata
    • TokenPersistenceHandlers (src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/TokenPersistenceHandlers.cs) - persists issued tokens to storage
    • TokenValidationHandlers (src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/TokenValidationHandlers.cs) - validates token integrity and binding
    • AuthoritySenderConstraintHelper (src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/AuthoritySenderConstraintHelper.cs) - validates DPoP proof JWTs and sender-constrained tokens
    • AuthorityClientCertificateValidator (src/Authority/StellaOps.Authority/StellaOps.Authority/Security/AuthorityClientCertificateValidator.cs) - validates client certificates for mTLS-bound tokens
    • TokenRequestTamperInspector (src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/TokenRequestTamperInspector.cs) - detects tampered token requests
    • AuthorityTokenKinds (src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/AuthorityTokenKinds.cs) - enumerates supported token types
    • AuthoritySenderConstraintKinds (src/Authority/StellaOps.Authority/StellaOps.Authority/Security/AuthoritySenderConstraintKinds.cs) - constraint types (DPoP, mTLS)
  • Interfaces: IAuthorityClientCertificateValidator (src/Authority/StellaOps.Authority/StellaOps.Authority/Security/IAuthorityClientCertificateValidator.cs)
  • Source: Feature matrix scan

E2E Test Plan

  • Request an access token via ClientCredentialsHandlers and verify a valid JWT is returned with correct claims and scopes
  • Request an access token with a DPoP proof header and verify DpopHandlers returns a DPoP-bound token (token_type: DPoP)
  • Attempt to use a DPoP-bound token without the proof header and verify the request is rejected with 401
  • Present a valid client certificate and request an mTLS-bound token; verify AuthorityClientCertificateValidator validates it and the cnf claim contains the certificate thumbprint
  • Verify token refresh via RefreshTokenHandlers: obtain a refresh token, exchange it for a new access token, and verify the old refresh token is rotated
  • Revoke a token via RevocationHandlers and verify it is no longer accepted
  • Query the OpenID Connect discovery endpoint and verify DiscoveryHandlers returns DPoP and mTLS metadata
  • Submit a tampered token request and verify TokenRequestTamperInspector rejects it
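The DPoP checks that DpopHandlers and AuthoritySenderConstraintHelper are described as performing, and the E2E cases above (a DPoP-bound token presented without its proof, a proof from a key other than the one bound into cnf), can be seen end to end in the following added example. It is illustrative Go written for this page, not code from the StellaOps Authority project (which is C#/OpenIddict), and it covers the RFC 9449 section 4.3 verifier checklist: proof header (typ dpop+jwt, fixed alg, embedded public key), signature, htm/htu binding, iat window, jti replay, and the RFC 7638 thumbprint comparison against the token's cnf.jkt. The names newProof, verifyDPoP, replayCache and the URI are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// jwk is the EC public key a DPoP proof carries in its JOSE header. Field order is the
// RFC 7638 lexicographic order, so json.Marshal yields the exact thumbprint input.
type jwk struct {
	Crv string `json:"crv"`
	Kty string `json:"kty"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

// thumbprint is the RFC 7638 JWK thumbprint; the issuer stores it in the token's cnf.jkt.
func thumbprint(k jwk) string {
	canon, _ := json.Marshal(k) // {"crv":..,"kty":..,"x":..,"y":..} with no whitespace
	sum := sha256.Sum256(canon)
	return b64.EncodeToString(sum[:])
}

func pubJWK(pub *ecdsa.PublicKey) jwk {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return jwk{Kty: "EC", Crv: "P-256", X: b64.EncodeToString(x), Y: b64.EncodeToString(y)}
}

// newProof is the client side: a dpop+jwt over method, URI and a fresh jti, ES256-signed (raw r||s).
func newProof(priv *ecdsa.PrivateKey, method, uri, jti string) string {
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": pubJWK(&priv.PublicKey)})
	body, _ := json.Marshal(map[string]any{"jti": jti, "htm": method, "htu": uri, "iat": time.Now().Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:])
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig)
}

// replayCache records seen jti values; a real server shares this store and expires entries past the iat window.
type replayCache map[string]bool

// verifyDPoP runs the RFC 9449 section 4.3 checks for a proof presented with a DPoP-bound token
// whose cnf.jkt is expectedJKT. uri is the request URI without query and fragment, as htu requires.
func (seen replayCache) verifyDPoP(proof, method, uri, expectedJKT string) error {
	if proof == "" {
		return errors.New("DPoP-bound token used without a DPoP proof") // the 401 case in the test plan
	}
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("malformed proof")
	}
	var hdr struct{ Typ, Alg string; Jwk jwk }          // encoding/json matches keys case-insensitively
	var claims struct{ Jti, Htm, Htu string; Iat int64 } // so "typ" fills Typ, "jti" fills Jti, etc.
	hb, e1 := b64.DecodeString(parts[0])
	cb, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 ||
		json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(cb, &claims) != nil {
		return errors.New("undecodable proof")
	}
	if hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.Jwk.Kty != "EC" || hdr.Jwk.Crv != "P-256" {
		return errors.New("unsupported proof header") // never let the proof choose the algorithm
	}
	xb, _ := b64.DecodeString(hdr.Jwk.X)
	yb, _ := b64.DecodeString(hdr.Jwk.Y)
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return errors.New("proof jwk is not a valid P-256 point")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // signature is checked with the embedded key
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("invalid proof signature")
	}
	if claims.Htm != method || claims.Htu != uri {
		return errors.New("proof htm/htu do not match this request")
	}
	if age := time.Now().Unix() - claims.Iat; age < -30 || age > 300 {
		return errors.New("proof iat outside acceptance window")
	}
	if claims.Jti == "" || seen[claims.Jti] {
		return errors.New("proof jti missing or replayed")
	}
	seen[claims.Jti] = true
	if thumbprint(hdr.Jwk) != expectedJKT { // the sender constraint: proof key must be the token's key
		return errors.New("proof key does not match the token's cnf.jkt")
	}
	return nil
}
```

The signature only proves possession of whatever key the proof embeds; the thumbprint comparison at the end is what ties the proof to the token, so a valid proof from a different key is still rejected. Two checks from RFC 9449 are left out here for brevity: the ath claim (hash of the access token, required when the proof accompanies a token at a protected resource) and server-provided DPoP nonces, both of which a production verifier such as the one described above would also enforce.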