Skip to content

auth-server: re-introduce granular oidc:client:register capability check #318

Description

@bordumb

Context

When auths-auth-server was open-sourced (#317) and realigned to current crate APIs, the verifier's chain-level capability function verify_chain_with_capability no longer existed — capability scoping moved to commit/agent verification (commit_kel.rs: OutsideAgentScope, agent scope), and Attestation no longer carries role/capabilities.

As a result, domain/verification.rs::verify_keri_receipt currently authorizes any valid KERI chain rooted at the supplied key for RFC 7591 client registration. The granular oidc:client:register capability gate is dropped (flagged in code).

Task

Re-introduce a granular registration-authorization check using the current capability model. Determine how a registering identity proves the oidc:client:register capability now (commit/agent scope, role-based authorization at member-authorization time, or a registration-specific attestation) and enforce it.

Acceptance

  • Registration authorizes only identities granted oidc:client:register (per the current model), failing closed otherwise (per meta_prompt §III).
  • Adversarial test: a valid chain without the capability is rejected (per meta_prompt §V).
  • REGISTRATION_CAPABILITY enforcement is restored or the constant removed.

See crates/auths-auth-server/src/domain/verification.rs.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions