Client Auth: Scope Selection & Challenge Handling #32

@pcarleton

Description

Overview

Add conformance tests for OAuth scope selection strategies and scope challenge handling in client authentication flows.

Specification References

Key Requirements from Specification

Scope Selection (SHOULD)

  • Clients SHOULD follow the principle of least privilege when choosing which scopes to request
  • Clients SHOULD use the scope parameter from the WWW-Authenticate header if the server provides one
  • If the WWW-Authenticate header carries no scope parameter, request all scopes listed in scopes_supported in the Protected Resource Metadata
  • Omit the scope parameter entirely if scopes_supported is undefined

Scope Challenge Handling

  • Servers SHOULD respond with HTTP 403 for insufficient scope errors
  • Servers SHOULD include WWW-Authenticate header with error="insufficient_scope"
  • Servers SHOULD include a scope parameter listing the scopes the request requires
  • Clients SHOULD respond by requesting a new token with the increased scopes via step-up authorization
  • Clients SHOULD enforce a retry limit on scope upgrade attempts so a server that keeps answering insufficient_scope cannot drive an endless loop

401 Handling on Non-Initialize (MUST)

  • Clients MUST parse WWW-Authenticate headers
  • Clients MUST respond appropriately to HTTP 401 responses
  • Authorization MUST be included in every HTTP request
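The three requirement groups above (scope selection, insufficient_scope step-up with a retry limit, and 401 handling) are what a client under test has to get right. The following is an added example written for this issue, not code from the conformance suite or from any MCP client: it parses WWW-Authenticate challenges, picks scopes in the order the spec gives, and drives a request through 401 and 403 responses with a bounded number of re-authorizations. The names (`parseWwwAuthenticate`, `selectScope`, `requestWithStepUp`), the constructed `fakeServer` with its `tok:<scopes>` token format, and the `rs.example` URLs are all assumptions made so the example runs offline.

```typescript
// Added example for this issue, not code from the conformance suite: scope
// selection and a bounded insufficient_scope step-up loop, run against a
// constructed fake resource server so it works offline. The "tok:<scopes>"
// token format and the hostnames are assumptions.

export interface ProtectedResourceMetadata { scopes_supported?: string[] } // only the field used here
export interface Challenge { scheme: string; params: Record<string, string> }
export interface HttpResponse { status: number; headers: Record<string, string> } // lower-cased names
export interface StepUpResult { status: number; scopeRequests: (string | undefined)[]; error?: string }

// Parse e.g. `Bearer realm="mcp", error="insufficient_scope", scope="a b"`.
// Quoted values may carry backslash escapes; bare tokens are accepted too.
export function parseWwwAuthenticate(header: string): Challenge {
  const m = /^\s*([A-Za-z][A-Za-z0-9._~+/-]*)\s*([\s\S]*)$/.exec(header);
  if (!m) throw new Error("malformed WWW-Authenticate header");
  const params: Record<string, string> = {};
  const re = /([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/g;
  let p: RegExpExecArray | null;
  while ((p = re.exec(m[2])) !== null) {
    params[p[1].toLowerCase()] = p[2] !== undefined ? p[2].replace(/\\(.)/g, "$1") : p[3];
  }
  return { scheme: m[1], params };
}

// Selection order from the requirements above: the challenge's scope
// parameter, else all of scopes_supported, else omit scope entirely.
export function selectScope(challenge: Challenge | undefined, prm: ProtectedResourceMetadata): string | undefined {
  const fromHeader = challenge ? (challenge.params["scope"] || "").trim() : "";
  if (fromHeader) return fromHeader;
  return prm.scopes_supported && prm.scopes_supported.length > 0 ? prm.scopes_supported.join(" ") : undefined;
}

// Union of two space-separated scope lists, order preserved, no duplicates.
function mergeScopes(a: string | undefined, b: string | undefined): string | undefined {
  const out: string[] = [];
  for (const s of ((a || "") + " " + (b || "")).split(/\s+/)) if (s && out.indexOf(s) < 0) out.push(s);
  return out.length > 0 ? out.join(" ") : undefined;
}

// Drive one request through 401/403 challenges. `send` does the HTTP call with
// the current bearer token (undefined before one exists); `obtainToken` stands
// in for the authorization-code flow. Every re-authorization after the first
// token counts against `maxRetries`, so a server that keeps answering
// insufficient_scope cannot trap the client in an endless step-up loop.
export function requestWithStepUp(
  send: (token: string | undefined) => HttpResponse,
  obtainToken: (scope: string | undefined) => string,
  prm: ProtectedResourceMetadata,
  maxRetries = 2,
): StepUpResult {
  const scopeRequests: (string | undefined)[] = [];
  let token: string | undefined;
  let scope: string | undefined;
  let retries = 0;
  for (;;) {
    const res = send(token);
    const hdr = res.headers["www-authenticate"];
    const challenge = hdr !== undefined ? parseWwwAuthenticate(hdr) : undefined;
    let wanted: string | undefined;
    if (res.status === 401) {
      wanted = selectScope(challenge, prm); // no token yet, or the token was rejected
    } else if (res.status === 403 && challenge && challenge.params["error"] === "insufficient_scope") {
      wanted = mergeScopes(scope, selectScope(challenge, prm)); // keep held scopes, add demanded ones
    } else {
      return { status: res.status, scopeRequests };
    }
    if (token !== undefined && retries++ >= maxRetries) {
      return { status: res.status, scopeRequests, error: "re-authorization limit reached" };
    }
    scope = wanted;
    scopeRequests.push(scope);
    token = obtainToken(scope);
  }
}

// Constructed fake resource server: grants are read straight from the token
// string. With `alwaysDeny` it answers 403 insufficient_scope forever.
export function fakeServer(required: string[], alwaysDeny = false): (token: string | undefined) => HttpResponse {
  const prmUrl = "https://rs.example/.well-known/oauth-protected-resource";
  return (token) => {
    if (token === undefined) return { status: 401, headers: { "www-authenticate": 'Bearer resource_metadata="' + prmUrl + '"' } };
    const granted = token.slice("tok:".length).split(" ");
    if (alwaysDeny || required.some((s) => granted.indexOf(s) < 0)) {
      return { status: 403, headers: { "www-authenticate": 'Bearer error="insufficient_scope", scope="' + required.join(" ") + '"' } };
    }
    return { status: 200, headers: {} };
  };
}

export const fakeObtainToken = (scope: string | undefined): string => "tok:" + (scope || "");

// Positive flow: 401 -> token for scopes_supported -> 403 insufficient_scope ->
// step-up -> 200. Negative flow: server never satisfied, retry limit ends it.
export function demo(): { ok: StepUpResult; capped: StepUpResult } {
  const prm: ProtectedResourceMetadata = { scopes_supported: ["files:read"] };
  const ok = requestWithStepUp(fakeServer(["files:read", "files:write"]), fakeObtainToken, prm);
  const capped = requestWithStepUp(fakeServer(["files:read"], true), fakeObtainToken, prm);
  return { ok, capped };
}
```

Two design points worth carrying into the scenarios: the step-up request asks for the union of the scopes already held and the scopes the challenge demands, so a narrowly scoped token is upgraded rather than swapped for one that loses earlier grants; and the retry counter covers every re-authorization after the first token (401s included), because a server that alternates 401 and 403 would otherwise bypass a limit that only counted insufficient_scope responses.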

Scenarios to Cover

Positive Tests

  1. Client correctly uses scope from WWW-Authenticate header
  2. Client falls back to scopes_supported when scope not in header
  3. Client handles HTTP 403 with insufficient_scope error
  4. Client performs step-up authorization flow successfully
  5. Client handles 401 on non-initialize requests

Negative Tests

  1. Client fails to include scope from WWW-Authenticate header
  2. Client requests excessive scopes beyond what's needed
  3. Client doesn't retry after insufficient_scope error
  4. Client enters infinite retry loop on scope challenges
  5. Client fails to handle 401 on non-initialize requests

Implementation Notes

  • Register spec references in src/scenarios/client/auth/spec-references.ts
  • Build on existing auth scenarios in src/scenarios/client/auth/
  • Follow patterns from basic-dcr.ts and basic-metadata.ts
  • Include at least one negative test scenario per requirement

Acceptance Criteria

  • Test scenarios cover scope selection strategy per spec
  • Test scenarios cover scope challenge handling per spec
  • Tests validate 401 response handling on non-initialize requests
  • Tests verify client can complete scope challenge flow
  • At least one negative test included for each major requirement
  • Spec references registered in check definitions file
  • All checks properly documented and follow existing patterns
