feat (auth): add sep-2207 client checks (#166)

* feat: add sep-2207 client checks

* Update description for the offline access test

Co-authored-by: Paul Carleton <paulcarletonjr@gmail.com>

---------

Co-authored-by: Paul Carleton <paulcarletonjr@gmail.com>

Author: wdawson

examples/clients/typescript/everything-client.ts

@@ -146,7 +146,10 @@ registerScenarios(
     'auth/token-endpoint-auth-post',
     'auth/token-endpoint-auth-none',
     // Resource mismatch (client should error when PRM resource doesn't match)
-    'auth/resource-mismatch'
+    'auth/resource-mismatch',
+    // SEP-2207: Offline access / refresh token guidance (draft)
+    'auth/offline-access-scope',
+    'auth/offline-access-not-supported'
   ],
   runAuthClient
 );

src/index.ts

@@ -20,6 +20,7 @@ import {
   listCoreScenarios,
   listExtensionScenarios,
   listBackcompatScenarios,
+  listDraftScenarios,
   listScenariosForSpec,
   listClientScenariosForSpec,
   getScenarioSpecVersions,
@@ -112,6 +113,7 @@ program
           backcompat: listBackcompatScenarios,
           auth: listAuthScenarios,
           metadata: listMetadataScenarios,
+          draft: listDraftScenarios,
           'sep-835': () =>
             listAuthScenarios().filter((name) => name.startsWith('auth/scope-'))
         };
@@ -230,7 +232,7 @@ program
         console.error('\nAvailable client scenarios:');
         listScenarios().forEach((s) => console.error(`  - ${s}`));
         console.error(
-          '\nAvailable suites: all, core, extensions, backcompat, auth, metadata, sep-835'
+          '\nAvailable suites: all, core, extensions, backcompat, auth, metadata, draft, sep-835'
         );
         process.exit(1);
       }

src/scenarios/client/auth/index.test.ts

@@ -1,4 +1,8 @@
-import { authScenariosList, backcompatScenariosList } from './index';
+import {
+  authScenariosList,
+  backcompatScenariosList,
+  draftScenariosList
+} from './index';
 import {
   runClientAgainstScenario,
   InlineClientRunner
@@ -61,6 +65,21 @@ describe('Client Back-compat Scenarios', () => {
   }
 });
 
+describe('Client Draft Scenarios', () => {
+  for (const scenario of draftScenariosList) {
+    test(`${scenario.name} passes`, async () => {
+      const clientFn = getHandler(scenario.name);
+      if (!clientFn) {
+        throw new Error(`No handler registered for scenario: ${scenario.name}`);
+      }
+      const runner = new InlineClientRunner(clientFn);
+      await runClientAgainstScenario(runner, scenario.name, {
+        allowClientError: allowClientErrorScenarios.has(scenario.name)
+      });
+    });
+  }
+});
+
 describe('Negative tests', () => {
   test('bad client requests root PRM location', async () => {
     const runner = new InlineClientRunner(badPrmClient);

src/scenarios/client/auth/index.ts

@@ -24,6 +24,10 @@ import {
 import { ResourceMismatchScenario } from './resource-mismatch';
 import { PreRegistrationScenario } from './pre-registration';
 import { CrossAppAccessCompleteFlowScenario } from './cross-app-access';
+import {
+  OfflineAccessScopeScenario,
+  OfflineAccessNotSupportedScenario
+} from './offline-access';
 
 // Auth scenarios (required for tier 1)
 export const authScenariosList: Scenario[] = [
@@ -37,7 +41,6 @@ export const authScenariosList: Scenario[] = [
   new ClientSecretBasicAuthScenario(),
   new ClientSecretPostAuthScenario(),
   new PublicClientAuthScenario(),
-  new ResourceMismatchScenario(),
   new PreRegistrationScenario()
 ];
 
@@ -53,3 +56,10 @@ export const extensionScenariosList: Scenario[] = [
   new ClientCredentialsBasicScenario(),
   new CrossAppAccessCompleteFlowScenario()
 ];
+
+// Draft scenarios (informational - not scored for tier assessment)
+export const draftScenariosList: Scenario[] = [
+  new ResourceMismatchScenario(),
+  new OfflineAccessScopeScenario(),
+  new OfflineAccessNotSupportedScenario()
+];