All Scenarios

154

Passed Scenarios

149

Failed Scenarios

0

Undefined Scenarios

5

Execution Time: 4s 141ms

Expand All | Collapse All

Feature:Admin GDPR User Deletion 9ms 5

As a system administrator
I want to delete users and their sessions for GDPR compliance
So that I can fulfill data erasure requests

@admin @gdpr
Scenario:
Admin successfully deletes user and sessions
3ms 15

Given the ID Gateway is running < 1ms

When I initiate authorization with email "gdpr-delete@example.com" and scopes "openid" < 1ms

Then the response status should be 200 < 1ms

And I save the authorization code < 1ms

When I exchange the authorization code for tokens < 1ms

Then the response status should be 200 < 1ms

And the response should contain "access_token" < 1ms

When I request user info with the access token < 1ms

Then the response status should be 200 < 1ms

And the response field "email" should equal "gdpr-delete@example.com" < 1ms

And I save the user ID from the userinfo response < 1ms

When I delete the user via admin API < 1ms

Then the response status should be 204 < 1ms

When I attempt to get user info with the saved access token < 1ms

Then the response status should be 401 < 1ms

@admin @gdpr @validation
Scenario:
Admin deletion with invalid user ID returns 400
< 1ms 4

Given the ID Gateway is running < 1ms

When I attempt to delete user with ID "invalid-uuid" via admin API < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "bad_request" < 1ms

@admin @gdpr @validation
Scenario:
Admin deletion with non-existent user ID returns 404
< 1ms 4

Given the ID Gateway is running < 1ms

When I attempt to delete user with ID "11111111-1111-1111-1111-111111111111" via admin API < 1ms

Then the response status should be 404 < 1ms

And the response field "error" should equal "not_found" < 1ms

@admin @gdpr @security
Scenario:
Admin deletion without admin token returns 401
3ms 12

Given the ID Gateway is running < 1ms

When I initiate authorization with email "unauthorized-delete@example.com" and scopes "openid" < 1ms

Then the response status should be 200 < 1ms

And I save the authorization code < 1ms

When I exchange the authorization code for tokens 1ms

Then the response status should be 200 < 1ms

When I request user info with the access token < 1ms

Then the response status should be 200 < 1ms

And I save the user ID from the userinfo response < 1ms

When I delete the user via admin API with token "" < 1ms

Then the response status should be 401 < 1ms

And the response field "error" should equal "unauthorized" < 1ms

@admin @gdpr @security
Scenario:
Admin deletion with wrong admin token returns 401
1ms 12

Given the ID Gateway is running < 1ms

When I initiate authorization with email "wrong-token-delete@example.com" and scopes "openid" < 1ms

Then the response status should be 200 < 1ms

And I save the authorization code < 1ms

When I exchange the authorization code for tokens < 1ms

Then the response status should be 200 < 1ms

When I request user info with the access token < 1ms

Then the response status should be 200 < 1ms

And I save the user ID from the userinfo response < 1ms

When I delete the user via admin API with token "wrong-admin-token" < 1ms

Then the response status should be 401 < 1ms

And the response field "error" should equal "unauthorized" < 1ms

Feature:Consent Management 2s 74ms 28

As an authenticated user
I want to manage my consent for different purposes
So that I can control how my data is processed

@consent @normal
Scenario:
Grant consent for multiple purposes
1ms 9

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" < 1ms

When I grant consent for purposes "login,registry_check,vc_issuance" < 1ms

Then the response status should be 200 < 1ms

And the response should contain "granted" < 1ms

And the response field "message" should contain "Consent granted for 3 purposes" < 1ms

And each granted consent should have "status" equal to "active" < 1ms

And each granted consent should have "granted_at" < 1ms

And each granted consent should have "expires_at" < 1ms

@consent @normal
Scenario:
List all consents
1ms 7

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" 1ms

Given I grant consent for purposes "login,registry_check" < 1ms

When I list my consents < 1ms

Then the response status should be 200 < 1ms

And the response should contain "consents" < 1ms

And the response should contain at least 2 consent records < 1ms

@consent @normal
Scenario:
Revoke specific consent
2ms 9

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" < 1ms

Given I grant consent for purposes "login,registry_check,vc_issuance" < 1ms

When I revoke consent for purposes "registry_check" < 1ms

Then the response status should be 200 < 1ms

And the response should contain "revoked" < 1ms

And the response field "message" should contain "Consent revoked for 1 purpose" < 1ms

And the revoked consent should have "status" equal to "revoked" < 1ms

And the revoked consent should have "revoked_at" < 1ms

@consent @normal
Scenario:
List consents shows correct statuses after revocation
2ms 8

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" < 1ms

Given I grant consent for purposes "login,registry_check" < 1ms

And I revoke consent for purposes "registry_check" < 1ms

When I list my consents < 1ms

Then the response status should be 200 < 1ms

And the consent for purpose "login" should have status "active" < 1ms

And the consent for purpose "registry_check" should have status "revoked" < 1ms

@consent @normal
Scenario:
Re-grant previously revoked consent
2ms 8

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" 1ms

Given I grant consent for purposes "login" < 1ms

And I revoke consent for purposes "login" < 1ms

When I grant consent for purposes "login" < 1ms

Then the response status should be 200 < 1ms

And the consent for purpose "login" should have status "active" < 1ms

And the consent should have a new "granted_at" timestamp < 1ms

@consent @validation
Scenario:
Grant consent without authentication
2ms 5

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" 1ms

When I grant consent for purposes "login" without authentication 1ms

Then the response status should be 401 < 1ms

And the response field "error" should equal "unauthorized" < 1ms

@consent @validation
Scenario:
Grant consent with empty purposes array
1ms 5

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" < 1ms

When I POST to "/v1/auth/consent" with empty purposes array < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "validation_error" < 1ms

@consent @validation
Scenario:
Grant consent with invalid purpose
2ms 5

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" < 1ms

When I grant consent for purposes "invalid_purpose" 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "validation_error" < 1ms

@consent @validation
Scenario:
Revoke consent without authentication
1ms 5

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" < 1ms

When I revoke consent for purposes "login" without authentication < 1ms

Then the response status should be 401 < 1ms

And the response field "error" should equal "unauthorized" < 1ms

@consent @validation
Scenario:
Revoke consent with invalid purpose
1ms 5

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" < 1ms

When I revoke consent for purposes "invalid_purpose" < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "validation_error" < 1ms

@consent @validation
Scenario:
List consents without authentication
1ms 5

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" < 1ms

When I GET "/v1/auth/consent" without authorization < 1ms

Then the response status should be 401 < 1ms

And the response field "error" should equal "unauthorized" < 1ms

@consent @idempotency
Scenario:
Revoke already revoked consent is idempotent
2ms 6

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" < 1ms

Given I grant consent for purposes "login" < 1ms

And I revoke consent for purposes "login" < 1ms

When I revoke consent for purposes "login" < 1ms

Then the response status should be 200 < 1ms

@consent @idempotency
Scenario:
Grant consent renews existing active consent
2s 2ms 8

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" < 1ms

Given I grant consent for purposes "login" < 1ms

And I wait 2 seconds 2s

When I grant consent for purposes "login" < 1ms

Then the response status should be 200 < 1ms

And the consent should have a new "granted_at" timestamp < 1ms

And the consent should have a new "expires_at" timestamp < 1ms

@consent @filter
Scenario:
Filter consents by status - active only
3ms 9

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" < 1ms

Given I delete all my consents < 1ms

And I grant consent for purposes "login,registry_check" < 1ms

And I revoke consent for purposes "registry_check" < 1ms

When I list my consents filtered by status "active" 1ms

Then the response status should be 200 < 1ms

And all consents should have status "active" < 1ms

And the response should contain 1 consent records < 1ms

@consent @filter
Scenario:
Filter consents by status - revoked only
2ms 9

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" < 1ms

Given I delete all my consents < 1ms

And I grant consent for purposes "login,registry_check" < 1ms

And I revoke consent for purposes "registry_check" < 1ms

When I list my consents filtered by status "revoked" < 1ms

Then the response status should be 200 < 1ms

And all consents should have status "revoked" < 1ms

And the response should contain 1 consent records < 1ms

@consent @filter
Scenario:
Filter consents by purpose
2ms 8

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" < 1ms

Given I delete all my consents < 1ms

And I grant consent for purposes "login,registry_check,vc_issuance" < 1ms

When I list my consents filtered by purpose "login" < 1ms

Then the response status should be 200 < 1ms

And all consents should have purpose "login" < 1ms

And the response should contain 1 consent records < 1ms

@consent @filter
Scenario:
Filter consents by status and purpose combined
3ms 9

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" 1ms

Given I delete all my consents < 1ms

And I grant consent for purposes "login,registry_check" < 1ms

And I revoke consent for purposes "login" < 1ms

When I list my consents filtered by status "active" and purpose "registry_check" < 1ms

Then the response status should be 200 < 1ms

And all consents should have status "active" < 1ms

And all consents should have purpose "registry_check" < 1ms

@consent @filter @validation
Scenario:
Filter with invalid status returns error
1ms 5

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" < 1ms

When I list my consents filtered by status "invalid_status" < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "validation_error" < 1ms

@consent @filter @validation
Scenario:
Filter with invalid purpose returns error
1ms 5

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" < 1ms

When I list my consents filtered by purpose "invalid_purpose" < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "validation_error" < 1ms

@consent @purposes
Scenario:
Grant consent for all four purposes
2ms 9

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" < 1ms

When I grant consent for purposes "login,registry_check,vc_issuance,decision_evaluation" < 1ms

Then the response status should be 200 < 1ms

And the response field "message" should contain "Consent granted for 4 purposes" < 1ms

And the consent for purpose "login" should have status "active" < 1ms

And the consent for purpose "registry_check" should have status "active" < 1ms

And the consent for purpose "vc_issuance" should have status "active" < 1ms

And the consent for purpose "decision_evaluation" should have status "active" < 1ms

@consent @purposes
Scenario:
Grant and revoke decision_evaluation consent
2ms 8

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" < 1ms

Given I grant consent for purposes "decision_evaluation" < 1ms

When I revoke consent for purposes "decision_evaluation" < 1ms

Then the response status should be 200 < 1ms

And the revoked consent should have "status" equal to "revoked" < 1ms

When I list my consents < 1ms

Then the consent for purpose "decision_evaluation" should have status "revoked" < 1ms

@consent @purposes
Scenario:
Re-grant decision_evaluation after revocation
2ms 7

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" < 1ms

Given I grant consent for purposes "decision_evaluation" < 1ms

And I revoke consent for purposes "decision_evaluation" < 1ms

When I grant consent for purposes "decision_evaluation" < 1ms

Then the response status should be 200 < 1ms

And the consent for purpose "decision_evaluation" should have status "active" < 1ms

@consent @edge
Scenario:
Revoke non-existent consent is idempotent
1ms 4

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" < 1ms

When I revoke consent for purposes "vc_issuance" < 1ms

Then the response status should be 200 < 1ms

@consent @edge
Scenario:
List consents when none granted returns empty array
2ms 7

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" < 1ms

Given I am authenticated as "fresh-consent-user@example.com" < 1ms

When I list my consents < 1ms

Then the response status should be 200 < 1ms

And the response should contain "consents" < 1ms

And the response should contain 0 consent records < 1ms

@consent @gdpr
Scenario:
Delete all consents removes all records
3ms 10

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" < 1ms

Given I am authenticated as "gdpr-delete-test@example.com" < 1ms

And I grant consent for purposes "login,registry_check,vc_issuance" < 1ms

When I delete all my consents < 1ms

Then the response status should be 200 < 1ms

And the response field "message" should equal "All consents deleted" < 1ms

When I list my consents < 1ms

Then the response status should be 200 < 1ms

And the response should contain 0 consent records < 1ms

@consent @gdpr
Scenario:
Delete all consents removes both active and revoked records
4ms 10

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" < 1ms

Given I am authenticated as "gdpr-mixed-test@example.com" < 1ms

And I grant consent for purposes "login,registry_check" < 1ms

And I revoke consent for purposes "registry_check" 1ms

When I delete all my consents < 1ms

Then the response status should be 200 < 1ms

When I list my consents < 1ms

Then the response status should be 200 < 1ms

And the response should contain 0 consent records < 1ms

@consent @gdpr @validation
Scenario:
Delete all consents without authentication
1ms 5

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" < 1ms

When I DELETE "/v1/auth/consent" without authorization < 1ms

Then the response status should be 401 < 1ms

And the response field "error" should equal "unauthorized" < 1ms

@consent @enforcement
Scenario:
Operations requiring consent fail when consent revoked
14ms 10

Given the ID Gateway is running < 1ms

And I am authenticated as "consent-test@example.com" < 1ms

Given I am authenticated as "enforcement-test@example.com" < 1ms

And I have granted consent for purposes "registry_check" < 1ms

When I lookup citizen record for national_id "ENFORCE123" 11ms

Then the response status should be 200 < 1ms

When I revoke consent for purposes "registry_check" < 1ms

And I lookup citizen record for national_id "ENFORCE456" < 1ms

Then the response status should be 403 < 1ms

And the response field "error" should equal "invalid_consent" < 1ms

Feature:Decision Engine Evaluation 127ms 13

As an authenticated user
I want to evaluate identity decisions based on business rules
So that I can verify compliance requirements without handling PII

@decision @age-verification @normal
Scenario:
Age verification passes with conditions when no credential
13ms 12

Given the ID Gateway is running < 1ms

And I am authenticated as "decision-test@example.com" < 1ms

And I grant consent for purposes "decision_evaluation,registry_check" < 1ms

Given the citizen registry contains a record for "NOCRED123456" with birth date "1990-01-15" < 1ms

When I evaluate "age_verification" for national_id "NOCRED123456" 11ms

Then the response status should be 200 < 1ms

And the decision status should be "pass_with_conditions" < 1ms

And the decision reason should be "missing_credential" < 1ms

And the conditions should include "obtain_age_credential" < 1ms

And the evidence field "is_over_18" should be true < 1ms

And the evidence field "citizen_valid" should be true < 1ms

And the evidence field "has_credential" should be false < 1ms

@decision @age-verification @normal
Scenario:
Age verification passes with existing credential
24ms 15

Given the ID Gateway is running < 1ms

And I am authenticated as "decision-test@example.com" < 1ms

And I grant consent for purposes "decision_evaluation,registry_check" < 1ms

Given I am authenticated as "decision-with-vc@example.com" < 1ms

And I grant consent for purposes "decision_evaluation,registry_check,vc_issuance" < 1ms

And the citizen registry contains a record for "ADULT123456" with birth date "1990-01-15" < 1ms

And I request an AgeOver18 credential with national_id "ADULT123456" 10ms

When I evaluate "age_verification" for national_id "ADULT123456" 10ms

Then the response status should be 200 < 1ms

And the decision status should be "pass" < 1ms

And the decision reason should be "all_checks_passed" < 1ms

And the evidence field "is_over_18" should be true < 1ms

And the evidence field "citizen_valid" should be true < 1ms

And the evidence field "has_credential" should be true < 1ms

And the evidence field "sanctions_listed" should be false < 1ms

@decision @age-verification @failure
Scenario:
Age verification fails when user is sanctioned (Rule 1)
12ms 10

Given the ID Gateway is running < 1ms

And I am authenticated as "decision-test@example.com" < 1ms

And I grant consent for purposes "decision_evaluation,registry_check" < 1ms

Given the citizen registry contains a record for "SANCTIONED123" with birth date "1990-01-15" < 1ms

And the sanctions registry marks "SANCTIONED123" as listed < 1ms

When I evaluate "age_verification" for national_id "SANCTIONED123" 11ms

Then the response status should be 200 < 1ms

And the decision status should be "fail" < 1ms

And the decision reason should be "sanctioned" < 1ms

And the evidence field "sanctions_listed" should be true < 1ms

@decision @age-verification @failure
Scenario:
Age verification fails when citizen record is invalid (Rule 2)
13ms 9

Given the ID Gateway is running < 1ms

And I am authenticated as "decision-test@example.com" < 1ms

And I grant consent for purposes "decision_evaluation,registry_check" < 1ms

Given the citizen registry contains an invalid record for "INVALID123456" < 1ms

When I evaluate "age_verification" for national_id "INVALID123456" 11ms

Then the response status should be 200 < 1ms

And the decision status should be "fail" < 1ms

And the decision reason should be "invalid_citizen" < 1ms

And the evidence field "citizen_valid" should be false < 1ms

@decision @age-verification @failure
Scenario:
Age verification fails when user is underage (Rule 3)
12ms 10

Given the ID Gateway is running < 1ms

And I am authenticated as "decision-test@example.com" < 1ms

And I grant consent for purposes "decision_evaluation,registry_check" < 1ms

Given the citizen registry contains a record for "MINOR123456" with birth date making them 16 years old < 1ms

When I evaluate "age_verification" for national_id "MINOR123456" 11ms

Then the response status should be 200 < 1ms

And the decision status should be "fail" < 1ms

And the decision reason should be "underage" < 1ms

And the evidence field "is_over_18" should be false < 1ms

And the evidence field "citizen_valid" should be true < 1ms

@decision @age-verification @edge
Scenario:
Age verification passes for user exactly 18 years old
12ms 8

Given the ID Gateway is running < 1ms

And I am authenticated as "decision-test@example.com" < 1ms

And I grant consent for purposes "decision_evaluation,registry_check" < 1ms

Given the citizen registry contains a record for "EXACT18" with birth date making them exactly 18 years old < 1ms

When I evaluate "age_verification" for national_id "EXACT18" 11ms

Then the response status should be 200 < 1ms

And the decision status should be "pass_with_conditions" < 1ms

And the evidence field "is_over_18" should be true < 1ms

@decision @sanctions @normal
Scenario:
Sanctions screening passes when not listed
13ms 9

Given the ID Gateway is running < 1ms

And I am authenticated as "decision-test@example.com" 1ms

And I grant consent for purposes "decision_evaluation,registry_check" < 1ms

Given the citizen registry contains a record for "CLEAN123456" with birth date "1990-01-15" < 1ms

When I evaluate "sanctions_screening" for national_id "CLEAN123456" 10ms

Then the response status should be 200 < 1ms

And the decision status should be "pass" < 1ms

And the decision reason should be "not_sanctioned" < 1ms

And the evidence field "sanctions_listed" should be false < 1ms

@decision @sanctions @failure
Scenario:
Sanctions screening fails when listed
12ms 9

Given the ID Gateway is running < 1ms

And I am authenticated as "decision-test@example.com" < 1ms

And I grant consent for purposes "decision_evaluation,registry_check" < 1ms

Given the sanctions registry marks "SANCTIONED999" as listed < 1ms

When I evaluate "sanctions_screening" for national_id "SANCTIONED999" 11ms

Then the response status should be 200 < 1ms

And the decision status should be "fail" < 1ms

And the decision reason should be "sanctioned" < 1ms

And the evidence field "sanctions_listed" should be true < 1ms

@decision @consent @failure
Scenario:
Evaluation fails without decision_evaluation consent
2ms 6

Given the ID Gateway is running < 1ms

And I am authenticated as "decision-test@example.com" < 1ms

And I grant consent for purposes "decision_evaluation,registry_check" < 1ms

Given I have revoked consent for purposes "decision_evaluation" < 1ms

When I evaluate "age_verification" for national_id "TEST123456" < 1ms

Then the response status should be 403 < 1ms

@decision @validation
Scenario:
Evaluation fails with invalid purpose
1ms 6

Given the ID Gateway is running < 1ms

And I am authenticated as "decision-test@example.com" < 1ms

And I grant consent for purposes "decision_evaluation,registry_check" < 1ms

When I evaluate "invalid_purpose" for national_id "TEST123456" < 1ms

Then the response status should be 400 < 1ms

And the response should contain "unsupported purpose" < 1ms

@decision @validation
Scenario:
Evaluation fails without national_id
3ms 6

Given the ID Gateway is running < 1ms

And I am authenticated as "decision-test@example.com" 2ms

And I grant consent for purposes "decision_evaluation,registry_check" < 1ms

When I evaluate "age_verification" without national_id < 1ms

Then the response status should be 400 < 1ms

And the response should contain "national_id is required" < 1ms

@decision @validation
Scenario:
Evaluation fails without authentication
1ms 5

Given the ID Gateway is running < 1ms

And I am authenticated as "decision-test@example.com" < 1ms

And I grant consent for purposes "decision_evaluation,registry_check" < 1ms

When I evaluate "age_verification" for national_id "TEST123456" without authentication < 1ms

Then the response status should be 401 < 1ms

@decision @validation
Scenario:
Evaluation fails with empty purpose
1ms 6

Given the ID Gateway is running < 1ms

And I am authenticated as "decision-test@example.com" < 1ms

And I grant consent for purposes "decision_evaluation,registry_check" < 1ms

When I evaluate "" for national_id "TEST123456" < 1ms

Then the response status should be 400 < 1ms

And the response should contain "purpose is required" < 1ms

Feature:OAuth2 Authorization Code Flow - Normal Path 9ms 10

As a client application
I want to authenticate users via OAuth2
So that I can access protected resources

@normal
Scenario:
Complete OAuth2 authorization code flow
2ms 17

Given the ID Gateway is running < 1ms

When I initiate authorization with email "test@example.com" and scopes "openid,profile" < 1ms

Then the response status should be 200 < 1ms

And the response should contain an authorization code < 1ms

And the response field "redirect_uri" should contain "code=" < 1ms

And the response field "redirect_uri" should contain "state=" < 1ms

And I save the authorization code < 1ms

When I exchange the authorization code for tokens < 1ms

Then the response status should be 200 < 1ms

And the response should contain "access_token" < 1ms

And the response should contain "id_token" < 1ms

And the response should contain "refresh_token" < 1ms

And the response should contain "expires_in" < 1ms

When I request user info with the access token < 1ms

Then the response status should be 200 < 1ms

And the response should contain "email" < 1ms

And the response field "email" should equal "test@example.com" < 1ms

@normal @scope
Scenario:
Scope downgrade - requesting subset of allowed scopes succeeds
1ms 8

Given the ID Gateway is running < 1ms

When I initiate authorization with email "scope-downgrade@example.com" and scopes "openid" < 1ms

Then the response status should be 200 < 1ms

And the response should contain an authorization code < 1ms

And I save the authorization code < 1ms

When I exchange the authorization code for tokens < 1ms

Then the response status should be 200 < 1ms

And the response should contain "access_token" < 1ms

@normal @scope
Scenario:
Default scope applied when scopes omitted
1ms 8

Given the ID Gateway is running < 1ms

When I initiate authorization with email "default-scope@example.com" without scopes < 1ms

Then the response status should be 200 < 1ms

And the response should contain an authorization code < 1ms

And I save the authorization code < 1ms

When I exchange the authorization code for tokens < 1ms

Then the response status should be 200 < 1ms

And the response field "scope" should equal "openid" < 1ms

@normal @validation
Scenario:
Authorization request validation - missing required fields
< 1ms 4

Given the ID Gateway is running < 1ms

When I POST to "/v1/auth/authorize" with empty body < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "validation_error" < 1ms

@normal @validation
Scenario:
Authorization request validation - invalid email
< 1ms 4

Given the ID Gateway is running < 1ms

When I POST to "/v1/auth/authorize" with invalid email "not-an-email" < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "validation_error" < 1ms

@normal @validation
Scenario:
Token exchange validation - invalid authorization code (RFC 6749 §5.2)
< 1ms 4

Given the ID Gateway is running < 1ms

When I exchange invalid authorization code "invalid-code-12345" < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "invalid_grant" < 1ms

@normal @validation
Scenario:
Token exchange validation - invalid grant type
< 1ms 4

Given the ID Gateway is running < 1ms

When I POST to "/v1/auth/token" with grant_type "password" < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "bad_request" < 1ms

@normal @validation
Scenario:
Authorization code reuse prevention (RFC 6749 §5.2)
2ms 9

Given the ID Gateway is running < 1ms

When I initiate authorization with email "reuse-test@example.com" and scopes "openid" < 1ms

Then the response status should be 200 < 1ms

And I save the authorization code < 1ms

When I exchange the authorization code for tokens < 1ms

Then the response status should be 200 < 1ms

When I attempt to reuse the same authorization code < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "invalid_grant" < 1ms

@normal @validation
Scenario:
UserInfo endpoint - missing authorization header
< 1ms 4

Given the ID Gateway is running < 1ms

When I GET "/v1/auth/userinfo" without authorization < 1ms

Then the response status should be 401 < 1ms

And the response field "error" should equal "unauthorized" < 1ms

@normal @validation
Scenario:
UserInfo endpoint - invalid bearer token
< 1ms 4

Given the ID Gateway is running < 1ms

When I GET "/v1/auth/userinfo" with invalid token "invalid-token-xyz" < 1ms

Then the response status should be 401 < 1ms

And the response field "error" should equal "unauthorized" < 1ms

Feature:OAuth2 Security - Client and Tenant Validation 7ms 8

As a security engineer
I want to validate that unknown and invalid clients are rejected
So that the authorization server only serves registered clients

@security @client-validation
Scenario:
Unknown client_id rejected (RFC 6749 §4.1.2.1)
< 1ms 4

Given the ID Gateway is running < 1ms

When I request authorization with unknown client_id "unknown-client-xyz" < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "invalid_client" < 1ms

@security @client-validation
Scenario:
Empty client_id rejected
< 1ms 4

Given the ID Gateway is running < 1ms

When I request authorization with empty client_id < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "validation_error" < 1ms

@security @client-validation
Scenario:
Redirect URI not in allowlist rejected
< 1ms 4

Given the ID Gateway is running < 1ms

When I initiate authorization with email "redirect-uri-invalid@example.com" and scopes "openid" and redirect uri "http://evil.example.com/callback" < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "bad_request" < 1ms

@security @client-validation
Scenario:
Requested scopes outside client allowlist rejected
< 1ms 4

Given the ID Gateway is running < 1ms

When I initiate authorization with email "scope-invalid@example.com" and scopes "openid,admin" < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "bad_request" < 1ms

@security @revocation
Scenario:
Revocation with forged JWT signature returns 200 (RFC 7009)
< 1ms 5

Given the ID Gateway is running < 1ms

Given a JWT with invalid signature "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.invalid_signature" < 1ms

When I revoke the forged token < 1ms

Then the response status should be 200 < 1ms

And the response field "revoked" should equal "true" < 1ms

@security @revocation
Scenario:
Revocation with expired but valid-signature JWT succeeds
1ms 11

Given the ID Gateway is running < 1ms

When I initiate authorization with email "expired-revoke@example.com" and scopes "openid" < 1ms

Then the response status should be 200 < 1ms

And I save the authorization code < 1ms

When I exchange the authorization code for tokens < 1ms

Then the response status should be 200 < 1ms

And I save the tokens from the response < 1ms

When I wait for the access token to expire < 1ms

And I revoke the expired access token < 1ms

Then the response status should be 200 < 1ms

And the response field "revoked" should equal "true" < 1ms

@security @device-binding
Scenario:
Device ID is assigned during authorization
< 1ms 5

Given the ID Gateway is running < 1ms

When I initiate authorization with email "device-test@example.com" and scopes "openid" < 1ms

Then the response status should be 200 < 1ms

And the response should contain "device_id" < 1ms

And the response field "device_id" should not be empty < 1ms

@security @device-binding
Scenario:
Device ID persists across token refresh
2ms 14

Given the ID Gateway is running < 1ms

When I initiate authorization with email "device-persist@example.com" and scopes "openid" < 1ms

Then the response status should be 200 < 1ms

And the response should contain "device_id" < 1ms

And I save the device id from the response < 1ms

And I save the authorization code < 1ms

When I exchange the authorization code for tokens < 1ms

Then the response status should be 200 < 1ms

And I save the tokens from the response < 1ms

When I refresh tokens with the saved refresh token < 1ms

Then the response status should be 200 < 1ms

When I list sessions with the saved access token < 1ms

Then the response status should be 200 < 1ms

And the session should have the same device id < 1ms

Feature:Registry Integration - Citizen and Sanctions Lookup 143ms 18 2

As an authenticated user with proper consent
I want to lookup citizen records and check sanctions status
So that identity verification and AML/CTF compliance can be performed

@registry @citizen @cache
Scenario:
Repeated citizen lookups use cache
13ms 9

Given the ID Gateway is running < 1ms

And I am authenticated as "registry-test@example.com" < 1ms

And I have granted consent for purposes "registry_check" < 1ms

When I lookup citizen record for national_id "CACHED123456" 11ms

Then the response status should be 200 < 1ms

And I note the "checked_at" timestamp < 1ms

When I lookup citizen record for national_id "CACHED123456" again within 1 second < 1ms

Then the response status should be 200 < 1ms

And the "checked_at" timestamp should be unchanged < 1ms

@registry @sanctions @normal
Scenario:
Successful sanctions check - not listed
1ms 12

Given the ID Gateway is running < 1ms

And I am authenticated as "registry-test@example.com" < 1ms

And I have granted consent for purposes "registry_check" < 1ms

When I check sanctions for national_id "CLEAN123456" < 1ms

Then the response status should be 200 < 1ms

And the response should contain "national_id" < 1ms

And the response should contain "listed" < 1ms

And the response should contain "source" < 1ms

And the response should contain "checked_at" < 1ms

And the response field "national_id" should equal "CLEAN123456" < 1ms

And the response field "listed" should equal false < 1ms

And the response field "source" should not be empty < 1ms

@registry @sanctions @normal
Scenario:
Sanctions check - user is listed
12ms 7

Given the ID Gateway is running < 1ms

And I am authenticated as "registry-test@example.com" < 1ms

And I have granted consent for purposes "registry_check" < 1ms

When I check sanctions for national_id "SANCTIONED99" 11ms

Then the response status should be 200 < 1ms

And the response field "listed" should equal true < 1ms

And the response field "source" should not be empty < 1ms

@registry @combined @normal
Scenario:
Perform both citizen and sanctions lookups for same ID
23ms 9

Given the ID Gateway is running < 1ms

And I am authenticated as "registry-test@example.com" < 1ms

And I have granted consent for purposes "registry_check" < 1ms

When I lookup citizen record for national_id "COMBINED123" 10ms

Then the response status should be 200 < 1ms

And the response field "valid" should equal true < 1ms

When I check sanctions for national_id "COMBINED123" 10ms

Then the response status should be 200 < 1ms

And the response field "listed" should equal false < 1ms

@registry @citizen @validation
Scenario:
Citizen lookup without authentication
1ms 6

Given the ID Gateway is running < 1ms

And I am authenticated as "registry-test@example.com" < 1ms

And I have granted consent for purposes "registry_check" < 1ms

When I lookup citizen record for national_id "TEST123456" without authentication < 1ms

Then the response status should be 401 < 1ms

And the response field "error" should equal "unauthorized" < 1ms

@registry @citizen @validation
Scenario:
Citizen lookup without consent
2ms 7

Given the ID Gateway is running < 1ms

And I am authenticated as "registry-test@example.com" < 1ms

And I have granted consent for purposes "registry_check" < 1ms

Given I revoke consent for purposes "registry_check" < 1ms

When I lookup citizen record for national_id "TEST123456" < 1ms

Then the response status should be 403 < 1ms

And the response field "error" should equal "invalid_consent" < 1ms

@registry @citizen @validation
Scenario:
Citizen lookup with empty national_id
1ms 3 1 2

Given the ID Gateway is running < 1ms

And I am authenticated as "registry-test@example.com" < 1ms

And I have granted consent for purposes "registry_check" < 1ms

When I POST to "/registry/citizen" with empty national_id 0s 

Then(/^I POST to "([^"]*)" with empty national_id$/, function(arg1, callback) {
  // Write code here that turns the phrase above into concrete actions
  callback(null, 'pending');
});

Then the response status should be 400 0s

And the response field "error" should equal "bad_request" 0s

@registry @citizen @validation
Scenario:
Citizen lookup with invalid national_id format
1ms 7

Given the ID Gateway is running < 1ms

And I am authenticated as "registry-test@example.com" < 1ms

And I have granted consent for purposes "registry_check" < 1ms

When I lookup citizen record for national_id "invalid!" < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "bad_request" < 1ms

And the response field "error_description" should contain "invalid format" < 1ms

@registry @citizen @validation
Scenario:
Citizen lookup with national_id too short
1ms 6

Given the ID Gateway is running < 1ms

And I am authenticated as "registry-test@example.com" < 1ms

And I have granted consent for purposes "registry_check" < 1ms

When I lookup citizen record for national_id "ABC" < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "bad_request" < 1ms

@registry @citizen @validation
Scenario:
Citizen lookup with national_id too long
1ms 6

Given the ID Gateway is running < 1ms

And I am authenticated as "registry-test@example.com" < 1ms

And I have granted consent for purposes "registry_check" < 1ms

When I lookup citizen record for national_id "ABCDEFGHIJKLMNOPQRSTUVWXYZ123456" < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "bad_request" < 1ms

@registry @sanctions @validation
Scenario:
Sanctions check without authentication
1ms 6

Given the ID Gateway is running < 1ms

And I am authenticated as "registry-test@example.com" < 1ms

And I have granted consent for purposes "registry_check" < 1ms

When I check sanctions for national_id "TEST123456" without authentication < 1ms

Then the response status should be 401 < 1ms

And the response field "error" should equal "unauthorized" < 1ms

@registry @sanctions @validation
Scenario:
Sanctions check without consent
2ms 7

Given the ID Gateway is running < 1ms

And I am authenticated as "registry-test@example.com" < 1ms

And I have granted consent for purposes "registry_check" < 1ms

Given I revoke consent for purposes "registry_check" < 1ms

When I check sanctions for national_id "TEST123456" < 1ms

Then the response status should be 403 < 1ms

And the response field "error" should equal "invalid_consent" < 1ms

@registry @sanctions @validation
Scenario:
Sanctions check with empty national_id
1ms 3 1 2

Given the ID Gateway is running < 1ms

And I am authenticated as "registry-test@example.com" < 1ms

And I have granted consent for purposes "registry_check" < 1ms

When I POST to "/registry/sanctions" with empty national_id 0s 

Then(/^I POST to "([^"]*)" with empty national_id$/, function(arg1, callback) {
  // Write code here that turns the phrase above into concrete actions
  callback(null, 'pending');
});

Then the response status should be 400 0s

And the response field "error" should equal "bad_request" 0s

@registry @sanctions @validation
Scenario:
Sanctions check with invalid national_id format
1ms 6

Given the ID Gateway is running < 1ms

And I am authenticated as "registry-test@example.com" < 1ms

And I have granted consent for purposes "registry_check" < 1ms

When I check sanctions for national_id "invalid@#$" < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "bad_request" < 1ms

@registry @citizen @not-found
Scenario:
Citizen lookup for non-existent record returns 404
13ms 7

Given the ID Gateway is running < 1ms

And I am authenticated as "registry-test@example.com" 1ms

And I have granted consent for purposes "registry_check" < 1ms

When I lookup citizen record for national_id "NOTFOUND999" 10ms

Then the response status should be 404 < 1ms

And the response field "error" should equal "not_found" < 1ms

And the response field "error_description" should contain "not found" < 1ms

@registry @citizen @invalid-record
Scenario:
Citizen lookup returns valid false for inactive record
12ms 7

Given the ID Gateway is running < 1ms

And I am authenticated as "registry-test@example.com" < 1ms

And I have granted consent for purposes "registry_check" < 1ms

When I lookup citizen record for national_id "INVALID99999" 10ms

Then the response status should be 200 < 1ms

And the response field "valid" should equal false < 1ms

And the response should contain "checked_at" < 1ms

@registry @regulated
Scenario:
Citizen lookup in regulated mode returns minimized data
12ms 12

Given the ID Gateway is running < 1ms

And I am authenticated as "registry-test@example.com" < 1ms

And I have granted consent for purposes "registry_check" < 1ms

Given the system is running in regulated mode < 1ms

When I lookup citizen record for national_id "REGULATED123" 10ms

Then the response status should be 200 < 1ms

And the response should not contain "national_id" < 1ms

And the response should contain "valid" < 1ms

And the response should contain "checked_at" < 1ms

And the response should not contain "full_name" < 1ms

And the response should not contain "date_of_birth" < 1ms

And the response should not contain "address" < 1ms

@registry @performance
Scenario:
Cache hit has low latency
12ms 7

Given the ID Gateway is running < 1ms

And I am authenticated as "registry-test@example.com" < 1ms

And I have granted consent for purposes "registry_check" < 1ms

Given I lookup citizen record for national_id "PERF123456" 10ms

When I lookup citizen record for national_id "PERF123456" and measure latency < 1ms

Then the response status should be 200 < 1ms

And the response time should be less than 50 milliseconds < 1ms

@registry @idempotency
Scenario:
Multiple identical citizen lookups are idempotent
12ms 9

Given the ID Gateway is running < 1ms

And I am authenticated as "registry-test@example.com" < 1ms

And I have granted consent for purposes "registry_check" < 1ms

When I lookup citizen record for national_id "IDEM123456" 10ms

Then the response status should be 200 < 1ms

And I save the full response as "first_lookup" < 1ms

When I lookup citizen record for national_id "IDEM123456" < 1ms

Then the response status should be 200 < 1ms

And the response data should match "first_lookup" < 1ms

@registry @idempotency
Scenario:
Multiple identical sanctions checks are idempotent
12ms 9

Given the ID Gateway is running < 1ms

And I am authenticated as "registry-test@example.com" < 1ms

And I have granted consent for purposes "registry_check" < 1ms

When I check sanctions for national_id "IDEMSANC123" 10ms

Then the response status should be 200 < 1ms

And I save the full response as "first_check" < 1ms

When I check sanctions for national_id "IDEMSANC123" < 1ms

Then the response status should be 200 < 1ms

And the response data should match "first_check" < 1ms

Feature:Tenant & Client Management Admin API 1s 602ms 43

As a platform administrator
I want to manage tenants and clients via admin API
So that OAuth applications can be onboarded and configured

@admin @tenant @crud
Scenario:
Create tenant successfully
< 1ms 5

Given the ID Gateway is running < 1ms

When I create a tenant with name "Test Tenant E2E" < 1ms

Then the response status should be 201 < 1ms

And the response should contain "tenant_id" < 1ms

And I save the tenant ID from the response < 1ms

@admin @tenant @crud
Scenario:
Create tenant with duplicate name fails
< 1ms 7

Given the ID Gateway is running < 1ms

When I create a tenant with exact name "Duplicate Tenant Test" < 1ms

Then the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

When I create a tenant with exact name "Duplicate Tenant Test" < 1ms

Then the response status should be 409 < 1ms

And the response field "error" should equal "conflict" < 1ms

@admin @tenant @crud
Scenario:
Get tenant details
< 1ms 7

Given the ID Gateway is running < 1ms

When I create a tenant with name "Get Tenant Test" < 1ms

Then the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

When I get the tenant details < 1ms

Then the response status should be 200 < 1ms

And the response field "name" should contain "Get Tenant Test" < 1ms

@admin @tenant @validation
Scenario:
Create tenant with empty name fails
< 1ms 4

Given the ID Gateway is running < 1ms

When I create a tenant with name "" < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "validation_error" < 1ms

@admin @tenant @security
Scenario:
Create tenant without admin token fails
< 1ms 4

Given the ID Gateway is running < 1ms

When I create a tenant with name "Unauthorized Tenant" and token "" < 1ms

Then the response status should be 401 < 1ms

And the response field "error" should equal "unauthorized" < 1ms

@admin @client @crud
Scenario:
Create client under tenant
67ms 9

Given the ID Gateway is running < 1ms

When I create a tenant with name "Client Test Tenant" < 1ms

Then the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

When I create a client "Test App" under the tenant 67ms

Then the response status should be 201 < 1ms

And the response should contain "client_id" < 1ms

And the response should contain "client_secret" < 1ms

And I save the client ID from the response < 1ms

@admin @client @crud
Scenario:
Get client details
69ms 11

Given the ID Gateway is running < 1ms

When I create a tenant with name "Get Client Tenant" 1ms

Then the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

When I create a client "Get Client App" under the tenant 67ms

Then the response status should be 201 < 1ms

And I save the client ID from the response < 1ms

When I get the client details < 1ms

Then the response status should be 200 < 1ms

And the response field "name" should equal "Get Client App" < 1ms

And the response should not contain "client_secret" < 1ms

@admin @client @crud
Scenario:
Update client
68ms 10

Given the ID Gateway is running < 1ms

When I create a tenant with name "Update Client Tenant" < 1ms

Then the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

When I create a client "Original Name" under the tenant 67ms

Then the response status should be 201 < 1ms

And I save the client ID from the response < 1ms

When I update the client name to "Updated Name" < 1ms

Then the response status should be 200 < 1ms

And the response field "name" should equal "Updated Name" < 1ms

@admin @client @security
Scenario:
Client secret rotation
135ms 12

Given the ID Gateway is running < 1ms

When I create a tenant with name "Secret Rotation Tenant" < 1ms

Then the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

When I create a client "Rotation App" under the tenant 67ms

Then the response status should be 201 < 1ms

And I save the client ID from the response < 1ms

And I save the client secret from the response < 1ms

When I rotate the client secret 67ms

Then the response status should be 200 < 1ms

And the response should contain "client_secret" < 1ms

And the new secret should be different from the saved secret < 1ms

@admin @client @validation
Scenario:
Create client with invalid tenant fails
< 1ms 4

Given the ID Gateway is running < 1ms

When I create a client "Orphan App" under tenant "00000000-0000-0000-0000-000000000000" < 1ms

Then the response status should be 404 < 1ms

And the response field "error" should equal "not_found" < 1ms

@admin @client @security
Scenario:
Create client without admin token fails
1ms 7

Given the ID Gateway is running < 1ms

When I create a tenant with name "Unauthorized Client Tenant" < 1ms

Then the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

When I create a client "Unauthorized App" under the tenant without admin token < 1ms

Then the response status should be 401 < 1ms

And the response field "error" should equal "unauthorized" < 1ms

@admin @tenant @lifecycle
Scenario:
Deactivate tenant blocks OAuth flows
68ms 13

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Lifecycle Test" < 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

And I create a client "Test App" under the tenant 67ms

And the response status should be 201 < 1ms

And I save the client ID from the response < 1ms

And I save the OAuth client_id from the response < 1ms

When I deactivate the tenant < 1ms

Then the response status should be 200 < 1ms

When I initiate authorization with the client < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "invalid_client" < 1ms

@admin @tenant @lifecycle
Scenario:
Deactivate already-inactive tenant returns conflict
1ms 9

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Already Inactive" < 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

When I deactivate the tenant < 1ms

Then the response status should be 200 < 1ms

When I deactivate the tenant < 1ms

Then the response status should be 409 < 1ms

And the response field "error" should equal "conflict" < 1ms

@admin @tenant @lifecycle
Scenario:
Reactivate tenant restores OAuth flows
69ms 14

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Reactivate Test" < 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

And I create a client "Restore App" under the tenant 67ms

And the response status should be 201 < 1ms

And I save the client ID from the response < 1ms

And I save the OAuth client_id from the response < 1ms

And I deactivate the tenant < 1ms

And the response status should be 200 < 1ms

When I reactivate the tenant < 1ms

Then the response status should be 200 < 1ms

When I initiate authorization with the client < 1ms

Then the response status should be 200 < 1ms

@admin @tenant @lifecycle
Scenario:
Reactivate already-active tenant returns conflict
< 1ms 7

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Already Active" < 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

When I reactivate the tenant < 1ms

Then the response status should be 409 < 1ms

And the response field "error" should equal "conflict" < 1ms

@admin @client @lifecycle
Scenario:
Deactivate client blocks OAuth flows
70ms 13

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Client Lifecycle" 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

And I create a client "Deactivate Me" under the tenant 67ms

And the response status should be 201 < 1ms

And I save the client ID from the response < 1ms

And I save the OAuth client_id from the response < 1ms

When I deactivate the client < 1ms

Then the response status should be 200 < 1ms

When I initiate authorization with the client < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "invalid_client" < 1ms

@admin @client @lifecycle
Scenario:
Deactivate already-inactive client returns conflict
68ms 12

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Client Already Inactive" < 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

And I create a client "Already Inactive Client" under the tenant 67ms

And the response status should be 201 < 1ms

And I save the client ID from the response < 1ms

When I deactivate the client < 1ms

Then the response status should be 200 < 1ms

When I deactivate the client < 1ms

Then the response status should be 409 < 1ms

And the response field "error" should equal "conflict" < 1ms

@admin @client @lifecycle
Scenario:
Reactivate client restores OAuth flows
69ms 14

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Restore Test" < 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

And I create a client "Restore Me" under the tenant 67ms

And the response status should be 201 < 1ms

And I save the client ID from the response < 1ms

And I save the OAuth client_id from the response < 1ms

And I deactivate the client < 1ms

And the response status should be 200 < 1ms

When I reactivate the client < 1ms

Then the response status should be 200 < 1ms

When I initiate authorization with the client < 1ms

Then the response status should be 200 < 1ms

@admin @client @lifecycle
Scenario:
Reactivate already-active client returns conflict
68ms 10

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Client Already Active" < 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

And I create a client "Already Active Client" under the tenant 67ms

And the response status should be 201 < 1ms

And I save the client ID from the response < 1ms

When I reactivate the client < 1ms

Then the response status should be 409 < 1ms

And the response field "error" should equal "conflict" < 1ms

@admin @tenant @lifecycle @security
Scenario:
Deactivate tenant without admin token fails
1ms 7

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Auth Test Tenant" < 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

When I deactivate the tenant without admin token < 1ms

Then the response status should be 401 < 1ms

And the response field "error" should equal "unauthorized" < 1ms

@admin @client @lifecycle @security
Scenario:
Deactivate client without admin token fails
68ms 10

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Client Auth Test" < 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

And I create a client "Auth Test Client" under the tenant 67ms

And the response status should be 201 < 1ms

And I save the client ID from the response < 1ms

When I deactivate the client without admin token < 1ms

Then the response status should be 401 < 1ms

And the response field "error" should equal "unauthorized" < 1ms

@admin @tenant @lifecycle
Scenario:
Deactivate non-existent tenant returns not found
< 1ms 4

Given the ID Gateway is running < 1ms

When I deactivate tenant with id "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" < 1ms

Then the response status should be 404 < 1ms

And the response field "error" should equal "not_found" < 1ms

@admin @client @lifecycle
Scenario:
Deactivate non-existent client returns not found
< 1ms 4

Given the ID Gateway is running < 1ms

When I deactivate client with id "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" < 1ms

Then the response status should be 404 < 1ms

And the response field "error" should equal "not_found" < 1ms

@admin @client @validation @security
Scenario:
Public client cannot use client_credentials grant
1ms 7

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Public Client Grant Test" < 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

When I create a public client "Public SPA" with client_credentials grant under the tenant < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "validation_error" < 1ms

@admin @client @validation @security
Scenario:
Redirect URI rejects localhost subdomain bypass
1ms 7

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Localhost Bypass Test" < 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

When I create a client with redirect URI "http://localhost.attacker.com/callback" under the tenant < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "validation_error" < 1ms

@admin @tenant @validation
Scenario:
Tenant name uniqueness is case-insensitive
1ms 7

Given the ID Gateway is running < 1ms

When I create a tenant with exact name "CaseTest" < 1ms

Then the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

When I create a tenant with exact name "casetest" < 1ms

Then the response status should be 409 < 1ms

And the response field "error" should equal "conflict" < 1ms

@admin @client @security
Scenario:
Rotate secret for public client fails
68ms 10

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Public Client Rotation Test" < 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

When I create a public client "Public SPA" under the tenant < 1ms

Then the response status should be 201 < 1ms

And I save the client ID from the response < 1ms

When I rotate the client secret 67ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "validation_error" < 1ms

@admin @client @security
Scenario:
Old secret is invalidated after rotation
136ms 13

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Secret Invalidation Test" 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

And I create a client "Rotation Invalidation App" under the tenant 67ms

And the response status should be 201 < 1ms

And I save the client ID from the response < 1ms

And I save the client secret from the response < 1ms

And I save the OAuth client_id from the response < 1ms

When I rotate the client secret 67ms

Then the response status should be 200 < 1ms

When I authenticate with the old client secret < 1ms

Then the authentication should fail < 1ms

@admin @tenant @security
Scenario:
Reactivate tenant without admin token fails
1ms 9

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Reactivate Auth Test" < 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

And I deactivate the tenant < 1ms

And the response status should be 200 < 1ms

When I reactivate the tenant without admin token < 1ms

Then the response status should be 401 < 1ms

And the response field "error" should equal "unauthorized" < 1ms

@admin @client @security
Scenario:
Reactivate client without admin token fails
69ms 12

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Client Reactivate Auth Test" 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

And I create a client "Auth Test Client" under the tenant 67ms

And the response status should be 201 < 1ms

And I save the client ID from the response < 1ms

And I deactivate the client < 1ms

And the response status should be 200 < 1ms

When I reactivate the client without admin token < 1ms

Then the response status should be 401 < 1ms

And the response field "error" should equal "unauthorized" < 1ms

@admin @tenant @security
Scenario:
Get tenant without admin token fails
1ms 7

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Get Tenant Auth Test" < 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

When I get the tenant details without admin token < 1ms

Then the response status should be 401 < 1ms

And the response field "error" should equal "unauthorized" < 1ms

@admin @client @security
Scenario:
Get client without admin token fails
70ms 10

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Get Client Auth Test" 2ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

And I create a client "Get Auth Test Client" under the tenant 67ms

And the response status should be 201 < 1ms

And I save the client ID from the response < 1ms

When I get the client details without admin token < 1ms

Then the response status should be 401 < 1ms

And the response field "error" should equal "unauthorized" < 1ms

@admin @client @security
Scenario:
Update client without admin token fails
68ms 10

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Update Client Auth Test" < 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

And I create a client "Update Auth Test Client" under the tenant 67ms

And the response status should be 201 < 1ms

And I save the client ID from the response < 1ms

When I update the client name to "New Name" without admin token < 1ms

Then the response status should be 401 < 1ms

And the response field "error" should equal "unauthorized" < 1ms

@admin @client @security
Scenario:
Rotate secret without admin token fails
68ms 10

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Rotate Secret Auth Test" < 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

And I create a client "Rotate Auth Test Client" under the tenant 67ms

And the response status should be 201 < 1ms

And I save the client ID from the response < 1ms

When I rotate the client secret without admin token < 1ms

Then the response status should be 401 < 1ms

And the response field "error" should equal "unauthorized" < 1ms

@admin @client @validation
Scenario:
Update client with invalid redirect URI fails
68ms 10

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Update URI Validation Test" < 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

And I create a client "URI Update Test App" under the tenant 67ms

And the response status should be 201 < 1ms

And I save the client ID from the response < 1ms

When I update the client with redirect URI "http://example.com/callback" < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "validation_error" < 1ms

@admin @client @validation
Scenario:
Update public client to use client_credentials fails
1ms 10

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Public Grant Update Test" < 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

When I create a public client "Public Grant Test" under the tenant < 1ms

Then the response status should be 201 < 1ms

And I save the client ID from the response < 1ms

When I update the client with client_credentials grant < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "validation_error" < 1ms

@admin @client @validation
Scenario:
Update client with empty name fails
68ms 10

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Empty Name Update Test" < 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

And I create a client "Empty Name Test App" under the tenant 67ms

And the response status should be 201 < 1ms

And I save the client ID from the response < 1ms

When I update the client name to "" < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "validation_error" < 1ms

@admin @client @lifecycle
Scenario:
Reactivating tenant does not auto-reactivate deactivated clients
70ms 17

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Cascade Test" < 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

And I create a client "Cascade App" under the tenant 67ms

And the response status should be 201 < 1ms

And I save the client ID from the response < 1ms

And I save the OAuth client_id from the response < 1ms

And I deactivate the client < 1ms

And the response status should be 200 < 1ms

And I deactivate the tenant < 1ms

And the response status should be 200 < 1ms

When I reactivate the tenant < 1ms

Then the response status should be 200 < 1ms

When I initiate authorization with the client < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "invalid_client" < 1ms

@admin @client @lifecycle
Scenario:
Create client under inactive tenant fails
1ms 9

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Inactive Tenant Client Test" < 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

And I deactivate the tenant < 1ms

And the response status should be 200 < 1ms

When I create a client "Orphan Client" under the tenant < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "validation_error" < 1ms

@admin @tenant @validation
Scenario:
Tenant name at max length succeeds
< 1ms 4

Given the ID Gateway is running < 1ms

When I create a tenant with name of exactly 128 characters < 1ms

Then the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

@admin @tenant @validation
Scenario:
Tenant name exceeds max length fails
< 1ms 4

Given the ID Gateway is running < 1ms

When I create a tenant with name of exactly 129 characters < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "validation_error" < 1ms

@admin @client @validation
Scenario:
Client name at max length succeeds
67ms 6

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Client Name Length Test" < 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

When I create a client with name of exactly 128 characters under the tenant 67ms

Then the response status should be 201 < 1ms

@admin @client @validation
Scenario:
Client name exceeds max length fails
1ms 7

Given the ID Gateway is running < 1ms

Given I create a tenant with name "Client Name Overflow Test" < 1ms

And the response status should be 201 < 1ms

And I save the tenant ID from the response < 1ms

When I create a client with name of exactly 129 characters under the tenant < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "validation_error" < 1ms

Feature:Token lifecycle and session management 23ms 8

As a user
I want secure token refresh and revocation
So that sessions can be rotated and revoked securely

@token @refresh
Scenario:
Refresh token rotation rejects reuse (RFC 6749 §5.2)
2ms 15

Given the ID Gateway is running < 1ms

When I initiate authorization with email "rotate@example.com" and scopes "openid" < 1ms

Then the response status should be 200 < 1ms

And I save the authorization code < 1ms

When I exchange the authorization code for tokens < 1ms

Then the response status should be 200 < 1ms

And the response should contain "refresh_token" < 1ms

And I save the tokens from the response < 1ms

When I refresh tokens with the saved refresh token < 1ms

Then the response status should be 200 < 1ms

And the response should contain "refresh_token" < 1ms

And the new refresh token should differ from the previous one < 1ms

When I attempt to refresh with the previous refresh token < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "invalid_grant" < 1ms

@token @revocation
Scenario:
Refresh token revocation blocks future refresh (RFC 6749 §5.2)
2ms 13

Given the ID Gateway is running < 1ms

When I initiate authorization with email "revoke-refresh@example.com" and scopes "openid" < 1ms

Then the response status should be 200 < 1ms

And I save the authorization code < 1ms

When I exchange the authorization code for tokens < 1ms

Then the response status should be 200 < 1ms

And I save the tokens from the response < 1ms

When I revoke the saved refresh token < 1ms

Then the response status should be 200 < 1ms

And the response field "revoked" should equal "true" < 1ms

When I refresh tokens with the saved refresh token < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "invalid_grant" < 1ms

@token @revocation
Scenario:
Access token revocation invalidates the session
2ms 12

Given the ID Gateway is running < 1ms

When I initiate authorization with email "revoke-access@example.com" and scopes "openid" < 1ms

Then the response status should be 200 < 1ms

And I save the authorization code < 1ms

When I exchange the authorization code for tokens < 1ms

Then the response status should be 200 < 1ms

And I save the tokens from the response < 1ms

When I revoke the saved access token < 1ms

Then the response status should be 200 < 1ms

When I attempt to get user info with the saved access token < 1ms

Then the response status should be 401 < 1ms

And the response field "error" should equal "unauthorized" < 1ms

@token @sessions
Scenario:
Revoke a specific session from another active session
3ms 23

Given the ID Gateway is running < 1ms

When I initiate authorization with email "session-mgmt@example.com" and scopes "openid" < 1ms

Then the response status should be 200 < 1ms

And I save the authorization code < 1ms

When I exchange the authorization code for tokens < 1ms

Then the response status should be 200 < 1ms

And I save the tokens from the response as "primary" < 1ms

When I initiate authorization with email "session-mgmt@example.com" and scopes "openid" < 1ms

Then the response status should be 200 < 1ms

And I save the authorization code < 1ms

When I exchange the authorization code for tokens < 1ms

Then the response status should be 200 < 1ms

And I save the tokens from the response as "secondary" < 1ms

When I list sessions with access token "secondary" < 1ms

Then the response status should be 200 < 1ms

And the response should list at least 2 sessions < 1ms

And I save the current session id as "secondary" < 1ms

When I revoke session "secondary" using access token "primary" < 1ms

Then the response status should be 200 < 1ms

And the response field "revoked" should equal "true" < 1ms

When I request user info with access token "secondary" < 1ms

Then the response status should be 401 < 1ms

And the response field "error" should equal "unauthorized" < 1ms

@token @refresh @concurrency @security
Scenario:
Concurrent refresh token requests (one wins, one fails)
2ms 11

Given the ID Gateway is running < 1ms

When I initiate authorization with email "concurrent@example.com" and scopes "openid" < 1ms

Then the response status should be 200 < 1ms

And I save the authorization code < 1ms

When I exchange the authorization code for tokens < 1ms

Then the response status should be 200 < 1ms

And I save the tokens from the response < 1ms

When I submit two concurrent refresh requests with the same refresh token < 1ms

Then exactly one request should succeed with status 200 < 1ms

And exactly one request should fail with status 400 < 1ms

And the failed response field "error" should equal "invalid_grant" < 1ms

@token @sessions @revocation
Scenario:
Revoked session cannot refresh tokens
2ms 16

Given the ID Gateway is running < 1ms

When I initiate authorization with email "revoke-session@example.com" and scopes "openid" < 1ms

Then the response status should be 200 < 1ms

And I save the authorization code < 1ms

When I exchange the authorization code for tokens < 1ms

Then the response status should be 200 < 1ms

And I save the tokens from the response < 1ms

When I list sessions with the saved access token < 1ms

Then the response status should be 200 < 1ms

And I save the current session id < 1ms

When I revoke the current session < 1ms

Then the response status should be 200 < 1ms

And the response field "revoked" should equal "true" < 1ms

When I refresh tokens with the saved refresh token < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "invalid_grant" < 1ms

@token @sessions @logout-all
Scenario:
User can revoke all sessions except current (PRD-016 FR-6)
6ms 31

Given the ID Gateway is running < 1ms

When I initiate authorization with email "logout-all@example.com" and scopes "openid" < 1ms

Then the response status should be 200 < 1ms

And I save the authorization code < 1ms

When I exchange the authorization code for tokens < 1ms

Then the response status should be 200 < 1ms

And I save the tokens from the response as "session1" < 1ms

When I initiate authorization with email "logout-all@example.com" and scopes "openid" 1ms

Then the response status should be 200 < 1ms

And I save the authorization code < 1ms

When I exchange the authorization code for tokens < 1ms

Then the response status should be 200 < 1ms

And I save the tokens from the response as "session2" < 1ms

When I initiate authorization with email "logout-all@example.com" and scopes "openid" < 1ms

Then the response status should be 200 < 1ms

And I save the authorization code < 1ms

When I exchange the authorization code for tokens < 1ms

Then the response status should be 200 < 1ms

And I save the tokens from the response as "session3" < 1ms

When I list sessions with access token "session3" < 1ms

Then the response status should be 200 < 1ms

And the response should list at least 3 sessions < 1ms

When I call logout-all with access token "session3" and except_current "true" < 1ms

Then the response status should be 200 < 1ms

And the response field "revoked_count" should equal 2 < 1ms

When I request user info with access token "session3" < 1ms

Then the response status should be 200 < 1ms

When I request user info with access token "session1" < 1ms

Then the response status should be 401 < 1ms

When I request user info with access token "session2" < 1ms

Then the response status should be 401 < 1ms

@token @sessions @logout-all
Scenario:
User can revoke all sessions including current (PRD-016 FR-6)
1ms 12

Given the ID Gateway is running < 1ms

When I initiate authorization with email "logout-all-inclusive@example.com" and scopes "openid" < 1ms

Then the response status should be 200 < 1ms

And I save the authorization code < 1ms

When I exchange the authorization code for tokens < 1ms

Then the response status should be 200 < 1ms

And I save the tokens from the response < 1ms

When I call logout-all with the saved access token and except_current "false" < 1ms

Then the response status should be 200 < 1ms

And the response field "revoked_count" should be at least 1 < 1ms

When I attempt to get user info with the saved access token < 1ms

Then the response status should be 401 < 1ms

Feature:Verifiable Credential Issuance 124ms 13 2

As an authenticated user with valid identity
I want to receive age verification credentials
So that I can prove my age to third parties

@vc @normal
Scenario:
Issue AgeOver18 credential for eligible user
12ms 12

Given the ID Gateway is running < 1ms

And I am authenticated as "vc-test@example.com" < 1ms

And I grant consent for purposes "vc_issuance,registry_check" < 1ms

Given the citizen registry contains a record for "ADULT123456" with birth date "1990-01-01" < 1ms

When I request an AgeOver18 credential with national_id "ADULT123456" 10ms

Then the response status should be 200 < 1ms

And the response should contain "credential_id" < 1ms

And the response field "type" should equal "AgeOver18" < 1ms

And the response field "issuer" should equal "credo" < 1ms

And the response should contain "issued_at" < 1ms

And the response should contain "claims" < 1ms

And the credential claims should contain "is_over_18" equal to true < 1ms

@vc @normal
Scenario:
Issued credential has valid ID format
12ms 7

Given the ID Gateway is running < 1ms

And I am authenticated as "vc-test@example.com" < 1ms

And I grant consent for purposes "vc_issuance,registry_check" < 1ms

Given the citizen registry contains a record for "FMTCHECK123" with birth date "1985-06-15" < 1ms

When I request an AgeOver18 credential with national_id "FMTCHECK123" 10ms

Then the response status should be 200 < 1ms

And the response field "credential_id" should start with "vc_" < 1ms

@vc @age
Scenario:
Reject issuance for underage user (17 years old)
12ms 8

Given the ID Gateway is running < 1ms

And I am authenticated as "vc-test@example.com" < 1ms

And I grant consent for purposes "vc_issuance,registry_check" < 1ms

Given the citizen registry contains a record for "MINOR17" with birth date making them 17 years old < 1ms

When I request an AgeOver18 credential with national_id "MINOR17" 10ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "bad_request" < 1ms

And the response field "error_description" should contain "age requirement" < 1ms

@vc @age
Scenario:
Issue credential for user who turned 18 today
12ms 7

Given the ID Gateway is running < 1ms

And I am authenticated as "vc-test@example.com" < 1ms

And I grant consent for purposes "vc_issuance,registry_check" < 1ms

Given the citizen registry contains a record for "JUSTTURNED18" with birth date making them exactly 18 years old < 1ms

When I request an AgeOver18 credential with national_id "JUSTTURNED18" 10ms

Then the response status should be 200 < 1ms

And the credential claims should contain "is_over_18" equal to true < 1ms

@vc @consent
Scenario:
Reject issuance without consent
2ms 8

Given the ID Gateway is running < 1ms

And I am authenticated as "vc-test@example.com" < 1ms

And I grant consent for purposes "vc_issuance,registry_check" < 1ms

Given I am authenticated as "vc-no-consent@example.com" < 1ms

And I have NOT granted consent for purposes "vc_issuance" < 1ms

When I request an AgeOver18 credential with national_id "NOCONSENT123" < 1ms

Then the response status should be 403 < 1ms

And the response field "error" should equal "missing_consent" < 1ms

@vc @consent
Scenario:
Reject issuance after consent revoked
3ms 9

Given the ID Gateway is running < 1ms

And I am authenticated as "vc-test@example.com" < 1ms

And I grant consent for purposes "vc_issuance,registry_check" < 1ms

Given I am authenticated as "vc-revoked@example.com" < 1ms

And I grant consent for purposes "vc_issuance,registry_check" < 1ms

And I revoke consent for purposes "vc_issuance" < 1ms

When I request an AgeOver18 credential with national_id "REVOKED123" < 1ms

Then the response status should be 403 < 1ms

And the response field "error" should equal "invalid_consent" < 1ms

@vc @registry
Scenario:
Reject issuance for unknown citizen
12ms 7

Given the ID Gateway is running < 1ms

And I am authenticated as "vc-test@example.com" < 1ms

And I grant consent for purposes "vc_issuance,registry_check" < 1ms

Given the citizen registry has no record for national_id "UNKNOWN999" < 1ms

When I request an AgeOver18 credential with national_id "UNKNOWN999" 10ms

Then the response status should be 404 < 1ms

And the response field "error" should equal "not_found" < 1ms

@vc @registry
Scenario:
Reject issuance for invalid citizen record
12ms 8

Given the ID Gateway is running < 1ms

And I am authenticated as "vc-test@example.com" < 1ms

And I grant consent for purposes "vc_issuance,registry_check" < 1ms

Given the citizen registry contains an invalid record for "INVALID12345" < 1ms

When I request an AgeOver18 credential with national_id "INVALID12345" 10ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "bad_request" < 1ms

And the response field "error_description" should contain "invalid citizen" < 1ms

@vc @validation
Scenario:
Reject issuance without authentication
1ms 6

Given the ID Gateway is running < 1ms

And I am authenticated as "vc-test@example.com" < 1ms

And I grant consent for purposes "vc_issuance,registry_check" < 1ms

When I request an AgeOver18 credential with national_id "TEST123456" without authentication < 1ms

Then the response status should be 401 < 1ms

And the response field "error" should equal "unauthorized" < 1ms

@vc @validation
Scenario:
Reject issuance with missing national_id
1ms 3 1 3

Given the ID Gateway is running < 1ms

And I am authenticated as "vc-test@example.com" < 1ms

And I grant consent for purposes "vc_issuance,registry_check" < 1ms

When I POST to "/vc/issue" with empty national_id 0s 

Then(/^I POST to "([^"]*)" with empty national_id$/, function(arg1, callback) {
  // Write code here that turns the phrase above into concrete actions
  callback(null, 'pending');
});

Then the response status should be 400 0s

And the response field "error" should equal "validation_error" 0s

And the response field "error_description" should contain "national_id is required" 0s

@vc @validation
Scenario:
Reject issuance with missing type
1ms 3 1 3

Given the ID Gateway is running < 1ms

And I am authenticated as "vc-test@example.com" < 1ms

And I grant consent for purposes "vc_issuance,registry_check" < 1ms

When I POST to "/vc/issue" with missing type 0s 

Then(/^I POST to "([^"]*)" with missing type$/, function(arg1, callback) {
  // Write code here that turns the phrase above into concrete actions
  callback(null, 'pending');
});

Then the response status should be 400 0s

And the response field "error" should equal "validation_error" 0s

And the response field "error_description" should contain "type is required" 0s

@vc @validation
Scenario:
Reject issuance with invalid credential type
2ms 7

Given the ID Gateway is running < 1ms

And I am authenticated as "vc-test@example.com" 1ms

And I grant consent for purposes "vc_issuance,registry_check" < 1ms

When I request a credential with invalid type "InvalidType" and national_id "TEST123456" < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "validation_error" < 1ms

And the response field "error_description" should contain "type" < 1ms

@vc @validation
Scenario:
Reject issuance with invalid national_id format
1ms 7

Given the ID Gateway is running < 1ms

And I am authenticated as "vc-test@example.com" < 1ms

And I grant consent for purposes "vc_issuance,registry_check" < 1ms

When I request an AgeOver18 credential with national_id "bad!" < 1ms

Then the response status should be 400 < 1ms

And the response field "error" should equal "validation_error" < 1ms

And the response field "error_description" should contain "national_id" < 1ms

@vc @regulated
Scenario:
Regulated mode strips PII from credentials
12ms 9

Given the ID Gateway is running < 1ms

And I am authenticated as "vc-test@example.com" < 1ms

And I grant consent for purposes "vc_issuance,registry_check" < 1ms

Given the system is running in regulated mode < 1ms

And the citizen registry contains a record for "REGULATED123" with birth date "1980-03-15" < 1ms

When I request an AgeOver18 credential with national_id "REGULATED123" 10ms

Then the response status should be 200 < 1ms

And the credential claims should contain "is_over_18" equal to true < 1ms

And the credential claims should NOT contain "verified_via" < 1ms

@vc @idempotency
Scenario:
Multiple issuance requests create separate credentials
23ms 10

Given the ID Gateway is running < 1ms

And I am authenticated as "vc-test@example.com" < 1ms

And I grant consent for purposes "vc_issuance,registry_check" < 1ms

Given the citizen registry contains a record for "MULTI123456" with birth date "1992-04-10" < 1ms

When I request an AgeOver18 credential with national_id "MULTI123456" 10ms

Then the response status should be 200 < 1ms

And I save the response field "credential_id" as "first_credential" < 1ms

When I request an AgeOver18 credential with national_id "MULTI123456" 10ms

Then the response status should be 200 < 1ms

And the response field "credential_id" should not equal saved "first_credential" < 1ms

Feature:Verifiable Credential Verification 17ms 3 1

As an authenticated user
I want to verify issued credentials
So that I can reuse proof without re-checking registry data

@vc @verify
Scenario:
Verify an issued AgeOver18 credential
13ms 13

Given the ID Gateway is running < 1ms

And I am authenticated as "vc-verify@example.com" < 1ms

And I grant consent for purposes "vc_issuance,registry_check" < 1ms

Given the citizen registry contains a record for "VERIFY123456" with birth date "1990-01-01" < 1ms

When I request an AgeOver18 credential with national_id "VERIFY123456" 10ms

Then the response status should be 200 < 1ms

And I save the response field "credential_id" as "issued_credential" < 1ms

When I verify the saved credential_id "issued_credential" < 1ms

Then the response status should be 200 < 1ms

And the response field "valid" should equal "true" < 1ms

And the response should contain "credential_id" < 1ms

And the response should contain "claims" < 1ms

And the credential claims should contain "is_over_18" equal to true < 1ms

@vc @verify
Scenario:
Reject verification for unknown credential
1ms 7

Given the ID Gateway is running < 1ms

And I am authenticated as "vc-verify@example.com" < 1ms

And I grant consent for purposes "vc_issuance,registry_check" < 1ms

When I verify a credential with id "vc_00000000-0000-0000-0000-000000000000" < 1ms

Then the response status should be 404 < 1ms

And the response field "valid" should equal "false" < 1ms

And the response field "reason" should equal "credential_not_found" < 1ms

@vc @verify @validation
Scenario:
Reject verification with missing credential_id
1ms 3 1 3

Given the ID Gateway is running < 1ms

And I am authenticated as "vc-verify@example.com" < 1ms

And I grant consent for purposes "vc_issuance,registry_check" < 1ms

When I POST to "/vc/verify" with empty credential_id 0s 

Then(/^I POST to "([^"]*)" with empty credential_id$/, function(arg1, callback) {
  // Write code here that turns the phrase above into concrete actions
  callback(null, 'pending');
});

Then the response status should be 400 0s

And the response field "error" should equal "validation_error" 0s

And the response field "error_description" should contain "credential_id is required" 0s

@vc @verify @validation
Scenario:
Reject verification without authentication
1ms 6

Given the ID Gateway is running < 1ms

And I am authenticated as "vc-verify@example.com" < 1ms

And I grant consent for purposes "vc_issuance,registry_check" < 1ms

When I verify a credential with id "vc_00000000-0000-0000-0000-000000000000" without authentication < 1ms

Then the response status should be 401 < 1ms

And the response field "error" should equal "unauthorized" < 1ms