AAuth .NET SDK gap analysis, remediation plan, and research #8
Merged
Copilot created this pull request from a session on behalf of dasiths, May 20, 2026 15:13
Copilot (AI) changed the title from "docs: AAuth SDK gaps analysis against draft spec" to "docs: add AAuth .NET SDK gap analysis and remediation plan" on May 20, 2026
Copilot (AI) changed the title from "docs: add AAuth .NET SDK gap analysis and remediation plan" to "docs: add gap-remediation plan for AAuth .NET SDK" on May 20, 2026
Copilot (AI) changed the title from "docs: add gap-remediation plan for AAuth .NET SDK" to "Add gap-remediation plan alongside SDK gaps analysis" on May 20, 2026
Copilot (AI) changed the title from "Add gap-remediation plan alongside SDK gaps analysis" to "AAuth .NET SDK gap analysis, remediation plan, and research" on May 20, 2026
Comprehensive spec-conformance gap analysis of the .NET AAuth SDK against draft-hardt-oauth-aauth-protocol, draft-hardt-aauth-bootstrap, and draft-hardt-aauth-r3, with a sequenced remediation plan and supporting research.

Contents

All documents live in `.agent/plans/2026-05-20-aauth-sdk-gap-remediation/`:

- `gaps.md` — Catalogues every unimplemented spec feature across 14 categories (protocol flows, endpoints, token types, signature-key schemes, crypto algorithms, governance, R3, bootstrap, error handling, verification, discovery, identifiers, conformance tests, misc claims). Includes a priority ranking.
- `implementation-plan.md` — 7-phase standalone plan (numbered from 1, references but does not extend the prior 2026-05-13 plan). Each phase includes proposed fix, alternatives considered with rejection rationale, and downstream implications. Phases ordered by security-first principle: verification hardening → server-side discovery + 4-party → scheme expansion + ECDSA → bootstrap → missions → R3 → 2-party + specialised flows.
- `research.md` — Deep-dives into library options, spec-text citations, reference-implementation precedents, and design proposals. Key findings that amended the plan:
  - `JsonCanonicalizer` NuGet (by RFC 8785 author) exists and is maintained → use it instead of hand-rolling JCS
  - `IAAuthKey` interface recommended over polymorphic struct for algorithm extensibility (Ed25519, ECDSA, future PQC)
  - `ECDsa` for verification (hardware-accelerated, deterministic-K irrelevant for verifiers)

Notable design decisions

- `AAuthServerId`/`AAuthAgentId` as `readonly record struct` with `ISpanParsable<T>` — validates the spec's strict identifier rules at parse time
- `SignatureErrorCode`, `TokenErrorCode`, `PollingErrorCode` matching the spec's three error surfaces
- `DeferredPoller` gains spec-mandated `slow_down` (+5s) and `invalid_code` (abort, no retry) semantics
- `act` chain depth capped at 10 (configurable) to prevent DoS via recursive delegation
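The `act` chain depth cap from the design decisions above, as an added C# example (not the SDK's own code): `ActChainPolicy` walks nested `act` claims iteratively and rejects a chain deeper than the configured maximum, defaulting to 10. It assumes the RFC 8693 nesting shape for `act`, and the `ActChainPolicy` and `MeasureOrReject` names are illustrative.

```csharp
using System;
using System.Text.Json;

// Added example, not SDK code. Caps the depth of nested "act" (delegation)
// claims, the recursive-delegation DoS mitigation named in the plan.
// Assumption: RFC 8693 nesting, where each "act" object may itself contain "act".
public sealed class ActChainPolicy
{
    public int MaxDepth { get; }

    public ActChainPolicy(int maxDepth = 10) // 10 is the default named in the plan
    {
        if (maxDepth < 0) throw new ArgumentOutOfRangeException(nameof(maxDepth));
        MaxDepth = maxDepth;
    }

    // Returns the delegation depth (0 = no "act"); throws once it exceeds MaxDepth.
    // Iterative walk, so a hostile token cannot grow the verifier's call stack.
    public int MeasureOrReject(JsonElement claims)
    {
        int depth = 0;
        JsonElement current = claims;
        while (current.ValueKind == JsonValueKind.Object
               && current.TryGetProperty("act", out JsonElement next))
        {
            if (next.ValueKind != JsonValueKind.Object)
                throw new JsonException("\"act\" claim must be a JSON object.");
            if (++depth > MaxDepth)
                throw new InvalidOperationException(
                    $"act chain depth {depth} exceeds the configured maximum of {MaxDepth}.");
            current = next;
        }
        return depth;
    }

    // Defense in depth: the reader itself rejects payloads nested far beyond
    // a legal act chain plus ordinary claims (the +8 headroom is an assumed value).
    public int MeasureOrReject(string payloadJson)
    {
        using JsonDocument doc = JsonDocument.Parse(payloadJson,
            new JsonDocumentOptions { MaxDepth = MaxDepth + 8 });
        return MeasureOrReject(doc.RootElement);
    }
}
```

Run the check on the decoded token payload before signature-independent claim processing, so an over-deep chain is rejected by a bounded loop rather than by whatever recursive claim walker would otherwise consume it.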