test(oauth-client): add metadata stage integration tests with AC2 coverage
Implement 10+ integration tests covering AC2.1–AC2.9 plus loopback-skip
and discovery-failure-blocks-metadata scenarios. Tests cover:
- AC2.1: confidential web client (happy path)
- AC2.2: public web client (happy path)
- AC2.3: native client (happy path)
- AC2.4: dpop_bound_access_tokens required
- AC2.5: confidential requires jwks/jwks_uri
- AC2.6: public client forbids token_endpoint_auth_method != "none"
- AC2.7: native redirect_uri scheme must match reverse-domain
- AC2.8: scope grammar validation with miette spans
- AC2.9: loopback clients skip all metadata checks
- discovery failure blocks metadata checks
Fixtures include minimal valid metadata documents for confidential/public
web clients and native clients, plus violation cases (missing fields,
invalid values, grammar errors). All snapshots verified and accepted.
Updated discovery test fixture to comply with Phase 4 metadata validation
constraints. All metadata check IDs appear in test snapshots.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>