Align IAM Profile consumption with v0.2

2026-05-22 14:35:30 +02:00
parent 8354485632
commit aa8e3a4e34
7 changed files with 105 additions and 45 deletions
--- a/examples/claims/emergency.yaml
+++ b/examples/claims/emergency.yaml
@@ -2,9 +2,9 @@
 # expiry, emergency role, requires MFA per the profile, and triggers
 # durable audit recording on every flex-auth decision that involves it.
 #
-# Reference: NetKingdom IAM Profile v0.1 §"Human Override and Emergency
-# Access". flex-auth maps this to principal_type=emergency and emits a
-# `record_emergency` obligation on every decision.
+# Reference: NetKingdom IAM Profile v0.2 "Emergency And Break-Glass
+# Access". flex-auth maps the emergency role plus break_glass assurance to
+# a `record_emergency` obligation on every decision.

 iss: https://sso.netkingdom.example/realms/netkingdom
 sub: f1c4f64e-2c0c-4cda-8c9f-9f3f8f3a2b0e
@@ -13,6 +13,8 @@ aud:
 exp: 1767226200    # iat + 10 minutes; emergency tokens are short-lived
 iat: 1767225600
 auth_time: 1767225595
+tenant: tenant:platform
+principal_type: human
 azp: ops-console
 preferred_username: ada
 email: ada@netkingdom.example
@@ -20,11 +22,22 @@ scope: openid profile hub:admin
 roles:
  - emergency
  - admin
+groups:
+  - /platform/stewards
 amr:
  - pwd
  - otp
  - hwk
 acr: "3"
+assurance:
+  level: break_glass
+  methods:
+    - pwd
+    - otp
+    - hwk
+  mfa: true
+  source: keycloak
+  at: 1767225595
 emergency:
  incident_id: INC-2026-0042
  authorized_by: "team:platform-stewards"