coulomb/flex-auth
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
main
flex-auth/examples/claims/README.md
tegwick aa8e3a4e34
Some checks failed
CI / Build and Test (push) Has been cancelled
Details
CI / Lint (push) Has been cancelled
Details
Align IAM Profile consumption with v0.2
2026-05-22 14:35:30 +02:00

1.5 KiB
Raw Permalink Blame History

examples/claims/

Contract fixtures for the NetKingdom IAM Profile v0.2 claim shapes flex-auth must accept. Each file is the raw verified claim map as flex-auth receives it from the upstream identity layer (key-cape or Keycloak); flex-auth's normalization produces the same EnterpriseIdentity-shaped envelope for all of them.

See docs/iam-profile-consumption.md for the full consumption surface.

Fixture Provider Demonstrates
key-cape-lightweight.yaml key-cape lightweight mode Profile-conformant minimum: single audience, top-level roles array, explicit tenant/principal/assurance.
keycloak-heavy.yaml Keycloak production Full variation set: canonical roles, provider-native role sources, scope as space-separated string, MFA assurance, multiple audiences.
service-account.yaml Either provider Service account; principal_type: service, service + operator roles, no preferred_username, narrow scope.
emergency.yaml Either provider Break-glass human identity; emergency role, assurance.level: break_glass, short expiry, audit-trail metadata in an emergency claim.
keycloak-group-overage.yaml Entra/Keycloak Group-claim overage signal (hasgroups: true); flex-auth's directory resolver fetches the full set.

These fixtures are loaded by the standalone evaluator's contract tests (FLEX-WP-0002 P2.4) and by the Topaz adapter's contract tests (FLEX-WP-0004 T01). Both code paths MUST produce identical normalized envelopes for the same fixture.

Reference in New Issue View Git Blame Copy Permalink