flex-auth/examples/claims/emergency.yaml

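# Claim envelope for an emergency (break-glass) human principal. Short
# expiry, emergency role, requires MFA per the profile, and triggers
# durable audit recording on every flex-auth decision that involves it.
#
# Reference: NetKingdom IAM Profile v0.2 "Emergency And Break-Glass
# Access". flex-auth maps the emergency role plus break_glass assurance to
# a `record_emergency` obligation on every decision.
#
# NOTE(review): every timestamp below is a fixed example value, so a
# verifier that compares `exp` with the wall clock will treat this
# envelope as expired. Presumably consumers of the example pin the
# clock -- confirm.
iss: https://sso.netkingdom.example/realms/netkingdom
sub: f1c4f64e-2c0c-4cda-8c9f-9f3f8f3a2b0e
aud:
  - flex-auth
exp: 1767226200  # iat + 10 minutes; emergency tokens are short-lived
iat: 1767225600
# Five seconds before iat, and the same instant as assurance.at.
auth_time: 1767225595
# Quoted like emergency.authorized_by, so the colon-bearing identifier is
# always read as one string.
tenant: "tenant:platform"
principal_type: human
azp: ops-console
preferred_username: ada
email: ada@netkingdom.example
scope: openid profile hub:admin
# `emergency` is the role that, together with assurance.level below, maps
# to the `record_emergency` obligation described in the header.
# NOTE(review): the standing `admin` role is carried as well; confirm that
# policies exercised with this envelope still attach the obligation when a
# decision could be satisfied by `admin` alone.
roles:
  - emergency
  - admin
groups:
  - /platform/stewards
# Authentication methods: password, one-time password, hardware-secured
# key. The same three values are repeated in assurance.methods; keep the
# two lists in sync when editing.
amr:
  - pwd
  - otp
  - hwk
acr: "3"  # quoted so it stays a string rather than an integer
# Assurance block: `level: break_glass` is the second half of the
# condition for the `record_emergency` obligation.
assurance:
  level: break_glass
  methods:
    - pwd
    - otp
    - hwk
  mfa: true  # header: the profile requires MFA for this principal
  source: keycloak
  at: 1767225595  # equals auth_time
# Justification for the break-glass session: incident reference, the
# authorizing team, and the stated reason.
# NOTE(review): presumably these are the fields the durable audit record
# captures -- confirm against the profile.
emergency:
  incident_id: INC-2026-0042
  authorized_by: "team:platform-stewards"
  reason: "credential rotation playbook step 4"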