coulomb/flex-auth
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
36a3d3c898acebbe1c141c8dae678b541b5e75df
flex-auth/workplans/FLEX-WP-0004-delegated-pdp-and-directory-adapters.md

129 lines
3.1 KiB
Markdown
Raw Blame History

---
id: FLEX-WP-0004
type: workplan
title: "Delegated PDP and Directory Adapters"
domain: netkingdom
status: todo
owner: flex-auth
topic_slug: flex-auth
planning_priority: P2
planning_order: 40
depends_on_workplans:
- FLEX-WP-0002
related_workplans:
- FLEX-WP-0003
created: "2026-05-04"
updated: "2026-05-04"
state_hub_workstream_id: "99a82976-d376-42b0-89cc-c44e01c0bec6"
---
# FLEX-WP-0004: Delegated PDP and Directory Adapters
## Purpose
Let flex-auth coordinate established authorization and directory systems while
remaining the stable control plane for protected systems.
The standalone core must work first. This workplan adds delegated backends and
provider examples after flex-auth's own request, decision, registry, and audit
vocabulary are stable.
## P4.1 - Evaluate Topaz as MVP delegated backend
```task
id: FLEX-WP-0004-T001
status: todo
priority: high
state_hub_task_id: "9046418c-2b78-42c6-8bfa-76d6ed0050dd"
```
Evaluate Topaz because it combines a local directory, relation modeling, and
OPA/Rego policy evaluation.
Output: spike notes, mapping examples, pros/cons, and recommendation.
## P4.2 - Add relationship PDP adapter boundary
```task
id: FLEX-WP-0004-T002
status: todo
priority: high
state_hub_task_id: "b77a0b70-b492-46ba-badf-8c2eebe006aa"
```
Define and implement adapter contracts for OpenFGA and SpiceDB-style checks:
- tuple/resource mapping
- inherited access
- batch/list operations
- consistency metadata
- error and stale-data diagnostics
## P4.3 - Add rule PDP adapter boundary
```task
id: FLEX-WP-0004-T003
status: todo
priority: high
state_hub_task_id: "4e4e5e45-c05a-4a31-8126-f0c7676b1e6c"
```
Define and implement adapter contracts for OPA/Rego and Cedar-style policies:
- principal/action/resource/context mapping
- policy package versioning
- test fixtures
- obligations and diagnostics
## P4.4 - Add Keycloak Authorization Services adapter path
```task
id: FLEX-WP-0004-T004
status: todo
priority: medium
state_hub_task_id: "8d3bbc28-985b-4dd7-9fb8-f9a858eb5a6b"
```
Document and spike Keycloak Authorization Services integration for
Keycloak-centric deployments without making Keycloak the only resource-policy
source of truth.
## P4.5 - Add Entra/Graph and SCIM group resolver adapters
```task
id: FLEX-WP-0004-T005
status: todo
priority: medium
state_hub_task_id: "4fc3fb91-8763-453e-8e54-36178cb11efd"
```
Implement directory group resolver patterns for:
- Microsoft Graph group overage
- SCIM provisioning
- LDAP/AD
- Keycloak admin API
Each resolver must expose freshness, source, and overage metadata.
## P4.6 - Add delegated-mode operations docs
```task
id: FLEX-WP-0004-T006
status: todo
priority: medium
state_hub_task_id: "491260f9-b4d7-46fe-8220-d358597db33a"
```
Document deployment, failure modes, caching, fail-closed/fail-open policy,
consistency, and audit behavior for delegated backends.
## Exit Criteria
- flex-auth can delegate decisions to at least one external PDP in a controlled
adapter shape.
- Directory group freshness and overage are explicit.
- Backend changes do not alter the protected-system-facing flex-auth API.
- Topaz/OpenFGA/OPA/Cedar/Keycloak/Entra tradeoffs are documented with
practical guidance.
Reference in New Issue View Git Blame Copy Permalink