coulomb/flex-auth
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
af3e8b2af2aaba7328489b156458ceb64ce8522c
flex-auth/examples/claims/README.md
tegwick f930e96568
Some checks failed
CI / Build and Test (push) Has been cancelled
Details
CI / Lint (push) Has been cancelled
Details
IAM Profile consumption doc + claim fixtures; close FLEX-WP-0005 
Completes FLEX-WP-0005 T05 and closes the Foundations and Topaz
Alignment workstream.

docs/iam-profile-consumption.md captures flex-auth's input surface
against NetKingdom IAM Profile v0.1:
- boundary (flex-auth consumes verified claims; upstream layer
  validates signatures and audiences)
- normalized input envelope (matches Markitect's EnterpriseIdentity)
- required, recommended, and tolerated claim variations
- role-claim location union (top-level / realm_access / resource_access)
- scope encoding (string vs array)
- principal-type detection (human / service / emergency)
- group-overage and freshness expectations
- production vs local-development handling

examples/claims/ ships five contract fixtures:
- key-cape-lightweight.yaml (profile minimum)
- keycloak-heavy.yaml (full variation set + MFA)
- service-account.yaml (svc-* hub-to-hub)
- emergency.yaml (break-glass with incident metadata)
- keycloak-group-overage.yaml (Entra-style hasgroups: true)

All fixtures parse as valid YAML. They become contract tests for the
standalone evaluator (FLEX-WP-0002 P2.4) and the Topaz adapter
(FLEX-WP-0004 T01); both code paths must produce identical normalized
envelopes for the same fixture.

FLEX-WP-0005 workstream marked status=done in this file and completed
in the State Hub. FLEX-WP-0002 is now fully unblocked.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-16 09:09:36 +02:00

24 lines
1.5 KiB
Markdown
Raw Blame History

# examples/claims/
Contract fixtures for the NetKingdom IAM Profile v0.1 claim shapes
flex-auth must accept. Each file is the *raw verified claim map* as
flex-auth receives it from the upstream identity layer (key-cape or
Keycloak); flex-auth's normalization produces the same
`EnterpriseIdentity`-shaped envelope for all of them.
See `docs/iam-profile-consumption.md` for the full consumption
surface.
| Fixture | Provider | Demonstrates |
| --- | --- | --- |
| `key-cape-lightweight.yaml` | key-cape lightweight mode | Profile-conformant minimum: single audience, top-level `roles` array, single-factor `amr=pwd`. |
| `keycloak-heavy.yaml` | Keycloak production | Full variation set: `realm_access.roles` + `resource_access.<client>.roles`, scope as space-separated string, MFA via `amr=otp`, multiple audiences. |
| `service-account.yaml` | Either provider | Hub-to-hub service account; `service` + `operator` roles, no `preferred_username`, narrow scope. |
| `emergency.yaml` | Either provider | Break-glass human identity; `emergency` role, short expiry, hardware MFA, audit-trail metadata in an `emergency` claim. |
| `keycloak-group-overage.yaml` | Entra/Keycloak | Group-claim overage signal (`hasgroups: true`); flex-auth's directory resolver fetches the full set. |
These fixtures are loaded by the standalone evaluator's contract tests
(`FLEX-WP-0002 P2.4`) and by the Topaz adapter's contract tests
(`FLEX-WP-0004 T01`). Both code paths MUST produce identical
normalized envelopes for the same fixture.
Reference in New Issue View Git Blame Copy Permalink