From 393abf3e0e24b360521ad9190e77de097439a419 Mon Sep 17 00:00:00 2001 From: tegwick Date: Fri, 22 May 2026 14:35:29 +0200 Subject: [PATCH] Reference IAM Profile v0.2 --- README.md | 19 ++++++++++++------- wiki/KeyCapeSpecification_v0.1.md | 26 ++++++++++++++++++-------- 2 files changed, 30 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index 35fb0dd..826407a 100644 --- a/README.md +++ b/README.md @@ -3,9 +3,11 @@ *Prepare for Keycloak without Keycloak* KeyCape is the lightweight IAM component of [NetKingdom](../net-kingdom/). It -implements the **NetKingdom IAM Profile** — a versioned OIDC/PKCE contract — -by orchestrating Authelia, LLDAP, and privacyIDEA. The same profile is -implemented by Keycloak in expanded-mode deployments. +implements lightweight mode for the **NetKingdom IAM Profile** — a versioned +OIDC/PKCE contract whose canonical core is now +`../net-kingdom/canon/standards/iam-profile_v0.2.md` — by orchestrating +Authelia, LLDAP, and privacyIDEA. The same profile is implemented by Keycloak +in expanded-mode deployments. Applications integrate against the profile, not against Keycape internals. This makes the lightweight → expanded migration a tested, automated operation rather @@ -20,7 +22,7 @@ than a rewrite. ``` Application - │ (NetKingdom IAM Profile) + │ (NetKingdom IAM Profile v0.2) ▼ KeyCape ←── profile enforcement, claim normalization, telemetry / | \ @@ -28,7 +30,8 @@ Auth LLDAP privacyIDEA elia ``` -**Expanded mode:** Replace KeyCape with Keycloak. Same profile, same tests pass. +**Expanded mode:** Replace KeyCape with Keycloak. Same profile contract, same +conformance suite in `../net-kingdom/tools/iam-profile-conformance/`. ## Quick Start 
@@ -105,8 +108,10 @@ KeyCape enforces the NetKingdom IAM Profile. Violations return structured errors | `rejected_for_profile_safety` | Would weaken security guarantees | | `invalid_profile_usage` | Supported feature used incorrectly | -Enforced boundaries: no implicit flow, no wildcard redirect URIs, no dynamic client -registration, no identity brokering, PKCE S256 required. +Enforced boundaries: no implicit flow, no wildcard redirect URIs, no dynamic +client registration, no identity brokering, PKCE S256 required. Profile v0.2 +also requires normalized tenant, principal type, groups, roles, scopes, and +assurance evidence in tokens consumed by applications and flex-auth. ## Migration Tools diff --git a/wiki/KeyCapeSpecification_v0.1.md b/wiki/KeyCapeSpecification_v0.1.md index bd38f79..c803cab 100644 --- a/wiki/KeyCapeSpecification_v0.1.md +++ b/wiki/KeyCapeSpecification_v0.1.md @@ -224,9 +224,13 @@ The lightweight stack shall be considered valid production infrastructure where --- -## 8. NetKingdom IAM Profile v0.1 +## 8. NetKingdom IAM Profile -This section defines the initial minimum profile to be supported. +This section defines the initial minimum profile supported by the KeyCape v0.1 +specification. The canonical NetKingdom profile has since moved to +`net-kingdom/canon/standards/iam-profile_v0.2.md`; KeyCape conformance should +be measured against that profile and the executable suite in +`net-kingdom/tools/iam-profile-conformance/`. ## 8.1 Supported authentication model 
@@ -282,11 +286,15 @@ Initial standard claims may include: * `email` if present * `name` if present -Optional NetKingdom-specific claims may include: +NetKingdom profile v0.2 requires these normalized claims before applications +or flex-auth consume a token: -* groups -* roles -* tenant or environment markers if explicitly defined +* `tenant` +* `principal_type` +* `groups` +* `roles` +* `scope` or `scp` +* `assurance` Claim names, types, and semantics must be fixed by the profile and validated in tests. @@ -786,9 +794,11 @@ Canonical fixtures conform if they pass canonical model and LDAP schema validati The following implementation artifacts should be created next: -### 21.1 NetKingdom IAM Profile v0.1 +### 21.1 NetKingdom IAM Profile -A more formal profile document with endpoint-by-endpoint detail. +A formal canonical profile document now exists in net-kingdom as +`canon/standards/iam-profile_v0.2.md`, with endpoint-by-endpoint detail, +tenant/principal/assurance claims, and executable conformance checks. ### 21.2 Canonical identity model schema
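Review bot: In the README hunk at `@@ -3,9 +3,11 @@` the profile is referenced by the sibling-checkout path `../net-kingdom/canon/standards/iam-profile_v0.2.md`, while the wiki hunk at `@@ -224,9 +224,13 @@` uses `net-kingdom/canon/standards/iam-profile_v0.2.md` and the hunk at `@@ -786,9 +794,11 @@` uses bare `canon/standards/iam-profile_v0.2.md` with "in net-kingdom" in prose. Three spellings of the same reference will drift; pick one form (ideally a resolvable URL or a documented sibling-checkout convention stated once near the top of the README) and use it in all three places, since a `../` path also renders as a dead link on a hosted repo view.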
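Review bot: In the README hunk at `@@ -105,8 +108,10 @@` the new sentence "Profile v0.2 also requires normalized tenant, principal type, groups, roles, scopes, and assurance evidence in tokens consumed by applications and flex-auth" adds a requirement without saying how a violation surfaces. The error table directly above lists only `rejected_for_profile_safety` and `invalid_profile_usage`; state which structured error is returned when a token is missing a required normalized claim, and that the token is rejected rather than the claim defaulted, so readers know the check fails closed. Also, `flex-auth` appears here for the first time in the README with no definition or link; add one.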
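Review bot: In the wiki hunk at `@@ -282,11 +286,15 @@` the required-claims list contains `* \`scope\` or \`scp\``, but the unchanged sentence that follows says "Claim names, types, and semantics must be fixed by the profile and validated in tests." Allowing two claim names for the same value is the opposite of a fixed name; either specify one normalized claim name that KeyCape emits, or state explicitly that the alternation is an input-side variance that normalization collapses to a single name before applications or flex-auth see it. The hunk also silently drops the previous "tenant or environment markers if explicitly defined" in favour of `tenant` alone; if environment markers are no longer part of the profile, say so, and give the types of the new `tenant`, `principal_type` and `assurance` claims (or defer to the v0.2 document by explicit reference) so the "types" half of that sentence is actually satisfiable in tests.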
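Review bot: In the wiki hunk at `@@ -224,9 +224,13 @@` section 8 keeps its own claim definitions under a heading that now reads just "NetKingdom IAM Profile" while the new paragraph says conformance "should be measured against" the v0.2 document. That leaves two profile texts in play with no statement of which is normative when they disagree (and the `@@ -282` hunk shows they already differ on which claims are optional versus required). Either mark section 8 as informative and superseded by v0.2, or keep it versioned and explicitly scoped to v0.1, so a reader of this spec cannot mistake it for the current contract.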
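Review bot: In the wiki hunk at `@@ -786,9 +794,11 @@` the rewritten 21.1 says "A formal canonical profile document now exists", but it still sits under the unchanged lead-in "The following implementation artifacts should be created next". A completed artifact listed as future work is confusing; either move this paragraph out of section 21 (for example into section 8 alongside the pointer added there) or reword the section lead-in to distinguish delivered artifacts from pending ones.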