generated from coulomb/repo-seed
Reference IAM Profile v0.2
Some checks failed
Build and Publish Container Image / build-and-push (push) Has been cancelled
Some checks failed
Build and Publish Container Image / build-and-push (push) Has been cancelled
This commit is contained in:
19
README.md
19
README.md
@@ -3,9 +3,11 @@
|
||||
*Prepare for Keycloak without Keycloak*
|
||||
|
||||
KeyCape is the lightweight IAM component of [NetKingdom](../net-kingdom/). It
|
||||
implements the **NetKingdom IAM Profile** — a versioned OIDC/PKCE contract —
|
||||
by orchestrating Authelia, LLDAP, and privacyIDEA. The same profile is
|
||||
implemented by Keycloak in expanded-mode deployments.
|
||||
implements lightweight mode for the **NetKingdom IAM Profile** — a versioned
|
||||
OIDC/PKCE contract whose canonical core is now
|
||||
`../net-kingdom/canon/standards/iam-profile_v0.2.md` — by orchestrating
|
||||
Authelia, LLDAP, and privacyIDEA. The same profile is implemented by Keycloak
|
||||
in expanded-mode deployments.
|
||||
|
||||
Applications integrate against the profile, not against Keycape internals. This
|
||||
makes the lightweight → expanded migration a tested, automated operation rather
|
||||
@@ -20,7 +22,7 @@ than a rewrite.
|
||||
|
||||
```
|
||||
Application
|
||||
│ (NetKingdom IAM Profile)
|
||||
│ (NetKingdom IAM Profile v0.2)
|
||||
▼
|
||||
KeyCape ←── profile enforcement, claim normalization, telemetry
|
||||
/ | \
|
||||
@@ -28,7 +30,8 @@ Auth LLDAP privacyIDEA
|
||||
elia
|
||||
```
|
||||
|
||||
**Expanded mode:** Replace KeyCape with Keycloak. Same profile, same tests pass.
|
||||
**Expanded mode:** Replace KeyCape with Keycloak. Same profile contract, same
|
||||
conformance suite in `../net-kingdom/tools/iam-profile-conformance/`.
|
||||
|
||||
## Quick Start
|
||||
|
||||
@@ -105,8 +108,10 @@ KeyCape enforces the NetKingdom IAM Profile. Violations return structured errors
|
||||
| `rejected_for_profile_safety` | Would weaken security guarantees |
|
||||
| `invalid_profile_usage` | Supported feature used incorrectly |
|
||||
|
||||
Enforced boundaries: no implicit flow, no wildcard redirect URIs, no dynamic client
|
||||
registration, no identity brokering, PKCE S256 required.
|
||||
Enforced boundaries: no implicit flow, no wildcard redirect URIs, no dynamic
|
||||
client registration, no identity brokering, PKCE S256 required. Profile v0.2
|
||||
also requires normalized tenant, principal type, groups, roles, scopes, and
|
||||
assurance evidence in tokens consumed by applications and flex-auth.
|
||||
|
||||
## Migration Tools
|
||||
|
||||
|
||||
Reference in New Issue
Block a user