Reference IAM Profile v0.2
Some checks failed
Build and Publish Container Image / build-and-push (push) Has been cancelled

2026-05-22 14:35:29 +02:00
parent f45784f951
commit 393abf3e0e
2 changed files with 30 additions and 15 deletions


@@ -224,9 +224,13 @@ The lightweight stack shall be considered valid production infrastructure where
---
## 8. NetKingdom IAM Profile v0.1
## 8. NetKingdom IAM Profile
This section defines the initial minimum profile to be supported.
This section defines the initial minimum profile supported by the KeyCape v0.1
specification. The canonical NetKingdom profile has since moved to
`net-kingdom/canon/standards/iam-profile_v0.2.md`; KeyCape conformance should
be measured against that profile and the executable suite in
`net-kingdom/tools/iam-profile-conformance/`.
## 8.1 Supported authentication model
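Review bot: The new paragraph under "## 8. NetKingdom IAM Profile" leaves two sources of truth, because it points conformance at `iam-profile_v0.2.md` while the v0.1 profile text in 8.1 onward stays in place with nothing saying which wins where they differ. Mark the rest of section 8 as historical or non-normative, or state explicitly that the v0.2 document takes precedence. The sentence also uses "should be measured" where the surrounding specification uses "shall"; if conformance against v0.2 is mandatory, use the same normative keyword. Consider pinning the referenced profile and conformance suite to a tag or revision so that "conformant" does not change silently when the other repository moves.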
@@ -282,11 +286,15 @@ Initial standard claims may include:
* `email` if present
* `name` if present
Optional NetKingdom-specific claims may include:
NetKingdom profile v0.2 requires these normalized claims before applications
or flex-auth consume a token:
* groups
* roles
* tenant or environment markers if explicitly defined
* `tenant`
* `principal_type`
* `groups`
* `roles`
* `scope` or `scp`
* `assurance`
Claim names, types, and semantics must be fixed by the profile and validated in tests.
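Review bot: The added item "`scope` or `scp`" conflicts with the unchanged line that follows the list, "Claim names, types, and semantics must be fixed by the profile and validated in tests", since it leaves the claim name open. Pick one normalized name, or state that the normalizer maps one onto the other and what happens when both are present with different values; otherwise two consumers can make different authorization decisions from the same token. The list also moves from optional claims ("may include") to required ones without giving types (for example whether `groups` and `roles` are arrays of strings) or the required behaviour when a claim is missing. Say that applications and flex-auth must reject such a token, and list the allowed values for `principal_type` and `assurance` or link to where v0.2 defines them.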
@@ -786,9 +794,11 @@ Canonical fixtures conform if they pass canonical model and LDAP schema validati
The following implementation artifacts should be created next:
### 21.1 NetKingdom IAM Profile v0.1
### 21.1 NetKingdom IAM Profile
A more formal profile document with endpoint-by-endpoint detail.
A formal canonical profile document now exists in net-kingdom as
`canon/standards/iam-profile_v0.2.md`, with endpoint-by-endpoint detail,
tenant/principal/assurance claims, and executable conformance checks.
### 21.2 Canonical identity model schema
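Review bot: Item 21.1 still sits under "The following implementation artifacts should be created next:", but the new text says the profile document "now exists", so the entry no longer describes work to be done. Either remove it from this list or reword it as the remaining task, such as aligning KeyCape with v0.2 and passing the conformance checks. The path is also written differently from section 8: here it is `canon/standards/iam-profile_v0.2.md` "in net-kingdom", there it is `net-kingdom/canon/standards/iam-profile_v0.2.md`. Use one form in both places, and name the conformance suite location here as section 8 does.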