tegwick
393abf3e0e
19 KiB
KeyCape
Prepare for KeyCloak without KeyCloak
Keycape Specification v0.1
Status: Draft Project: NetKingdom Component: Keycape Purpose: Lightweight IAM profile implementation for small and early production environments, with explicit replaceability by Keycloak in larger or federated environments.
1. Purpose
Keycape is a profile-constrained IAM implementation for NetKingdom.
It provides the externally visible IAM contract used by NetKingdom applications in lightweight environments, while being intentionally replaceable by Keycloak in larger environments.
Keycape is not a full IAM platform and not a full Keycloak clone.
Its role is to:
- implement the NetKingdom IAM Profile
- provide a slim production-capable setup for small environments
- enforce interface discipline from the beginning
- expose telemetry on demanded functionality
- support automated replacement tests to prove migration to Keycloak
2. Design Intent
The architecture shall support two valid production modes:
2.1 Lightweight mode
Uses lightweight components for lean production and development.
Typical implementation:
- Keycape as the externally visible profile implementation
- Authelia as lightweight OIDC-capable backend where useful
- LLDAP as lightweight directory backend where useful
- privacyIDEA as MFA authority
2.2 Expanded mode
Uses more feature-rich components for scale, federation, and enterprise IAM breadth.
Typical implementation:
- Keycloak as the externally visible IAM implementation
- full LDAP directory as identity backend where needed
- privacyIDEA as MFA authority
The critical idea is:
Applications integrate against the NetKingdom IAM Profile, not against incidental behavior of Keycape, Authelia, LLDAP, or Keycloak.
3. Core Architectural Principle
Keycape shall be a contract implementation, not a platform clone.
That means:
- Keycape replicates only the relevant external interfaces
- Keycape may fulfill functionality by orchestrating underlying components
- unsupported functions must fail clearly and predictably
- profile violations must be observable through telemetry
- Keycape must remain small enough to be maintainable
4. Scope
4.1 In scope
Keycape is responsible for:
- implementing the NetKingdom IAM Profile
- exposing the external IAM endpoints required by profile-conformant clients
- normalizing identity and claims behavior across lightweight mode
- providing structured errors for unsupported functionality
- generating telemetry on requested functionality and profile drift
- supporting migration and replacement testing to Keycloak
- participating in automated data migration workflows
4.2 Out of scope
Keycape shall not attempt to provide broad parity with Keycloak in areas such as:
- identity brokering to arbitrary upstream IdPs
- general SAML platform parity
- Keycloak SPI/plugin parity
- Keycloak admin console parity
- Keycloak authorization services parity
- generic realm import/export parity
- broad compatibility with arbitrary Keycloak-specific admin APIs
- full LDAP server behavior
- enterprise IAM feature breadth beyond the defined profile
5. Terminology
5.1 NetKingdom IAM Profile
The explicit, versioned contract supported by both Keycape and Keycloak-mode deployments.
5.2 Profile implementation
A concrete runtime that implements the profile, such as Keycape or Keycloak.
5.3 Lightweight mode
Deployment mode using slim components and limited scope.
5.4 Expanded mode
Deployment mode using Keycloak and fuller directory/federation infrastructure.
5.5 Canonical identity model
A product-neutral representation of users, groups, roles, clients, and related metadata used for validation, provisioning, migration, and tests.
5.6 Canonical LDAP schema
A restricted LDAP-oriented schema profile derived from the canonical identity model and validated before provisioning or migration.
6. Functional Positioning of Components
6.1 Keycape
External contract implementation in lightweight mode.
Responsibilities:
- profile endpoints
- protocol normalization
- claim normalization
- config translation to underlying components
- unsupported-feature handling
- telemetry
6.2 Authelia
Optional lightweight backend for OIDC/session/auth flows.
Responsibilities may include:
- login/session handling
- token issuance
- client handling within supported subset
Authelia remains an internal implementation detail from the application point of view.
6.3 LLDAP
Optional lightweight LDAP-compatible identity backend.
Responsibilities may include:
- user storage
- group membership storage
- dev/bootstrap directory service
- lean production directory for small environments
LLDAP is not part of the application-facing contract.
6.4 privacyIDEA
Stable MFA and token-policy authority across both modes.
Responsibilities:
- MFA enforcement and policy
- token management where applicable
- stable security concept across migration paths
6.5 Keycloak
Replacement implementation for expanded mode.
Responsibilities:
- implement the same profile for applications
- provide wider IAM capability when needed
- optionally federate with larger directories
7. Keycape Objectives
Keycape shall satisfy the following objectives:
7.1 Contract stability
Applications should see a stable IAM surface.
7.2 Minimalism
Only the defined profile shall be implemented.
7.3 Replaceability
Replacement by Keycloak shall be continuously testable.
7.4 Observability
Demand for unsupported or non-profile functionality shall be measurable.
7.5 Migration readiness
Data and configuration required for replacement shall be exportable, transformable, and validated.
7.6 Production validity
The lightweight stack shall be considered valid production infrastructure where the required feature set stays within the profile.
8. NetKingdom IAM Profile
This section defines the initial minimum profile supported by the KeyCape v0.1
specification. The canonical NetKingdom profile has since moved to
net-kingdom/canon/standards/iam-profile_v0.2.md; KeyCape conformance should
be measured against that profile and the executable suite in
net-kingdom/tools/iam-profile-conformance/.
8.1 Supported authentication model
The initial profile shall support:
- OpenID Connect Authorization Code Flow
- PKCE
- confidential clients
- public clients only if explicitly allowed in a later profile revision
- fixed redirect URIs
- a small, stable claim set
- stable issuer behavior
- JWKS exposure
- discovery metadata
8.2 Supported endpoints
The initial profile shall define support for:
- discovery endpoint
- authorization endpoint
- token endpoint
- JWKS endpoint
- userinfo endpoint if required by supported clients
- logout endpoint only if its semantics are clearly defined in the profile
Optional endpoints such as introspection and revocation shall only be supported if there is a concrete application need.
8.3 Supported scopes
Initial mandatory scopes:
openid
Optional initial scopes, if required:
profileemailgroups
Custom scopes shall be explicitly versioned as part of the profile.
8.4 Supported claims
Initial standard claims may include:
subissaudexpiatpreferred_usernameemailif presentnameif present
NetKingdom profile v0.2 requires these normalized claims before applications or flex-auth consume a token:
tenantprincipal_typegroupsrolesscopeorscpassurance
Claim names, types, and semantics must be fixed by the profile and validated in tests.
8.5 Supported client model
Clients shall be defined in a constrained way:
- immutable client identifier
- known redirect URIs
- known scopes
- known grant types within the profile
- predictable claim mapping behavior
- minimal client-secret handling rules
- no dynamic client registration in v0.1
8.6 MFA interaction
MFA behavior shall be treated as part of the authentication policy, not as ad hoc application logic.
The profile shall define:
- when MFA is required
- whether MFA state influences token claims
- whether step-up behavior is supported
- which user/account states are considered valid for issuance
The exact MFA mechanics may be delegated to privacyIDEA.
9. Unsupported Functionality Policy
Any request beyond the profile shall be handled explicitly.
9.1 Required behavior
Keycape shall never silently emulate unsupported features in an undefined way.
9.2 Error taxonomy
The following error classes shall exist:
feature_not_supported_by_profile
The requested capability is outside the NetKingdom IAM Profile.
available_in_keycloak_mode_only
The capability may exist in expanded mode but is intentionally absent in lightweight mode.
rejected_for_profile_safety
The request is rejected because supporting it would weaken the profile’s guarantees or security discipline.
invalid_profile_usage
The client uses a supported endpoint or feature incorrectly.
9.3 Error response requirements
Errors shall be:
- machine-readable
- human-readable
- loggable
- distinguishable by category
- stable enough for automated tests
10. Canonical Identity Model
Keycape development shall use a canonical identity model independent of product-specific storage schemas.
10.1 Purpose
The canonical identity model is the source of truth for:
- test fixtures
- provisioning
- migration
- validation
- replacement testing
10.2 Core entities
At minimum:
- User
- Group
- Membership
- Client
- Role
- ClientScopeAssignment
- MFAEnrollmentReference
- DirectoryAttributes
- ProfileVersion
10.3 Canonical user fields
Minimum user fields:
- stable internal identifier
- username
- display name
- enabled/disabled state
- group memberships
- optional role memberships
- optional MFA linkage reference
- LDAP-oriented attributes required by the canonical LDAP schema
10.4 Canonical client fields
Minimum client fields:
- client ID
- display label
- allowed redirect URIs
- allowed scopes
- client type
- secret reference if applicable
- token/claim profile
- environment applicability
11. Canonical LDAP Schema
The canonical LDAP schema is the restricted LDAP expression of the canonical identity model.
It exists to ensure portability between:
- LLDAP
- larger LDAP implementations
- Keycloak federation targets where relevant
11.1 Goals
- keep LDAP usage intentionally small and portable
- prevent schema drift
- validate data before provisioning/migration
- ensure only approved attributes and structures are used
11.2 Validator requirement
A canonical LDAP schema validator is mandatory.
It shall validate:
- object class usage
- required and optional attributes
- DN placement rules
- naming rules
- group membership representation
- forbidden attributes or structures
- cross-entry consistency
- profile version compatibility
11.3 Validator modes
The validator should support:
- fixture validation
- pre-provision validation
- pre-migration validation
- post-migration verification
- drift detection in CI
12. Keycape Runtime Responsibilities
In lightweight mode Keycape shall be responsible for:
12.1 Profile endpoint exposure
Expose the agreed external endpoints.
12.2 Backend translation
Translate profile concepts into underlying Authelia/LLDAP/privacyIDEA configuration and behavior.
12.3 Claim normalization
Ensure tokens and userinfo behave according to profile definitions, regardless of backend quirks.
12.4 Unsupported-feature enforcement
Block non-profile usage with structured errors.
12.5 Telemetry
Emit data on requested behavior and unsupported demand.
12.6 Configuration export support
Produce the information needed for migration to expanded mode.
13. Telemetry Specification
Telemetry is a first-class feature of Keycape.
13.1 Purpose
Telemetry shall answer questions such as:
- which profile features are actually used
- which unsupported features are demanded
- which applications are creating pressure for expanded-mode features
- whether the current profile remains sufficient
13.2 Minimum telemetry events
Keycape shall emit events for:
- successful authentication flow start
- successful token issuance
- unsuccessful authentication attempt
- unsupported endpoint usage
- unsupported grant/scopes/claims usage
- invalid redirect or client usage
- logout attempts
- admin/config-related unsupported requests
- migration/export operations
13.3 Minimum telemetry fields
Each event should capture:
- timestamp
- environment
- deployment mode
- client ID
- endpoint
- feature category
- result status
- error class if applicable
- requested scopes
- requested grant type
- correlation ID / trace ID
13.4 Telemetry outputs
Telemetry should be usable for:
- logs
- metrics
- dashboards
- CI analysis
- migration planning
14. Migration Model
Replacement by Keycloak shall be an explicit, tested capability.
14.1 Migration dimensions
Migration has at least two independent dimensions:
A. IAM implementation migration
Keycape/lightweight implementation → Keycloak
B. Directory migration
LLDAP → full LDAP implementation
14.2 Migration principles
- migration shall be reproducible
- migration shall be test-driven
- migration shall use canonical data as the source of truth
- migration success shall be determined by application-facing contract tests
- migration shall include data validation before and after transfer
14.3 Supported migration paths
Initial required paths:
Path 1
LLDAP + Keycape stack → Keycloak with same directory data semantics
Path 2
LLDAP → full LDAP, then Keycloak federating with full LDAP
Path 3
Lightweight stack → expanded stack with privacyIDEA remaining stable
14.4 Migration outputs
Migration tooling should generate:
- transformed directory data
- client definitions
- profile conformance reports
- validation results
- contract test results
- incompatibility reports
15. Replacement Test Strategy
Automated replacement testing is mandatory.
15.1 Goal
Prove that applications relying only on the profile behave acceptably after replacement.
15.2 Required test scenarios
Scenario A: Lightweight baseline
Provision canonical fixtures into lightweight mode and run all profile integration tests.
Scenario B: IAM replacement
Replace Keycape-based implementation with Keycloak and rerun the same app-facing tests.
Scenario C: Full expansion
Migrate LLDAP data into full LDAP, connect Keycloak, and rerun tests.
Scenario D: Negative profile tests
Attempt to use unsupported functionality and verify correct error behavior and telemetry.
15.3 Test categories
Required categories:
- discovery tests
- login flow tests
- token claim tests
- redirect validation tests
- client configuration tests
- logout tests if supported
- MFA policy tests
- migration data integrity tests
- canonical LDAP schema validation tests
- telemetry assertion tests
15.4 Acceptance rule
A migration path is acceptable only if:
- profile-conformant apps keep working
- required claims remain stable
- unsupported cases fail in expected ways
- canonical identity data remains valid
- telemetry remains available where expected
16. Security Requirements
16.1 General
Keycape shall prioritize narrowness and correctness over feature breadth.
16.2 Mandatory controls
- strict redirect URI validation
- strict issuer consistency
- strict client identity validation
- no handwritten cryptography
- no handwritten password hashing implementation
- use of established protocol and crypto libraries
- minimal and explicit scope handling
- explicit token lifetime policy
- auditability of authentication decisions
16.3 Safety through profile discipline
Feature restriction is a security control.
Any expansion of the profile must be reviewed for:
- protocol complexity increase
- migration complexity increase
- test burden increase
- security surface increase
17. Configuration Principles
Keycape configuration shall be declarative.
17.1 Configuration sources
Configuration may include:
- profile definition version
- client definitions
- backend connection settings
- LDAP schema rules
- privacyIDEA integration settings
- telemetry destinations
- environment-specific overrides
17.2 Configuration constraints
Configuration should be:
- version-controlled
- environment-promotable
- statically validated where possible
- linked to profile version
- convertible into migration/export artifacts
18. Operational Modes
18.1 Dev mode
Optimized for rapid local iteration and deterministic tests.
May use:
- local LLDAP
- local Authelia
- simplified privacyIDEA integration stubs or real integration depending on environment policy
18.2 Slim production mode
A real production mode for environments whose needs fit inside the profile.
May use:
- LLDAP
- Authelia
- privacyIDEA
- Keycape
18.3 Expanded production mode
Used when federation, admin breadth, or IAM complexity exceeds the profile’s lightweight implementation strategy.
May use:
- Keycloak
- full LDAP
- privacyIDEA
19. Non-Goals
Keycape shall not pursue these goals in v0.1:
- broad Keycloak API parity
- general-purpose enterprise IAM platform status
- support for arbitrary legacy LDAP consumers through Keycloak
- plugin ecosystem parity
- realm-level multi-tenancy complexity beyond explicit profile need
- bespoke app-specific exceptions outside the profile
20. Conformance
20.1 Keycape conformance
Keycape conforms if it:
- implements the required profile endpoints and behaviors
- produces correct claims and errors
- passes all lightweight profile tests
- emits required telemetry
- supports migration/export flows required by the specification
20.2 Expanded-mode conformance
A Keycloak-based deployment conforms if it:
- passes the same application-facing profile tests
- honors the same claim model and client behavior
- supports defined migration scenarios
20.3 Fixture conformance
Canonical fixtures conform if they pass canonical model and LDAP schema validation.
21. Initial Deliverables Derived from This Specification
The following implementation artifacts should be created next:
21.1 NetKingdom IAM Profile
A formal canonical profile document now exists in net-kingdom as
canon/standards/iam-profile_v0.2.md, with endpoint-by-endpoint detail,
tenant/principal/assurance claims, and executable conformance checks.
21.2 Canonical identity model schema
Machine-readable schema for canonical fixtures.
21.3 Canonical LDAP schema and validator spec
Formal validator rules and error codes.
21.4 Keycape component design
Internal architecture, adapters, translation logic, and runtime behavior.
21.5 Replacement test matrix
End-to-end scenarios and expected outcomes.
21.6 Migration design
LLDAP → full LDAP and lightweight IAM → Keycloak data/config mapping.
xxx