generated from coulomb/repo-seed
feat(local-identity): Stage 3 — minimal native OIDC provider (NK-WP-0002-T03)
Add local-identity serve command: a minimal Authorization Code flow OIDC server backed by file-store users. Implemented natively with no heavy OIDC library — only stdlib http.server and the cryptography package.

New modules:
- keys.py: RSA-2048 signing key generation + JWKS helpers
- tls.py: self-signed TLS certificate (localhost/127.0.0.1 SANs)
- jwt_utils.py: RS256 JWT creation and verification
- serve.py: OIDCHandler + make_handler() factory + run_server()

Endpoints: /.well-known/openid-configuration, /jwks, /auth, /token, /userinfo.

Server binds to 127.0.0.1 only; tokens carry iss: local-identity which production Keycloak rejects by design.

104 tests passing (16 new for Stage 3).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
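The commit message above names three things a relying party depends on: RS256 signing (jwt_utils.py), a published JWKS (keys.py), and an issuer value, iss: local-identity, that a production Keycloak deployment rejects. The block below is an added example, not the project's code, showing end to end why that rejection happens: a pure-Python RS256 issuer publishes a JWK, and a verifier pins the algorithm, selects the key by kid, checks the signature and only then compares iss against what it was configured to trust. The Keycloak issuer URL https://keycloak.example/realms/dev, the key id local-1 and the user alice are constructed for the demo; the project uses the cryptography package, whereas this stand-in implements PKCS#1 v1.5 RSA directly and exists to make the padding and the check order visible, not to be deployed.

```python
# Added example, not the project's code: pure-Python RS256 JWT issuance plus relying-party verification
# against a JWKS, a stand-in for what the commit message says keys.py and jwt_utils.py do with the
# `cryptography` package. The textbook PKCS#1 v1.5 RSA below is for illustration only.
import base64, hashlib, hmac, json, secrets

SMALL_PRIMES = [p for p in range(3, 2000, 2) if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 sec. 9.2, note 1

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """For a large odd candidate: trial division by small primes, then Miller-Rabin with random bases."""
    if any(n % p == 0 for p in SMALL_PRIMES):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        for _ in range(r):
            y = pow(x, 2, n)
            if y == 1 and x not in (1, n - 1):
                return False  # nontrivial square root of 1: composite
            x = y
        if y != 1:
            return False  # fails the Fermat condition: composite
    return True

def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
        if is_probable_prime(candidate):
            return candidate

def generate_rsa_key(bits: int = 2048, e: int = 65537) -> dict:
    """Private key as ints; 2048 bits is the size the commit message names for keys.py."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        n = p * q
        if p != q and (p - 1) % e and (q - 1) % e and n.bit_length() == bits:
            return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    # EMSA-PKCS1-v1_5 encoding of SHA-256(message) to k bytes: 00 01 FF..FF 00 DigestInfo
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(message: bytes, key: dict) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(message, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(message: bytes, signature: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    # Recompute the full encoding and compare it whole; parsing the padding is where lenient verifiers fail.
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), emsa_pkcs1_v15(message, k))

def jwk_for(key: dict, kid: str) -> dict:
    enc = lambda v: b64url(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": enc(key["n"]), "e": enc(key["e"])}

def make_jwt(claims: dict, key: dict, kid: str) -> str:
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url(rs256_sign(f'{header}.{payload}'.encode(), key))}"

def require(ok: bool, reason: str) -> None:
    if not ok:
        raise ValueError(reason)

def verify_jwt(token: str, jwks: dict, expected_iss: str, now: float) -> dict:
    """Relying-party validation: pin alg, select the key by kid, check the signature, then iss and exp."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    require(header.get("alg") == "RS256", "unexpected alg")  # refuses alg=none and HS256 key confusion
    keys = [j for j in jwks["keys"] if j.get("kid") == header.get("kid") and j.get("kty") == "RSA"]
    require(len(keys) == 1, "unknown kid")
    n, e = (int.from_bytes(b64url_decode(keys[0][f]), "big") for f in ("n", "e"))
    require(rs256_verify(f"{h}.{p}".encode(), b64url_decode(s), n, e), "bad signature")
    claims = json.loads(b64url_decode(p))
    require(claims.get("iss") == expected_iss, "untrusted issuer")  # a Keycloak-pinned consumer stops here
    require(isinstance(claims.get("exp"), int) and claims["exp"] > now, "expired")
    return claims

def demo(now: float) -> dict:
    """Issue a token with iss 'local-identity'; verify it as the local dev app, as a consumer pinned to a
    hypothetical Keycloak issuer URL, and against two classic forgeries (rewritten payload, alg=none)."""
    key = generate_rsa_key()
    jwks = {"keys": [jwk_for(key, "local-1")]}  # what /jwks would publish
    claims = {"iss": "local-identity", "sub": "alice", "iat": int(now), "exp": int(now) + 300}
    h, p, s = make_jwt(claims, key, "local-1").split(".")
    cases = {"local": (f"{h}.{p}.{s}", "local-identity"),
             "keycloak": (f"{h}.{p}.{s}", "https://keycloak.example/realms/dev"),
             "forged_sub": (f"{h}.{b64url(json.dumps(dict(claims, sub='root')).encode())}.{s}", "local-identity"),
             "alg_none": (f"{b64url(json.dumps({'alg': 'none', 'kid': 'local-1'}).encode())}.{p}.", "local-identity")}
    outcomes = {}
    for name, (token, issuer) in cases.items():
        try:
            outcomes[name] = "ok:" + verify_jwt(token, jwks, issuer, now)["sub"]
        except ValueError as exc:
            outcomes[name] = str(exc)
    return outcomes
```

Calling demo(now) with the current Unix time returns one outcome per case: the locally issued token validates for the local consumer, the same token is refused as an untrusted issuer by the Keycloak-pinned consumer, a payload rewritten after signing fails the signature check, and an unsigned alg=none token is refused before any key is consulted. The order of checks in verify_jwt is deliberate: algorithm and key selection come first so that no claim is trusted until the signature is known good, and the issuer comparison is an exact string match against configuration rather than anything derived from the token.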
@@ -144,8 +144,9 @@ Keycloak dev instance.
```task
id: NK-WP-0002-T03
state_hub_task_id: eb09d287-8e08-4c88-8bd1-6f0501ef5fc8
status: todo
status: done
priority: medium
commit: (pending)
```
Implement `local-identity serve` — a minimal OIDC Authorization Code flow
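Review bot: the `status:` line flips from `todo` to `done`, but the `commit: (pending)` line in the same ```task block is left untouched, so the block now records a completed task with no commit reference and contradicts itself. Fill in the commit hash in place of `(pending)` in the same change (or drop the placeholder field), so that `status`, `commit` and the `state_hub_task_id` record agree on whether the task is closed.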
@@ -225,7 +226,7 @@ expiry and revocation functional.
- [x] `~/.local-identity/` store initialised from Linux identity; test users generated
- [x] `local-identity list / show / export` working; Keycloak export validated
- [ ] Minimal OIDC server passes conformance smoke test; binds localhost only
- [x] Minimal OIDC server passes conformance smoke test; binds localhost only
- [ ] Filesystem permissions enforced on startup; `security-check` passes
- [ ] Audit log recording all auth events
- [ ] `docs/LocalIdentity.md` complete with import procedure and security model
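Review bot: ticking `Minimal OIDC server passes conformance smoke test; binds localhost only` while `Filesystem permissions enforced on startup; security-check passes` and `Audit log recording all auth events` stay open means `local-identity serve` now issues tokens for users read from the `~/.local-identity/` store (first ticked item) with neither a startup permissions check nor an audit trail of auth events. Either reorder the list so the permissions item precedes the server, or state here that `serve` refuses to start on an over-permissive store until that item lands. The ticked item also claims a conformance smoke test, whereas the commit message cites only 16 new tests; name or link the smoke test so the box is verifiable.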