Close IAM Profile integration gate

This commit is contained in:
2026-06-28 00:20:05 +02:00
parent 7d823bd12f
commit 4158f05cff
4 changed files with 42 additions and 14 deletions

View File

@@ -91,7 +91,7 @@ Cross-reference: net-kingdom NK-WP-0002.
```task
id: CUST-WP-0025-T03
status: todo
status: done
priority: medium
state_hub_task_id: "e9894ac9-add3-45a6-9893-ea67c6e5e260"
```
@@ -104,7 +104,17 @@ Write a minimal test service + integration test that:
This test becomes the template for hub-core auth middleware.
2026-06-27 sequencing update: this remains the real open identity gate, but it should target the current NetKingdom IAM Profile v0.2 contract and either local-identity or KeyCape lightweight issuer, not the archived `NK-WP-0001` Keycloak path.
2026-06-27 sequencing update: this was kept as the real identity gate, targeted at the current NetKingdom IAM Profile v0.2 contract and either local-identity or KeyCape lightweight issuer, not the archived `NK-WP-0001` Keycloak path.
Completed 2026-06-27: Core Hub now has a reusable FastAPI IAM Profile verifier
and dependency in `/home/worsch/core-hub/src/core_hub/iam_profile.py`.
`tests/test_iam_profile.py` proves a fixture IAM Profile issuer can expose OIDC
discovery/JWKS, issue an authorization-code + PKCE token, call a protected
FastAPI endpoint, and validate issuer, audience, expiry, roles, groups, scopes,
tenant, principal type, and assurance claims. Negative tests reject missing
bearer tokens, wrong audience, and production use of local-development issuers.
This closes the identity integration template without requiring NetKingdom repo
changes or production secrets.
### T04 — Canon standard: IAM Profile specification