Reference IAM Profile v0.2
parent f45784f951
commit 393abf3e0e
2 changed files with 30 additions and 15 deletions
README.md
@ -3,9 +3,11 @@
*Prepare for Keycloak without Keycloak*
KeyCape is the lightweight IAM component of [NetKingdom](../net-kingdom/). It
implements the **NetKingdom IAM Profile** — a versioned OIDC/PKCE contract —
by orchestrating Authelia, LLDAP, and privacyIDEA. The same profile is
implemented by Keycloak in expanded-mode deployments.
implements lightweight mode for the **NetKingdom IAM Profile** — a versioned
OIDC/PKCE contract whose canonical core is now
`../net-kingdom/canon/standards/iam-profile_v0.2.md` — by orchestrating
Authelia, LLDAP, and privacyIDEA. The same profile is implemented by Keycloak
in expanded-mode deployments.
Applications integrate against the profile, not against Keycape internals. This
makes the lightweight → expanded migration a tested, automated operation rather
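Review bot: the new canonical reference `../net-kingdom/canon/standards/iam-profile_v0.2.md` is a filesystem-relative path into a sibling repository, so it only resolves when `net-kingdom` is checked out next to this repo and will render as a dead link in the hosted README; state that checkout layout once, or link to the repository itself, so a reader knows where the contract actually lives. Minor: the unchanged context line spells the project `Keycape` while the rest of this section uses `KeyCape`.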
@ -20,7 +22,7 @@ than a rewrite.
```
Application
│ (NetKingdom IAM Profile)
│ (NetKingdom IAM Profile v0.2)
▼
KeyCape ←── profile enforcement, claim normalization, telemetry
/ | \
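Review bot: pinning `v0.2` inside the ASCII diagram creates a third place that must move in lockstep with the profile version (the canonical path in the intro and the "Profile v0.2 also requires" sentence in the enforcement section are the other two); either drop the version from the diagram and let the intro's canonical path carry it, or add a one-line note that all three are bumped together on a profile revision.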
@ -28,7 +30,8 @@ Auth LLDAP privacyIDEA
elia
```
**Expanded mode:** Replace KeyCape with Keycloak. Same profile, same tests pass.
**Expanded mode:** Replace KeyCape with Keycloak. Same profile contract, same
conformance suite in `../net-kingdom/tools/iam-profile-conformance/`.
## Quick Start
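Review bot: the rewrite drops the statement that the "same tests pass" for Keycloak in expanded mode and replaces it with a bare directory path, `../net-kingdom/tools/iam-profile-conformance/`; if Keycloak is actually run through that suite, keep that claim and show the invocation (or link to the suite's own README), because a path alone does not tell a reader how to verify the "same profile contract" guarantee before committing to the migration.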
@ -105,8 +108,10 @@ KeyCape enforces the NetKingdom IAM Profile. Violations return structured errors
| `rejected_for_profile_safety` | Would weaken security guarantees |
| `invalid_profile_usage` | Supported feature used incorrectly |
Enforced boundaries: no implicit flow, no wildcard redirect URIs, no dynamic client
registration, no identity brokering, PKCE S256 required.
Enforced boundaries: no implicit flow, no wildcard redirect URIs, no dynamic
client registration, no identity brokering, PKCE S256 required. Profile v0.2
also requires normalized tenant, principal type, groups, roles, scopes, and
assurance evidence in tokens consumed by applications and flex-auth.
## Migration Tools
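Review bot: the added sentence lists what v0.2 requires in tokens (normalized tenant, principal type, groups, roles, scopes, assurance evidence) but not how a violation surfaces; the error table directly above defines `rejected_for_profile_safety` and `invalid_profile_usage`, so state which of those a token missing one of the required normalized claims maps to, and point at the section of `iam-profile_v0.2.md` that names the claims so application and flex-auth integrators can check the exact keys rather than guess them.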