Reference IAM Profile v0.2

This commit is contained in:
tegwick 2026-05-22 14:35:29 +02:00
parent f45784f951
commit 393abf3e0e
2 changed files with 30 additions and 15 deletions


@ -3,9 +3,11 @@
*Prepare for Keycloak without Keycloak*
KeyCape is the lightweight IAM component of [NetKingdom](../net-kingdom/). It
implements the **NetKingdom IAM Profile** — a versioned OIDC/PKCE contract —
by orchestrating Authelia, LLDAP, and privacyIDEA. The same profile is
implemented by Keycloak in expanded-mode deployments.
implements lightweight mode for the **NetKingdom IAM Profile** — a versioned
OIDC/PKCE contract whose canonical core is now
`../net-kingdom/canon/standards/iam-profile_v0.2.md` — by orchestrating
Authelia, LLDAP, and privacyIDEA. The same profile is implemented by Keycloak
in expanded-mode deployments.
Applications integrate against the profile, not against Keycape internals. This
makes the lightweight → expanded migration a tested, automated operation rather
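Review bot: the new reference to the canonical profile, `../net-kingdom/canon/standards/iam-profile_v0.2.md`, is a bare code span while the same paragraph links `[NetKingdom](../net-kingdom/)` as a markdown link; make it a link too so readers can follow it, and check that the relative path resolves from wherever this README is rendered (it assumes `net-kingdom` is checked out as a sibling directory). Two wording nits in the added lines: "implements lightweight mode for the **NetKingdom IAM Profile**" reads better as "implements the lightweight mode of the **NetKingdom IAM Profile**", and "whose canonical core is now" dates the README, since the version in the filename already carries that information. The unchanged context line still spells the project "Keycape" where the rest of the paragraph uses "KeyCape".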
@ -20,7 +22,7 @@ than a rewrite.
```
Application
│ (NetKingdom IAM Profile)
│ (NetKingdom IAM Profile v0.2)
KeyCape ←── profile enforcement, claim normalization, telemetry
/ | \
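Review bot: the version string added to the diagram label, `(NetKingdom IAM Profile v0.2)`, is a second copy of the version that the paragraph above already pins via the `iam-profile_v0.2.md` path, and "Profile v0.2" appears a third time in the enforcement section below; a bump to v0.3 therefore has to touch three places in this one file. Either drop the version from the diagram, since the contract is named by the path, or add a short note near the top that the version is repeated so the next bump does not leave the diagram stale.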
@ -28,7 +30,8 @@ Auth LLDAP privacyIDEA
elia
```
**Expanded mode:** Replace KeyCape with Keycloak. Same profile, same tests pass.
**Expanded mode:** Replace KeyCape with Keycloak. Same profile contract, same
conformance suite in `../net-kingdom/tools/iam-profile-conformance/`.
## Quick Start
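Review bot: the replacement sentence drops the claim the old text made. "Same profile, same tests pass" stated a result; "Same profile contract, same conformance suite in ..." only says where the suite lives. If the intent is that Keycloak in expanded mode must pass the suite, say so, for example "Same profile contract; both modes must pass the conformance suite in `../net-kingdom/tools/iam-profile-conformance/`." Otherwise a reader cannot tell whether expanded mode is verified or merely expected to conform. As in the first hunk, the relative path only resolves when `net-kingdom` is a sibling checkout.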
@ -105,8 +108,10 @@ KeyCape enforces the NetKingdom IAM Profile. Violations return structured errors
| `rejected_for_profile_safety` | Would weaken security guarantees |
| `invalid_profile_usage` | Supported feature used incorrectly |
Enforced boundaries: no implicit flow, no wildcard redirect URIs, no dynamic client
registration, no identity brokering, PKCE S256 required.
Enforced boundaries: no implicit flow, no wildcard redirect URIs, no dynamic
client registration, no identity brokering, PKCE S256 required. Profile v0.2
also requires normalized tenant, principal type, groups, roles, scopes, and
assurance evidence in tokens consumed by applications and flex-auth.
## Migration Tools
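Review bot: the added v0.2 requirement (normalized tenant, principal type, groups, roles, scopes and assurance evidence in tokens) does not say what happens when it is not met, although the section it sits in is about violations returning the structured errors listed in the table above. State whether a missing or unnormalized claim surfaces as `rejected_for_profile_safety` or `invalid_profile_usage`, or whether KeyCape guarantees these claims at issuance so an application never observes a violation; that distinction decides whether downstream apps need a fallback path. `flex-auth` is also introduced here for the first time without a link or definition; a reference alongside the other `../net-kingdom/` paths in this README would help.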