thalos-service/docs/identity/token-policy-and-use-cases.md
José René White Enciso 96c53d9dab feat(thalos-service): add canonical session flows
Why: provide service-side canonical login/refresh orchestration for session-based web auth.

What: add session contracts, refresh token codec with provider-agnostic secret boundary, grpc session methods, DI wiring, tests, and docs.

Rule: preserve thalos identity ownership and keep transport adapters at service edge.
2026-03-08 14:48:35 -06:00

# Token Policy and Use Cases
## Use-Case Boundaries
- `IIssueIdentityTokenUseCase`: orchestrates token issuance behavior.
- `IEvaluateIdentityPolicyUseCase`: orchestrates policy evaluation behavior.
- `IIdentityTokenReadPort`: DAL-facing identity token boundary.
- `IIdentityPolicyContextReadPort`: DAL/integration-facing identity policy context boundary.
## Contract Integration
- Policy orchestration uses Thalos-owned transport-neutral identity contracts.
- gRPC translation boundaries are isolated behind `IIdentityPolicyGrpcContractAdapter`.
- Service contracts remain transport-neutral at the application boundary.
## Policy Baseline
- Token issuance and policy evaluation are orchestrated in service use cases.
- Data retrieval and persistence details remain in thalos-dal and identity adapters.
- Protocol adaptation remains outside use-case logic.
## Session Extension
- `IStartIdentitySessionUseCase`: orchestrates canonical session login/start behavior.
- `IRefreshIdentitySessionUseCase`: orchestrates canonical session refresh behavior.
- Refresh token security is implemented via provider-agnostic `IIdentitySecretMaterialProvider`.
- Runtime gRPC session contract details are documented in `docs/identity/session-runtime-contract.md`.