AgileWebs/thalos-service
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
feature/thalos-service-google-oidc
thalos-service/docs/identity/token-policy-and-use-cases.md
José René White Enciso 96c53d9dab feat(thalos-service): add canonical session flows 
Why: provide service-side canonical login/refresh orchestration for session-based web auth.

What: add session contracts, refresh token codec with provider-agnostic secret boundary, grpc session methods, DI wiring, tests, and docs.

Rule: preserve thalos identity ownership and keep transport adapters at service edge.
2026-03-08 14:48:35 -06:00

1.2 KiB
Raw Permalink Blame History

Token Policy and Use Cases

Use-Case Boundaries

  • IIssueIdentityTokenUseCase: orchestrates token issuance behavior.
  • IEvaluateIdentityPolicyUseCase: orchestrates policy evaluation behavior.
  • IIdentityTokenReadPort: DAL-facing identity token boundary.
  • IIdentityPolicyContextReadPort: DAL/integration-facing identity policy context boundary.

Contract Integration

  • Policy orchestration uses Thalos-owned transport-neutral identity contracts.
  • gRPC translation boundaries are isolated behind IIdentityPolicyGrpcContractAdapter.
  • Service contracts remain transport-neutral at the application boundary.

Policy Baseline

  • Token issuance and policy evaluation are orchestrated in service use cases.
  • Data retrieval and persistence details remain in thalos-dal and identity adapters.
  • Protocol adaptation remains outside use-case logic.

Session Extension

  • IStartIdentitySessionUseCase: orchestrates canonical session login/start behavior.
  • IRefreshIdentitySessionUseCase: orchestrates canonical session refresh behavior.
  • Refresh token security is implemented via provider-agnostic IIdentitySecretMaterialProvider.
  • Runtime gRPC session contract details are documented in docs/identity/session-runtime-contract.md.