Session Runtime Contract

Canonical Internal gRPC Operations

IdentityRuntime now exposes the canonical session operations consumed by thalos-bff:

BFF calls StartIdentitySession with subject/tenant/provider/external token.
For Google, service exchanges and validates external token claims (sub, aud, iss) before issuing session tokens.
Service issues access token through existing token orchestration.
Service generates refresh token through provider-agnostic session token codec.
BFF calls RefreshIdentitySession with refresh token.
Service validates refresh token signature/expiry and reissues session tokens.

Session refresh token signing is bound to IIdentitySecretMaterialProvider.

Contract is provider-neutral.
Runtime binding is configuration-based by default.
Vault/cloud/env adapters can be swapped at DI boundaries without changing use-case code.
OIDC provider material uses the same boundary (no provider SDK coupling in use-case logic).
Missing secrets fail explicitly at runtime; the service no longer falls back to a baked-in signing secret.
AddThalosServiceRuntime() only provides a local in-memory session-signing default when no host configuration is present, so isolated tests and developer runs stay deterministic without changing production behavior.

ThalosIdentity:Secrets:SessionSigning
ThalosIdentity:Secrets:Oidc:Google:ClientId
ThalosIdentity:Secrets:Oidc:Google:Issuer (optional, defaults to https://accounts.google.com)
ThalosIdentity:Secrets:Default (fallback)

Production hosts must provide ThalosIdentity:Secrets:SessionSigning.
Google OIDC validation must provide ThalosIdentity:Secrets:Oidc:Google:ClientId.
The optional Default key is intended for non-sensitive shared local/test values, not as a production substitute for explicit signing material.