AgileWebs/thalos-service
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
85796336c6
thalos-service/docs/identity/session-runtime-contract.md
José René White Enciso dec12f912f feat(thalos-service): add google token exchange orchestration
2026-03-11 04:27:02 -06:00

1.4 KiB
Raw Blame History

Session Runtime Contract

Canonical Internal gRPC Operations

IdentityRuntime now exposes the canonical session operations consumed by thalos-bff:

  • StartIdentitySession
  • RefreshIdentitySession
  • IssueIdentityToken (compatibility)
  • EvaluateIdentityPolicy (policy guardrail)

Session Flow

  1. BFF calls StartIdentitySession with subject/tenant/provider/external token.
  2. For Google, service exchanges and validates external token claims (sub, aud, iss) before issuing session tokens.
  3. Service issues access token through existing token orchestration.
  4. Service generates refresh token through provider-agnostic session token codec.
  5. BFF calls RefreshIdentitySession with refresh token.
  6. Service validates refresh token signature/expiry and reissues session tokens.

Provider-Agnostic Secret Boundary

Session refresh token signing is bound to IIdentitySecretMaterialProvider.

  • Contract is provider-neutral.
  • Runtime binding is configuration-based by default.
  • Vault/cloud/env adapters can be swapped at DI boundaries without changing use-case code.
  • OIDC provider material uses the same boundary (no provider SDK coupling in use-case logic).

Configuration Keys

  • ThalosIdentity:Secrets:SessionSigning
  • ThalosIdentity:Secrets:Oidc:Google:ClientId
  • ThalosIdentity:Secrets:Oidc:Google:Issuer (optional, defaults to https://accounts.google.com)
  • ThalosIdentity:Secrets:Default (fallback)