thalos-service/docs/identity/session-runtime-contract.md
José René White Enciso 96c53d9dab feat(thalos-service): add canonical session flows
Why: provide service-side canonical login/refresh orchestration for session-based web auth.

What: add session contracts, refresh token codec with provider-agnostic secret boundary, grpc session methods, DI wiring, tests, and docs.

Rule: preserve thalos identity ownership and keep transport adapters at service edge.
2026-03-08 14:48:35 -06:00


Session Runtime Contract

Canonical Internal gRPC Operations

IdentityRuntime now exposes the canonical session operations consumed by thalos-bff:

  • StartIdentitySession
  • RefreshIdentitySession
  • IssueIdentityToken (compatibility)
  • EvaluateIdentityPolicy (policy guardrail)

Session Flow

  1. BFF calls StartIdentitySession with subject/tenant/provider/external token.
  2. Service issues access token through existing token orchestration.
  3. Service generates refresh token through provider-agnostic session token codec.
  4. BFF calls RefreshIdentitySession with refresh token.
  5. Service validates refresh token signature/expiry and reissues session tokens.

Provider-Agnostic Secret Boundary

Session refresh token signing is bound to IIdentitySecretMaterialProvider.

  • Contract is provider-neutral.
  • Runtime binding is configuration-based by default.
  • Vault/cloud/env adapters can be swapped at DI boundaries without changing use-case code.

Configuration Keys

  • ThalosIdentity:Secrets:SessionSigning
  • ThalosIdentity:Secrets:Default (fallback)
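One way the session flow's refresh token codec (steps 3 and 5) and the configuration-based secret binding could be realised together, as an added C# example that is not code from thalos-service: the IIdentitySecretMaterialProvider name and the two configuration keys come from this page; the method name GetSessionSigningKey, the class names, the "subject|tenant|expiry" token layout and the base64-encoded secret format are assumptions of the example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Contract name from the page; its single member is an assumption of this example.
public interface IIdentitySecretMaterialProvider { byte[] GetSessionSigningKey(); }
// Configuration-based default binding: SessionSigning key first, Default as fallback.
// The dictionary stands in for IConfiguration so the example runs without extra packages.
public sealed class ConfigurationSecretMaterialProvider : IIdentitySecretMaterialProvider
{
    private readonly IReadOnlyDictionary<string, string> _config;
    public ConfigurationSecretMaterialProvider(IReadOnlyDictionary<string, string> config) => _config = config;
    public byte[] GetSessionSigningKey()
    {
        var secret = _config.GetValueOrDefault("ThalosIdentity:Secrets:SessionSigning")
                  ?? _config.GetValueOrDefault("ThalosIdentity:Secrets:Default")
                  ?? throw new InvalidOperationException("No session signing secret configured.");
        return Convert.FromBase64String(secret);
    }
}

// Refresh token codec: "subject|tenant|expiryUnix" signed with HMAC-SHA256 keyed by the provider.
// Swapping the provider (vault, cloud, env) needs no change here, which is the boundary the page describes.
public sealed class SessionRefreshTokenCodec
{
    private readonly IIdentitySecretMaterialProvider _secrets;
    public SessionRefreshTokenCodec(IIdentitySecretMaterialProvider secrets) => _secrets = secrets;
    public string Encode(string subject, string tenant, DateTimeOffset expires)
    {
        var payload = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{subject}|{tenant}|{expires.ToUnixTimeSeconds()}"));
        return payload + "." + Convert.ToBase64String(Sign(payload));
    }
    // Step 5 of the flow: verify the signature in constant time before trusting any field, then check expiry.
    public bool TryDecode(string token, DateTimeOffset now, out string subject, out string tenant)
    {
        subject = tenant = string.Empty;
        var parts = token.Split('.');
        if (parts.Length != 2) return false;
        byte[] sig;
        try { sig = Convert.FromBase64String(parts[1]); } catch (FormatException) { return false; }
        if (!CryptographicOperations.FixedTimeEquals(Sign(parts[0]), sig)) return false;
        var fields = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0])).Split('|');
        if (fields.Length != 3 || !long.TryParse(fields[2], out var exp)) return false;
        if (DateTimeOffset.FromUnixTimeSeconds(exp) <= now) return false;
        (subject, tenant) = (fields[0], fields[1]);
        return true;
    }
    private byte[] Sign(string data) => HMACSHA256.HashData(_secrets.GetSessionSigningKey(), Encoding.UTF8.GetBytes(data));
}
```

Register ConfigurationSecretMaterialProvider as the IIdentitySecretMaterialProvider in the DI container and the codec receives it by constructor injection; a vault-backed provider replaces it at that one registration.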