96c53d9dab
Why: provide service-side canonical login/refresh orchestration for session-based web auth. What: add session contracts, refresh token codec with provider-agnostic secret boundary, grpc session methods, DI wiring, tests, and docs. Rule: preserve thalos identity ownership and keep transport adapters at service edge.
32 lines
1.1 KiB
Markdown
32 lines
1.1 KiB
Markdown
# Session Runtime Contract
|
|
|
|
## Canonical Internal gRPC Operations
|
|
|
|
`IdentityRuntime` now exposes the canonical session operations consumed by `thalos-bff`:
|
|
|
|
- `StartIdentitySession`
|
|
- `RefreshIdentitySession`
|
|
- `IssueIdentityToken` (compatibility)
|
|
- `EvaluateIdentityPolicy` (policy guardrail)
|
|
|
|
## Session Flow
|
|
|
|
1. BFF calls `StartIdentitySession` with subject/tenant/provider/external token.
|
|
2. Service issues access token through existing token orchestration.
|
|
3. Service generates refresh token through provider-agnostic session token codec.
|
|
4. BFF calls `RefreshIdentitySession` with refresh token.
|
|
5. Service validates refresh token signature/expiry and reissues session tokens.
|
|
|
|
## Provider-Agnostic Secret Boundary
|
|
|
|
Session refresh token signing is bound to `IIdentitySecretMaterialProvider`.
|
|
|
|
- Contract is provider-neutral.
|
|
- Runtime binding is configuration-based by default.
|
|
- Vault/cloud/env adapters can be swapped at DI boundaries without changing use-case code.
|
|
|
|
## Configuration Keys
|
|
|
|
- `ThalosIdentity:Secrets:SessionSigning`
|
|
- `ThalosIdentity:Secrets:Default` (fallback)
|