thalos-service/docs/identity/session-runtime-contract.md
José René White Enciso 96c53d9dab feat(thalos-service): add canonical session flows
Why: provide service-side canonical login/refresh orchestration for session-based web auth.

What: add session contracts, refresh token codec with provider-agnostic secret boundary, grpc session methods, DI wiring, tests, and docs.

Rule: preserve thalos identity ownership and keep transport adapters at service edge.
2026-03-08 14:48:35 -06:00

# Session Runtime Contract

## Canonical Internal gRPC Operations

`IdentityRuntime` now exposes the canonical session operations consumed by `thalos-bff`:

- `StartIdentitySession`
- `RefreshIdentitySession`
- `IssueIdentityToken` (compatibility)
- `EvaluateIdentityPolicy` (policy guardrail)

## Session Flow

1. BFF calls `StartIdentitySession` with subject/tenant/provider/external token.
2. Service issues access token through existing token orchestration.
3. Service generates refresh token through provider-agnostic session token codec.
4. BFF calls `RefreshIdentitySession` with refresh token.
5. Service validates refresh token signature/expiry and reissues session tokens.

## Provider-Agnostic Secret Boundary

Session refresh token signing is bound to `IIdentitySecretMaterialProvider`.

- Contract is provider-neutral.
- Runtime binding is configuration-based by default.
- Vault/cloud/env adapters can be swapped at DI boundaries without changing use-case code.

## Configuration Keys

- `ThalosIdentity:Secrets:SessionSigning`
- `ThalosIdentity:Secrets:Default` (fallback)
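The following is an added illustration, not code from thalos-service, showing in C# how the three sections above fit together: a refresh token codec that signs and validates tokens (steps 3 and 5 of the session flow), bound only to `IIdentitySecretMaterialProvider`, with a configuration-backed provider that reads `ThalosIdentity:Secrets:SessionSigning` and falls back to `ThalosIdentity:Secrets:Default`. Only the interface name and the two configuration keys come from this document; the method `GetSessionSigningKey`, the classes `ConfigurationSecretMaterialProvider` and `SessionTokenCodec`, the token layout, the namespace, and the assumption that the secret is stored base64-encoded are all choices made for this example.

```csharp
// Added example (not thalos-service code). Assumed: GetSessionSigningKey on the
// interface, the two class names, the token layout, and base64-encoded secrets.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

namespace Thalos.Service.Identity.Example;

// Provider-neutral secret boundary: use-case code sees only this contract.
public interface IIdentitySecretMaterialProvider
{
    byte[] GetSessionSigningKey();
}

// Default, configuration-based binding. A vault or cloud adapter implements the
// same interface and is swapped at the DI registration in Main, nowhere else.
public sealed class ConfigurationSecretMaterialProvider : IIdentitySecretMaterialProvider
{
    private readonly IConfiguration _config;
    public ConfigurationSecretMaterialProvider(IConfiguration config) => _config = config;

    public byte[] GetSessionSigningKey()
    {
        // SessionSigning wins; Default is the documented fallback.
        string? secret = _config["ThalosIdentity:Secrets:SessionSigning"]
                         ?? _config["ThalosIdentity:Secrets:Default"];
        if (string.IsNullOrEmpty(secret))
            throw new InvalidOperationException("No session signing secret configured.");
        return Convert.FromBase64String(secret);
    }
}

// Refresh token = base64url(payload) "." base64url(HMAC-SHA256(payload)).
// The codec never touches configuration; it only asks the provider for key bytes.
public sealed class SessionTokenCodec
{
    private readonly IIdentitySecretMaterialProvider _secrets;
    public SessionTokenCodec(IIdentitySecretMaterialProvider secrets) => _secrets = secrets;

    public string IssueRefreshToken(string subject, string tenant, string provider, DateTimeOffset expiresAt)
    {
        if (subject.Contains('|') || tenant.Contains('|') || provider.Contains('|'))
            throw new ArgumentException("Fields must not contain the payload separator '|'.");
        byte[] payload = Encoding.UTF8.GetBytes($"{subject}|{tenant}|{provider}|{expiresAt.ToUnixTimeSeconds()}");
        byte[] mac = HMACSHA256.HashData(_secrets.GetSessionSigningKey(), payload);
        return Base64Url(payload) + "." + Base64Url(mac);
    }

    // Signature is checked before any field is trusted; expiry is checked against the caller's clock.
    public bool TryValidateRefreshToken(string token, DateTimeOffset now,
        out (string Subject, string Tenant, string Provider) session)
    {
        session = default;
        string[] parts = token.Split('.');
        if (parts.Length != 2) return false;
        byte[] payload, mac;
        try { payload = FromBase64Url(parts[0]); mac = FromBase64Url(parts[1]); }
        catch (FormatException) { return false; }

        byte[] expected = HMACSHA256.HashData(_secrets.GetSessionSigningKey(), payload);
        // Fixed-time comparison so a rejected signature does not leak how many bytes matched.
        if (!CryptographicOperations.FixedTimeEquals(expected, mac)) return false;

        string[] fields = Encoding.UTF8.GetString(payload).Split('|');
        if (fields.Length != 4 || !long.TryParse(fields[3], out long exp)) return false;
        if (DateTimeOffset.FromUnixTimeSeconds(exp) <= now) return false; // expired
        session = (fields[0], fields[1], fields[2]);
        return true;
    }

    private static string Base64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    private static byte[] FromBase64Url(string s)
    {
        string std = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(std.PadRight(std.Length + (4 - std.Length % 4) % 4, '='));
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample configuration: only Default is set, so signing falls back to it.
        IConfiguration config = new ConfigurationBuilder()
            .AddInMemoryCollection(new Dictionary<string, string?>
            {
                ["ThalosIdentity:Secrets:Default"] = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32)),
            })
            .Build();

        // DI boundary: replacing ConfigurationSecretMaterialProvider here is the
        // only change needed to move signing material to a vault or cloud adapter.
        using ServiceProvider services = new ServiceCollection()
            .AddSingleton(config)
            .AddSingleton<IIdentitySecretMaterialProvider, ConfigurationSecretMaterialProvider>()
            .AddSingleton<SessionTokenCodec>()
            .BuildServiceProvider();

        var codec = services.GetRequiredService<SessionTokenCodec>();
        DateTimeOffset now = DateTimeOffset.UtcNow;

        // StartIdentitySession (step 3): issue the refresh token.
        string refresh = codec.IssueRefreshToken("user-123", "tenant-a", "oidc", now.AddDays(7));

        // RefreshIdentitySession (step 5): validate signature and expiry before reissuing.
        Console.WriteLine(codec.TryValidateRefreshToken(refresh, now, out var s) ? $"valid: {s.Subject}" : "rejected");
        Console.WriteLine(codec.TryValidateRefreshToken(refresh + "x", now, out _));      // tampered signature
        Console.WriteLine(codec.TryValidateRefreshToken(refresh, now.AddDays(8), out _)); // past expiry
    }
}
```

The point of the shape is that `SessionTokenCodec` depends on the interface and nothing else, so the vault/cloud/env adapters the contract mentions are a registration change, not a codec change. The signature is verified with a fixed-time comparison before any payload field is parsed, and expiry is evaluated against the clock passed in by the caller so the check is deterministic in tests.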