Add StellaOps Authority planning artifacts and config templates
StellaOps.Authority.TODOS.AuthorityCore.md (56 lines, Normal file)
							| @@ -0,0 +1,56 @@ | ||||
| # StellaOps Authority — Core Service Team | ||||
|  | ||||
| > **Read first:** `AGENTS.md`, `StellaOps.Authority.TODOS.md`, and this plan. Update status in both TODO trackers. | ||||
|  | ||||
| ## Mission | ||||
| Design and implement the Authority host (OpenIddict server, token lifecycles, administrative endpoints) on top of the DevEx scaffold, coordinating with Plugin, Library, and Security teams. | ||||
|  | ||||
| ## Work Breakdown | ||||
|  | ||||
| | Order | Task IDs | Description | Dependencies | Acceptance | | ||||
| |-------|----------|-------------|--------------|------------| | ||||
| | 1 | CORE1 | Wire minimal API host with configuration, logging, plugin discovery, `/health` + `/ready`. | DevEx FND1–FND5 | Manual smoke: `dotnet run` returns healthy responses. | | ||||
| | 2 | CORE2 | Configure OpenIddict server endpoints & flows (password, client credentials, refresh, jwks). | CORE1 | Supports HTTPS enforcement toggle via options. | | ||||
| | 3 | CORE3 | Implement Mongo repositories for users/clients/scopes/tokens/login attempts. | CORE1 | Collections + indices documented; unit tests for CRUD. | | ||||
| | 4 | CORE4 | Integrate plugin contracts (`IIdentityProviderPlugin`, etc.) into DI; load capabilities. | PLG1 | Plugins registered through host on startup. | | ||||
| | 5 | CORE5 | Port/customize OpenIddict handlers (password/client creds validation) to use plugin contracts. | CORE4 | Unit tests for success/failure scenarios. | | ||||
| | 5a | CORE5A | Add integration tests covering token persistence & revocation via `IAuthorityTokenStore`. | CORE5 | Ensure revoked tokens denied + fixtures for access/reference tokens. | | ||||
| | 5b | CORE5B | Document token persistence & enrichment flows for resource servers/plugins. | CORE5 | Docs updated with claim expectations + revocation sync guidance. | | ||||
| | 6 | CORE6 | Implement bootstrap admin endpoints (`/internal/users`, `/internal/clients`) secured via bootstrap API key. | CORE5 | Add rate limiting + audit logs. | | ||||
| | 7 | CORE7 & CORE8 | Add structured logging, OTEL spans, and ASP.NET rate limiting for `/token`, `/authorize`. | CORE5 | Verify via integration tests, metrics exported. | | ||||
| | 8 | CORE9 | Implement token revocation + signed offline revocation manifest generation hooks. | CORE5 | CLI call returns signed JSON; tests confirm revoked tokens denied. | | ||||
| | 9 | CORE10 | Configure signing/encryption key rotation, JWKS publishing, certificate loader. | CORE5 | Document rotation steps; integration test covers key rollover. | | ||||
|  | ||||
| ## Implementation Notes | ||||
| - All Mongo repositories must align with offline-first design (no TTL for critical data unless configurable).   | ||||
| - Expose metrics counters (issued tokens, failed attempts) for DevOps consumption.   | ||||
| - Coordinate with Security Guild for password hashing options (Argon2 vs PBKDF2), lockout thresholds.   | ||||
| - Ensure plugin capability metadata is honored (e.g., if plugin lacks password support, reject password grants gracefully).   | ||||
| - Provide integration hooks for future LDAP plugin (capability flag + TODO comment). | ||||
|  | ||||
| ## Status | ||||
|  | ||||
| - [x] CORE1 – Completed 2025-10-09. Minimal API host loads validated configuration, configures Serilog, registers plugins, and exposes `/health` + `/ready`. | ||||
| - [x] CORE2 – Completed 2025-10-09. OpenIddict server configured with required endpoints, token lifetimes, sliding refresh tokens, and Development-only HTTPS relaxation. | ||||
| - [x] CORE3 – Completed 2025-10-09. Mongo storage project created with indexed Authority collections, repositories, and bootstrap migration runner. | ||||
| - [ ] CORE4 – Not started. | ||||
| - [x] CORE5 – Completed 2025-10-10 with client-credentials validation, token validation handlers, and token persistence wired through plugin contracts. | ||||
| - [ ] CORE5A – Pending integration tests for token persistence/revocation behaviour (QA + BE-Auth pairing). | ||||
| - [ ] CORE5B – Pending documentation refresh covering claims enrichment + token store expectations. | ||||
| - [x] CORE6 – Completed 2025-10-10. Bootstrap admin APIs behind API key provison users and clients through plugin stores. | ||||
| - [ ] CORE7 – Not started. | ||||
| - [ ] CORE8 – Not started. | ||||
| - [ ] CORE9 – Not started. | ||||
| - [ ] CORE10 – Not started. | ||||
|  | ||||
| ## Deliverables | ||||
| - `StellaOps.Authority` project with tested endpoints and handlers.   | ||||
| - Repository docs summarizing API responses (shared with Docs team).   | ||||
| - Integration tests (Authority-only) verifying token issuance + revocation.   | ||||
| - Audit logging implemented (structured with trace IDs). | ||||
|  | ||||
| ## Coordination | ||||
| - Daily stand-up with Plugin + Libraries teams until CORE5 complete (met objective 2025-10-10).   | ||||
| - Notify DevOps when `/token` contract stabilizes (OPS pipeline).   | ||||
| - Work with Docs to capture endpoint behavior for `docs/11_AUTHORITY.md`.   | ||||
| - Review PRs from Plugin & Libraries teams affecting Authority host. | ||||
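Review bot: the Status section contradicts the Work Breakdown's own dependency and acceptance columns. CORE5 is marked completed 2025-10-10 while its listed dependency CORE4 is "Not started", and CORE6 is marked complete although its acceptance criterion is "Add rate limiting + audit logs", both of which remain open under CORE7/CORE8 ("Not started"). Since this file is the team's tracker and the bootstrap admin endpoints (`/internal/users`, `/internal/clients`) are security-sensitive, either record CORE4 as done if the plugin contracts are in fact wired, and keep CORE6 unchecked until rate limiting and audit logging land, or state the deferral explicitly in the status lines so readers do not assume the endpoints are already protected. Minor: "provison" should read "provision" in the CORE6 status line, and the CORE5 status mentions only client-credentials validation while the task description also covers the password grant; note whether password validation is still pending.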