StellaOps.Auth.ServerIntegration
Dependency injection helpers for configuring StellaOps resource server authentication.
Registers JWT bearer authentication and related authorisation helpers using the provided configuration section.
The service collection.
Application configuration.
Optional configuration section path. Defaults to Authority:ResourceServer. Provide null to skip binding.
Optional callback allowing additional mutation of .
Cached configuration manager for StellaOps Authority metadata and JWKS.
Extension methods for configuring StellaOps authorisation policies.
Requires the specified scopes using the StellaOps scope requirement.
Registers a named policy that enforces the provided scopes.
Adds the scope handler to the DI container.
Evaluates whether a request qualifies for network-based bypass.
Provides two extension methods for the .stella-ops.local hostname convention:
- — called on before Build(); binds both https://{serviceName}.stella-ops.local (port 443) and http://{serviceName}.stella-ops.local (port 80).
- — called on after Build(); checks DNS for the friendly hostname and logs the result.
Configuration key used to communicate local-binding status from the builder phase to the app phase.
Configuration key storing the service name for use in the app phase.
Resolves {serviceName}.stella-ops.local to its dedicated loopback IP
(from the hosts file), then binds https://{hostname} (port 443) and
http://{hostname} (port 80) on that IP. Each service uses a unique
loopback address (e.g. 127.1.0.2) so ports never collide.
Backwards-compatible overload — reads the service name from configuration set by .
Registers a startup callback that checks DNS for {serviceName}.stella-ops.local and logs the result. Also warns if the local bindings were skipped.
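The builder-phase binding and app-phase DNS check described above, as an added example in plain ASP.NET Core Kestrel calls (this is not the library's own code). The hosts-file entry, the service name "scanner", the loopback address 127.1.0.2 and the configuration key names are constructed placeholders.

```csharp
// Added example: implements the .stella-ops.local convention with stock Kestrel APIs.
// Assumes a hosts-file line such as "127.1.0.2  scanner.stella-ops.local" (constructed).
using System.Linq;
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);

// Service name normally comes from configuration; "scanner" is a placeholder default.
var serviceName = builder.Configuration["StellaOps:ServiceName"] ?? "scanner";
var hostname = $"{serviceName}.stella-ops.local";

// Builder phase: resolve the friendly hostname to its dedicated loopback IP.
// Only a 127.x.x.x IPv4 answer is accepted, so a stray public DNS record is never bound.
var loopback = Dns.GetHostAddresses(hostname)
    .FirstOrDefault(a => a.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork
                         && IPAddress.IsLoopback(a));

if (loopback is null)
{
    // Record the skip so the app phase can warn about it (key name is an assumption).
    builder.Configuration["StellaOps:LocalBindingSkipped"] = "true";
}
else
{
    // Each service owns its loopback address, so 443/80 never collide across services.
    builder.WebHost.ConfigureKestrel(kestrel =>
    {
        kestrel.Listen(loopback, 443, listen => listen.UseHttps()); // https://{hostname}
        kestrel.Listen(loopback, 80);                               // http://{hostname}
    });
}

var app = builder.Build();

// App phase: re-check DNS at startup and log the outcome, warning if binding was skipped.
app.Lifetime.ApplicationStarted.Register(() =>
{
    var log = app.Logger;
    if (app.Configuration["StellaOps:LocalBindingSkipped"] == "true")
        log.LogWarning("{Host} did not resolve to a loopback IP; local bindings skipped", hostname);
    else
        log.LogInformation("{Host} resolves to {Ip}", hostname, loopback);
});

app.MapGet("/", () => $"Hello from {hostname}");
app.Run();
```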
Options controlling StellaOps resource server authentication.
Gets or sets the Authority (issuer) URL that exposes OpenID discovery.
Optional explicit OpenID Connect metadata address.
Audiences accepted by the resource server (validated against the aud claim).
Scopes enforced by default authorisation policies.
Tenants permitted to access the resource server (empty list disables tenant checks).
Networks permitted to bypass authentication (used for trusted on-host automation).
Whether HTTPS metadata is required when communicating with Authority.
Back-channel timeout when fetching metadata/JWKS.
Clock skew tolerated when validating tokens.
Lifetime for cached discovery/JWKS metadata before forcing a refresh.
Gets or sets a value indicating whether stale metadata/JWKS may be reused if Authority is unreachable.
Additional tolerance window during which stale metadata/JWKS may be reused when offline fallback is allowed.
Gets the canonical Authority URI (populated during validation).
Gets the normalised scope list (populated during validation).
Gets the normalised tenant list (populated during validation).
Gets the network matcher used for bypass checks (populated during validation).
Validates provided configuration and normalises collections.
Named authorization policies for StellaOps observability and evidence resource servers.
Observability dashboards/read-only access policy name.
Observability incident activation policy name.
Timeline read policy name.
Timeline write policy name.
Evidence create policy name.
Evidence read policy name.
Evidence hold policy name.
Attestation read policy name.
Export viewer policy name.
Export operator policy name.
Export admin policy name.
Pack read policy name.
Pack write policy name.
Pack run policy name.
Pack approval policy name.
Registers all observability, timeline, evidence, attestation, and export authorization policies.
Registers Task Pack registry, execution, and approval authorization policies.
The authorization options to update.
Handles evaluation.
Authorisation requirement enforcing StellaOps scope membership.
Initialises a new instance of the class.
Scopes that satisfy the requirement.
Gets the required scopes.