StellaOps.Auth.Abstractions
    
    
        
            
            Canonical telemetry metadata for the StellaOps Authority stack.
            
        
        
            
            service.name resource attribute recorded by Authority components.
            
        
        
            
            service.namespace resource attribute aligning Authority with other StellaOps services.
            
        
        
            
            Activity source identifier used by Authority instrumentation.
            
        
        
            
            Meter name used by Authority instrumentation.
            
        
        
            
            Builds the default set of resource attributes (service name/namespace/version).
            
            Optional assembly used to resolve the service version.
        
        
            
            Resolves the service version string from the provided assembly (defaults to the Authority telemetry assembly).
            
        
        
            
            Represents an IP network expressed in CIDR notation.
            
        
        
            
            Initialises a new .
            
            Canonical network address with host bits zeroed.
            Prefix length (0-32 for IPv4, 0-128 for IPv6).
        
        
            
            Canonical network address with host bits zeroed.
            
        
        
            
            Prefix length.
            
        
        
            
            Attempts to parse the supplied value as CIDR notation or a single IP address.
            
            Thrown when the input is not recognised.
        
        
            
            Attempts to parse the supplied value as CIDR notation or a single IP address.
            
        
        
            
            Determines whether the provided address belongs to this network.
            
        
        
            
        
        
            
            Evaluates remote addresses against configured network masks.
            
        
        
            
            Creates a matcher from raw CIDR strings.
            
            Sequence of CIDR entries or IP addresses.
            Thrown when a value cannot be parsed.
        
        
            
            Creates a matcher from already parsed masks.
            
            Sequence of network masks.
        
        
            
            Gets a matcher that allows every address.
            
        
        
            
            Gets a matcher that denies every address (no masks configured).
            
        
        
            
            Indicates whether this matcher has no masks configured and does not allow all.
            
        
        
            
            Returns the configured masks.
            
        
        
            
            Checks whether the provided address matches any of the configured masks.
            
            Remote address to test.
            true when the address is allowed.
        
        
            
            Default authentication constants used by StellaOps resource servers and clients.
            
        
        
            
            Default authentication scheme for StellaOps bearer tokens.
            
        
        
            
            Logical authentication type attached to .
            
        
        
            
            Policy prefix applied to named authorization policies.
            
        
        
            
            Canonical claim type identifiers used across StellaOps services.
            
        
        
            
            Subject identifier claim (maps to sub in JWTs).
            
        
        
            
            StellaOps tenant identifier claim (multi-tenant deployments).
            
        
        
            
            OAuth2/OIDC client identifier claim (maps to client_id).
            
        
        
            
            Unique token identifier claim (maps to jti).
            
        
        
            
            Authentication method reference claim (amr).
            
        
        
            
            Space-separated scope list (scope).
            
        
        
            
            Individual scope items (scp).
            
        
        
            
            OAuth2 resource audiences (aud).
            
        
        
            
            Identity provider hint for downstream services.
            
        
        
            
            Session identifier claim (sid).
            
        
        
            
            Fluent helper used to construct  instances that follow StellaOps conventions.
            
        
        
            
            Adds or replaces the canonical subject identifier.
            
        
        
            
            Adds or replaces the canonical client identifier.
            
        
        
            
            Adds or replaces the tenant identifier claim.
            
        
        
            
            Adds or replaces the user display name claim.
            
        
        
            
            Adds or replaces the identity provider claim.
            
        
        
            
            Adds or replaces the session identifier claim.
            
        
        
            
            Adds or replaces the token identifier claim.
            
        
        
            
            Adds or replaces the authentication method reference claim.
            
        
        
            
            Sets the name claim type appended when building the .
            
        
        
            
            Sets the role claim type appended when building the .
            
        
        
            
            Sets the authentication type stamped on the .
            
        
        
            
            Registers the supplied scopes (normalised to lower-case, deduplicated, sorted).
            
        
        
            
            Registers the supplied audiences (trimmed, deduplicated, sorted).
            
        
        
            
            Adds a single audience.
            
        
        
            
            Adds an arbitrary claim (no deduplication is performed).
            
        
        
            
            Adds multiple claims (incoming claims are cloned to enforce value trimming).
            
        
        
            
            Adds an iat (issued at) claim using Unix time seconds.
            
        
        
            
            Adds an nbf (not before) claim using Unix time seconds.
            
        
        
            
            Adds an exp (expires) claim using Unix time seconds.
            
        
        
            
            Returns the normalised scope list (deduplicated + sorted).
            
        
        
            
            Returns the normalised audience list (deduplicated + sorted).
            
        
        
            
            Builds the immutable  instance based on the registered data.
            
        
        
            
            Factory helpers for returning RFC 7807 problem responses using StellaOps conventions.
            
        
        
            
            Produces a 401 problem response indicating authentication is required.
            
        
        
            
            Produces a 401 problem response for invalid, expired, or revoked tokens.
            
        
        
            
            Produces a 403 problem response when access is denied.
            
        
        
            
            Produces a 403 problem response for insufficient scopes.
            
        
        
            
            Canonical scope names supported by StellaOps services.
            
        
        
            
            Scope required to trigger Concelier jobs.
            
        
        
            
            Scope required to manage Concelier merge operations.
            
        
        
            
            Scope granting administrative access to Authority user management.
            
        
        
            
            Scope granting administrative access to Authority client registrations.
            
        
        
            
            Scope granting read-only access to Authority audit logs.
            
        
        
            
            Synthetic scope representing trusted network bypass.
            
        
        
            
            Scope granting read-only access to raw advisory ingestion data.
            
        
        
            
            Scope granting write access for raw advisory ingestion.
            
        
        
            
            Scope granting read-only access to raw VEX ingestion data.
            
        
        
            
            Scope granting write access for raw VEX ingestion.
            
        
        
            
            Scope granting permission to execute aggregation-only contract verification.
            
        
        
            
            Normalises a scope string (trim/convert to lower case).
            
            Scope raw value.
            Normalised scope or null when the input is blank.
        
        
            
            Checks whether the provided scope is registered as a built-in StellaOps scope.
            
        
        
            
            Returns the full set of built-in scopes.