stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
3aed135fb5e5791efcbe3399084e5e88f1ad0083
git.stella-ops.org/StellaOps.Authority.TODOS.AuthorityCore.md

4.6 KiB
Raw Blame History

StellaOps Authority — Core Service Team

Read first: AGENTS.md, StellaOps.Authority.TODOS.md, and this plan. Update status in both TODO trackers.

Mission

Design and implement the Authority host (OpenIddict server, token lifecycles, administrative endpoints) on top of the DevEx scaffold, coordinating with Plugin, Library, and Security teams.

Work Breakdown

Order Task IDs Description Dependencies Acceptance
1 CORE1 Wire minimal API host with configuration, logging, plugin discovery, /health + /ready. DevEx FND1FND5 Manual smoke: dotnet run returns healthy responses.
2 CORE2 Configure OpenIddict server endpoints & flows (password, client credentials, refresh, jwks). CORE1 Supports HTTPS enforcement toggle via options.
3 CORE3 Implement Mongo repositories for users/clients/scopes/tokens/login attempts. CORE1 Collections + indices documented; unit tests for CRUD.
4 CORE4 Integrate plugin contracts (IIdentityProviderPlugin, etc.) into DI; load capabilities. PLG1 Plugins registered through host on startup.
5 CORE5 Port/customize OpenIddict handlers (password/client creds validation) to use plugin contracts. CORE4 Unit tests for success/failure scenarios.
5a CORE5A Add integration tests covering token persistence & revocation via IAuthorityTokenStore. CORE5 Ensure revoked tokens denied + fixtures for access/reference tokens.
5b CORE5B Document token persistence & enrichment flows for resource servers/plugins. CORE5 Docs updated with claim expectations + revocation sync guidance.
6 CORE6 Implement bootstrap admin endpoints (/internal/users, /internal/clients) secured via bootstrap API key. CORE5 Add rate limiting + audit logs.
7 CORE7 & CORE8 Add structured logging, OTEL spans, and ASP.NET rate limiting for /token, /authorize. CORE5 Verify via integration tests, metrics exported.
8 CORE9 Implement token revocation + signed offline revocation manifest generation hooks. CORE5 CLI call returns signed JSON; tests confirm revoked tokens denied.
9 CORE10 Configure signing/encryption key rotation, JWKS publishing, certificate loader. CORE5 Document rotation steps; integration test covers key rollover.

Implementation Notes

  • All Mongo repositories must align with offline-first design (no TTL for critical data unless configurable).
  • Expose metrics counters (issued tokens, failed attempts) for DevOps consumption.
  • Coordinate with Security Guild for password hashing options (Argon2 vs PBKDF2), lockout thresholds.
  • Ensure plugin capability metadata is honored (e.g., if plugin lacks password support, reject password grants gracefully).
  • Provide integration hooks for future LDAP plugin (capability flag + TODO comment).

Status

  • CORE1 Completed 2025-10-09. Minimal API host loads validated configuration, configures Serilog, registers plugins, and exposes /health + /ready.
  • CORE2 Completed 2025-10-09. OpenIddict server configured with required endpoints, token lifetimes, sliding refresh tokens, and Development-only HTTPS relaxation.
  • CORE3 Completed 2025-10-09. Mongo storage project created with indexed Authority collections, repositories, and bootstrap migration runner.
  • CORE4 Not started.
  • CORE5 Completed 2025-10-10 with client-credentials validation, token validation handlers, and token persistence wired through plugin contracts.
  • CORE5A Pending integration tests for token persistence/revocation behaviour (QA + BE-Auth pairing).
  • CORE5B Pending documentation refresh covering claims enrichment + token store expectations.
  • CORE6 Completed 2025-10-10. Bootstrap admin APIs behind API key provison users and clients through plugin stores.
  • CORE7 Not started.
  • CORE8 Not started.
  • CORE9 Not started.
  • CORE10 Not started.

Deliverables

  • StellaOps.Authority project with tested endpoints and handlers.
  • Repository docs summarizing API responses (shared with Docs team).
  • Integration tests (Authority-only) verifying token issuance + revocation.
  • Audit logging implemented (structured with trace IDs).

Coordination

  • Daily stand-up with Plugin + Libraries teams until CORE5 complete (met objective 2025-10-10).
  • Notify DevOps when /token contract stabilizes (OPS pipeline).
  • Work with Docs to capture endpoint behavior for docs/11_AUTHORITY.md.
  • Review PRs from Plugin & Libraries teams affecting Authority host.