git.stella-ops.org/docs/modules/authority/gaps/authority-binding-matrix.md
StellaOps Bot 6a299d231f
Add unit tests for Router configuration and transport layers
- Implemented tests for RouterConfig, RoutingOptions, StaticInstanceConfig, and RouterConfigOptions to ensure default values are set correctly.
- Added tests for RouterConfigProvider to validate configurations and ensure defaults are returned when no file is specified.
- Created tests for ConfigValidationResult to check success and error scenarios.
- Developed tests for ServiceCollectionExtensions to verify service registration for RouterConfig.
- Introduced UdpTransportTests to validate serialization, connection, request-response, and error handling in UDP transport.
- Added scripts for signing authority gaps and hashing DevPortal SDK snippets.
2025-12-05 08:01:47 +02:00
Authority Binding Matrix (DPoP / mTLS) — AU2/AU3

All values deterministic and sorted by flow, tenant, environment.

Enforcement Matrix

| Flow | Tenant scope required | Binding | Nonce policy | Audience rules | Notes |
|---|---|---|---|---|---|
| device_code | tenant required; env optional | DPoP (ECDSA P-256) | nonce TTL 120s; single-use; clock skew ±30s | aud must match service; reject wildcard | Offline: tokens minted against cached JWKS; nonce list capped 1024 entries |
| auth_code | tenant required; env required | mTLS (SPIFFE) | n/a (channel bound) | aud == service; azp == client; enforce PKCE | Supports delegated authz; cert SAN must match client_id |
| client_credentials | tenant required; env optional | DPoP (Ed25519) or mTLS | nonce TTL 300s; rotate per token | aud == service; forbid multi-audience | Use mTLS when hardware root is available; else DPoP fallback |

DPoP Requirements

  • Proof htu/htm must match request; reject if clock skew >30s.
  • JTI single-use; store for nonce TTL window; evict oldest on cap.
  • Accept curves: P-256, Ed25519; forbid P-384/521 until crypto profile registry marks active.

mTLS Requirements

  • Client cert must chain to approved trust roots per tenant.
  • SAN must include urn:stellaops:client:{client_id}.
  • Require OCSP/CRL freshness ≤10m (offline mode: last good CRL/OCSP cached and timestamped).

Negative-path examples

  • Reject DPoP without nonce; reject reuse within TTL.
  • Reject auth_code where aud contains wildcard or mismatched service.
  • Reject client_credentials with missing tenant claim or multi-audience list.
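Added example (not part of this matrix or the Authority code base): a small policy object that applies the DPoP rows of the matrix, the DPoP requirements list and the DPoP negative paths above to an already parsed and signature-verified proof. The per-flow TTLs, ±30s skew, 1024-entry cap and allowed algorithms are taken from the page; the class and method names are assumptions.

```python
import secrets
from collections import OrderedDict

# Assumed from the matrix: per-flow nonce TTL in seconds (auth_code is mTLS
# channel-bound and has no nonce), +/-30s skew, 1024-entry list cap, P-256/Ed25519 only.
NONCE_TTL = {"device_code": 120, "client_credentials": 300}
MAX_SKEW_S, LIST_CAP = 30, 1024
ALLOWED_ALGS = {"ES256", "EdDSA"}  # ES384/ES512 stay forbidden

class DPoPProofPolicy:
    """Nonce and JTI replay state; the caller's JWT library verifies the signature first."""
    def __init__(self, cap=LIST_CAP):
        self.cap = cap
        self.nonces = OrderedDict()  # issued nonce -> expiry (single-use)
        self.jtis = OrderedDict()    # accepted jti -> expiry, kept for the TTL window

    def issue_nonce(self, flow, now):
        nonce = secrets.token_urlsafe(16)
        self.nonces[nonce] = now + NONCE_TTL[flow]
        self._evict(self.nonces, now)
        return nonce

    def _evict(self, table, now):
        # drop expired entries first, then evict the oldest until under the cap
        for key in [k for k, exp in table.items() if exp <= now]:
            del table[key]
        while len(table) > self.cap:
            table.popitem(last=False)

    def check(self, flow, header, claims, method, url, now):
        # returns (accepted, reason) for one parsed proof against the matrix rules
        ttl = NONCE_TTL.get(flow)
        if ttl is None:
            return False, "flow is channel-bound, not DPoP"
        if header.get("typ") != "dpop+jwt" or header.get("alg") not in ALLOWED_ALGS:
            return False, "typ/alg not permitted"
        if claims.get("htm") != method or claims.get("htu") != url:
            return False, "htm/htu do not match request"
        if abs(now - claims.get("iat", 0)) > MAX_SKEW_S:
            return False, "clock skew >30s"
        self._evict(self.nonces, now)
        self._evict(self.jtis, now)
        if claims.get("nonce") not in self.nonces:
            return False, "nonce missing, expired, or already used"
        jti = claims.get("jti")
        if not jti or jti in self.jtis:
            return False, "jti missing or reused within TTL"
        del self.nonces[claims["nonce"]]  # single-use nonce
        self.jtis[jti] = now + ttl        # remember the jti for the TTL window
        return True, "ok"
```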