stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
7b01c7d6acd233c1fdfac71cad09fd266be6bfc9
git.stella-ops.org/docs/implplan/archived/updates/2025-10-20-authority-identity-registry.md
master 7b01c7d6ac
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
feat: Add comprehensive product advisories for improved scanner functionality 
- Introduced a blueprint for explainable quiet alerts, detailing phases for SBOM, VEX readiness, and attestations.
- Developed a roadmap for deterministic diff-aware rescans, enhancing scanner speed and efficiency.
- Implemented a hash-based SBOM layer cache to optimize container scans by reusing previous results.
- Created a multi-runtime reachability corpus to validate function-level reachability across various programming languages.
- Proposed a stable SBOM model using SPDX 3.0.1 for persistence and CycloneDX 1.6 for interchange.
- Established a validation plan for quiet scans, focusing on provenance and CI integration.
- Documented guidelines for the Findings Ledger module, outlining roles, execution rules, and testing protocols.
2025-11-17 00:09:26 +02:00

1.6 KiB
Raw Blame History

2025-10-20 — Authority Identity Provider Registry & DPoP nonce updates

Summary

  • Authority host now resolves identity providers through the new metadata/handle pattern introduced in StellaOps.Authority.Plugins.Abstractions. Runtime handlers (ValidateClientCredentialsHandler, ValidatePasswordGrantHandler, ValidateAccessTokenHandler, bootstrap endpoints) acquire providers with IAuthorityIdentityProviderRegistry.AcquireAsync and rely on metadata (AuthorityIdentityProviderMetadata) for capability checks.
  • Unit and integration tests build lightweight ServiceProvider instances with test plugins, matching production DI behaviour and ensuring the new registry contract is exercised.
  • DPoP nonce enforcement now prefers NormalizedAudiences when populated and gracefully falls back to the configured RequiredAudiences, eliminating the runtime type mismatch that previously surfaced during test runs.

Operator impact

  • No configuration changes are required; existing YAML and environment-based settings continue to function.
  • Documentation examples referencing password/mTLS bootstrap flows remain accurate. The new registry logic simply ensures providers advertised in configuration are resolved deterministically and capability-gated before use.

Developer notes

  • When adding new identity providers or tests, register plugins via ServiceCollection and call new AuthorityIdentityProviderRegistry(serviceProvider, logger).
  • For DPoP-required endpoints, populate security.senderConstraints.dpop.nonce.requiredAudiences or rely on defaults; both now funnel through the normalized set.