stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
fda92af9bcbaf6c1677f0d6b13609a8e04222bbc
git.stella-ops.org/docs2/api/auth-and-tokens.md
master fcb5ffe25d feat(scanner): Complete PoE implementation with Windows compatibility fix 
- Fix namespace conflicts (Subgraph → PoESubgraph)
- Add hash sanitization for Windows filesystem (colon → underscore)
- Update all test mocks to use It.IsAny<>()
- Add direct orchestrator unit tests
- All 8 PoE tests now passing (100% success rate)
- Complete SPRINT_3500_0001_0001 documentation

Fixes compilation errors and Windows filesystem compatibility issues.
Tests: 8/8 passing
Files: 8 modified, 1 new test, 1 completion report

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-23 14:52:08 +02:00

44 lines
1.5 KiB
Markdown
Raw Blame History

# Auth and tokens
## Authority (OIDC and OAuth2)
- Issues short-lived OpTok access tokens.
- Tokens are sender-constrained by DPoP or mTLS.
- Audiences and scopes are enforced by each service.
## Token types
- OpTok: short-lived operational access token (minutes).
- Offline token: signed token for air-gap use and local verification.
- PoE: proof of entitlement enforced by Signer.
## Claims (typical)
- iss, sub, aud, exp, iat, nbf, jti, scope
- tid (tenant), inst (installation), roles
- cnf.jkt (DPoP) or cnf.x5t#S256 (mTLS)
## Sender constraints
- DPoP binds the access token to an ephemeral key (cnf.jkt).
- mTLS binds the access token to a client certificate (cnf.x5t#S256).
- High-value audiences should require a DPoP nonce challenge.
## Proof of Entitlement (PoE)
- PoE is enforced by Signer for signing operations.
- OpTok proves who is calling; PoE proves entitlement.
- Enrollment: License Token -> PoE, bound to installation key.
## Recommended flows
- Client credentials for services and automation.
- Device code for CLI interactive login.
- Authorization code with PKCE for UI logins.
## Validation rules (resource servers)
- Verify signature, issuer, audience, exp, nbf, and scope.
- Enforce sender constraints (DPoP or mTLS).
- Enforce tenant and installation boundaries.
## Key rotation
- JWKS exposes active and retired keys.
- Keep old keys for the max token lifetime plus skew.
## Introspection
- Optional for services that require online token validation.
Reference in New Issue View Git Blame Copy Permalink