Skip to content

feat(federation): versioned subject contract + render_subject(subject_scope) #139

Description

@alukach

Part of the Federated backend authentication epic (proxy-side).

What

Implement the versioned, structured subject contract and a render_subject function. AWS trust policies can only condition on :aud / :sub for generic OIDC IdPs, so all scoping context is packed into sub.

Contract (scv1 scheme — public, versioned)

scv1:conn:{connection_id}
scv1:conn:{connection_id}:account:{product_account}
scv1:conn:{connection_id}:product:{product_account}/{product_id}
fn render_subject(scope: &SubjectScope, conn_id: &str, account: &str, product: &str) -> String

Notes

  • sub is a public contract: customer trust policies hard-code its shape. Any future scv2 must be dual-minted during a transition (claim-level analog of dual-key JWKS rotation).
  • Source IDs are [a-z0-9-], so : and / are safe delimiters.

Acceptance

  • render_subject covers all three scopes
  • Unit tests assert exact strings per scope
  • Scheme tag (scv1:) present and documented as stable

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions