Part of the Federated backend authentication epic (proxy-side).
What
Implement the versioned, structured subject contract and a render_subject function. AWS trust policies can only condition on :aud / :sub for generic OIDC IdPs, so all scoping context is packed into sub.
Contract (scv1 scheme — public, versioned)
scv1:conn:{connection_id}
scv1:conn:{connection_id}:account:{product_account}
scv1:conn:{connection_id}:product:{product_account}/{product_id}
fn render_subject(scope: &SubjectScope, conn_id: &str, account: &str, product: &str) -> String
Notes
- sub is a public contract: customer trust policies hard-code its shape. Any future scv2 must be dual-minted during a transition (claim-level analog of dual-key JWKS rotation).
- Source IDs are [a-z0-9-], so : and / are safe delimiters.
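Added example (not the project's own code): one implementation of the scv1 contract above. The three subject shapes and the render_subject signature are taken from this issue; the SubjectScope variant names, the InvalidId type, validate_id, mint_subject and parse_subject are assumptions. The point beyond the spec is the ID check: because ':' and '/' are the delimiters, an ID that ever slipped through with those characters would make a subject parse two ways, so the minter refuses such IDs before rendering, and the parser rejects anything not under the scv1: prefix.

```rust
// Added example, not the project's code. Variant names, InvalidId, validate_id,
// mint_subject and parse_subject are assumptions; shapes and render_subject's
// signature follow the issue text.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SubjectScope {
    Connection, // scv1:conn:{connection_id}
    Account,    // scv1:conn:{connection_id}:account:{product_account}
    Product,    // scv1:conn:{connection_id}:product:{product_account}/{product_id}
}

/// Scheme prefix. `sub` is a public contract, so this string stays stable;
/// a future scv2 would be minted alongside it, never in place of it.
pub const SCHEME: &str = "scv1";

#[derive(Debug, PartialEq, Eq)]
pub struct InvalidId {
    pub field: &'static str,
    pub value: String,
}

/// Source IDs are [a-z0-9-] by contract. Enforcing that before minting keeps
/// ':' and '/' unambiguous, so no subject can be read as two different scopes.
pub fn validate_id(field: &'static str, value: &str) -> Result<(), InvalidId> {
    let ok = !value.is_empty()
        && value
            .bytes()
            .all(|b| b.is_ascii_lowercase() || b.is_ascii_digit() || b == b'-');
    if ok {
        Ok(())
    } else {
        Err(InvalidId { field, value: value.to_string() })
    }
}

/// Render the `sub` claim for a scope; only the IDs that scope needs are used.
pub fn render_subject(scope: &SubjectScope, conn_id: &str, account: &str, product: &str) -> String {
    match scope {
        SubjectScope::Connection => format!("{}:conn:{}", SCHEME, conn_id),
        SubjectScope::Account => format!("{}:conn:{}:account:{}", SCHEME, conn_id, account),
        SubjectScope::Product => {
            format!("{}:conn:{}:product:{}/{}", SCHEME, conn_id, account, product)
        }
    }
}

/// Validate the IDs a scope uses, then render. A token minter should call this
/// rather than render_subject directly.
pub fn mint_subject(
    scope: &SubjectScope,
    conn_id: &str,
    account: &str,
    product: &str,
) -> Result<String, InvalidId> {
    validate_id("connection_id", conn_id)?;
    if matches!(scope, SubjectScope::Account | SubjectScope::Product) {
        validate_id("product_account", account)?;
    }
    if matches!(scope, SubjectScope::Product) {
        validate_id("product_id", product)?;
    }
    Ok(render_subject(scope, conn_id, account, product))
}

/// Parse a subject back into (scope, connection_id, product_account, product_id).
/// Anything not under the scv1: prefix, or with IDs outside [a-z0-9-], is rejected.
pub fn parse_subject(sub: &str) -> Option<(SubjectScope, String, String, String)> {
    let rest = sub.strip_prefix("scv1:conn:")?;
    let parts: Vec<&str> = rest.split(':').collect();
    let (scope, conn, acct, prod) = match parts.as_slice() {
        [conn] => (SubjectScope::Connection, *conn, "", ""),
        [conn, "account", acct] => (SubjectScope::Account, *conn, *acct, ""),
        [conn, "product", ap] => {
            let (acct, prod) = ap.split_once('/')?;
            (SubjectScope::Product, *conn, acct, prod)
        }
        _ => return None,
    };
    validate_id("connection_id", conn).ok()?;
    if scope != SubjectScope::Connection {
        validate_id("product_account", acct).ok()?;
    }
    if scope == SubjectScope::Product {
        validate_id("product_id", prod).ok()?;
    }
    Some((scope, conn.to_string(), acct.to_string(), prod.to_string()))
}
```

The round trip through parse_subject is what a test for "render_subject covers all three scopes" can assert on, and it doubles as a check that a customer's trust-policy pattern and the minted subject agree on the prefix.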
Acceptance
- render_subject covers all three scopes
- scv1: prefix present and documented as stable