Identity (authn & authz)
Identity splits into authentication (who is calling — ctx.authn.*) and
authorization (what they may do — ctx.authz.*). Both are large port families; the
concepts and wiring are in Identity and the
authn / OIDC integrations — this
is the port catalog.
Authentication¶
AuthnSpec declares which credential families a route accepts and which named verifier /
resolver profiles to use (profiles are how external IdPs plug in without changing the
contract):
| Field | Type | Default | Meaning |
|---|---|---|---|
name |
str \| StrEnum |
required | route name |
enabled_methods |
frozenset[AuthnMethod] |
{"token"} |
credential families: password / token / api_key |
token_profile · password_profile · api_key_profile |
str \| None |
None |
named verifier profiles (else the route default) |
resolver_profile |
str \| None |
None |
named principal-resolver profile |
Ports, via ctx.authn.<x>(spec):
| Accessor | Port | For |
|---|---|---|
authn |
AuthnPort |
authenticate a credential → AuthnIdentity |
eligibility |
PrincipalEligibilityPort |
whether a principal may authenticate |
token_lifecycle |
TokenLifecyclePort |
issue / refresh / revoke tokens |
password_lifecycle |
PasswordLifecyclePort |
set / change a password |
password_reset |
PasswordResetPort |
request / confirm a reset (the recipe) |
api_key_lifecycle |
ApiKeyLifecyclePort |
mint / rotate / revoke API keys |
password_account_provisioning |
PasswordAccountProvisioningPort |
register / provision password accounts, issue + accept invites |
principal_deactivation |
PrincipalDeactivationPort |
deactivate a principal (cascades logout) |
event_sink |
AuthnEventSink |
structured authn events (login, lockout, refresh-reuse) |
Authorization¶
AuthzSpec:
| Field | Type | Default | Meaning |
|---|---|---|---|
name |
str \| StrEnum |
required | route name |
tenancy_mode |
"global" \| "require_invocation_tenant" |
"global" |
whether grant resolution is partitioned by the invocation tenant — set require_invocation_tenant in a multi-tenant deployment |
enforce_principal_active |
bool |
True |
refuse a decision for a deactivated principal |
enforce_delegation_grant |
bool |
False |
a delegated identity (actor set) also needs a recorded delegation grant |
Ports, via ctx.authz.<x>(spec):
| Accessor | Port | For |
|---|---|---|
decision |
AuthzDecisionPort |
may this principal run this operation? |
scope |
AuthzScopePort |
which rows may they see — a query-DSL filter |
grant_query |
GrantQueryPort |
read roles / permissions / bindings |
role_assignment |
RoleAssignmentPort |
assign / revoke roles |
principal_registry |
PrincipalRegistryPort |
provision principals |
delegation · delegation_grant |
DelegationPort · DelegationGrantPort |
act-on-behalf-of delegation |
Implemented by¶
| Surface | Provider | Integration |
|---|---|---|
| Authn + authz | forze_identity (local + external-IdP presets) |
Authn · OIDC |
A mock identity provider implements the ports for tests.