The auth module composes multiple authentication and verification planes behind shared identity and policy contracts. It acts as the primary gate for identity validation before downstream module authorization and business logic execution.
- Token and identity plane
  - JWT/OIDC validation and key/JWKS handling
  - principal extraction and identity normalization
- Interactive and federated auth plane
  - Kerberos, LDAP, SAML, OAuth, WebAuthn, mTLS, and API-key flows
  - federated identity and provider coordination
- Session and revocation plane
  - session lifecycle and revocation management
  - blacklist and replay/resilience controls
- Trust and policy plane
  - rate-limiting, policy checks, and zero-trust verification paths
  - audit and metrics emission for auth decisions
| Contract | Behavior |
|---|---|
| authentication interfaces | validate credentials/tokens and produce principal context |
| session/revocation interfaces | track and enforce active/revoked identity state |
| policy interfaces | evaluate access constraints and trust posture |
| audit/metrics interfaces | emit operational and security decision signals |
- invalid credentials/tokens fail closed with structured auth errors.
- unavailable optional providers produce explicit integration failures.
- trust/policy checks gate request continuation by design.
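The composition and fail-closed ordering described above, as an added C++ example that is not the module's own code: a token plane, a session/revocation plane, a rate limiter and a policy plane run in sequence behind one gate, each returning a structured result that names the deciding plane. The token format, the `AuthGate`/`AuthResult` names and the demo configuration are assumptions; the key-id lookup stands in for real JWT signature verification against JWKS keys.

```cpp
// Added example (not the project's own code): a fail-closed gate composing the
// auth planes described above. All type names here are assumptions.
#include <initializer_list>
#include <iostream>
#include <map>
#include <optional>
#include <set>
#include <sstream>
#include <string>
#include <vector>

enum class AuthCode { Ok, MalformedToken, UnknownKey, Expired, Revoked,
                      RateLimited, PolicyDenied, ProviderUnavailable };

struct Principal { std::string subject; std::string token_id; std::set<std::string> scopes; };

// Structured result: which plane decided, why, and the principal on success.
struct AuthResult {
    AuthCode code; std::string plane; std::string detail; std::optional<Principal> principal;
    bool ok() const { return code == AuthCode::Ok; }
};

static std::vector<std::string> split(const std::string& s, char sep) {
    std::vector<std::string> out; std::string part; std::stringstream ss(s);
    while (std::getline(ss, part, sep)) out.push_back(part);
    return out;
}

// Token plane. Parses a constructed, non-cryptographic token format
// "kid|subject|token_id|exp_unix|scope1,scope2". A real deployment verifies the
// JWT signature against JWKS keys; the key-id lookup only stands in for that step.
struct TokenPlane {
    std::set<std::string> known_kids;  // stand-in for a JWKS key set
    AuthResult validate(const std::string& token, long now) const {
        auto parts = split(token, '|');
        if (parts.size() != 5) return {AuthCode::MalformedToken, "token", "expected 5 fields", std::nullopt};
        if (!known_kids.count(parts[0])) return {AuthCode::UnknownKey, "token", "kid not in key set", std::nullopt};
        long exp = 0;
        try { exp = std::stol(parts[3]); }
        catch (...) { return {AuthCode::MalformedToken, "token", "exp is not an integer", std::nullopt}; }
        if (exp <= now) return {AuthCode::Expired, "token", "token expired", std::nullopt};
        Principal p{parts[1], parts[2], {}};
        for (const auto& s : split(parts[4], ',')) if (!s.empty()) p.scopes.insert(s);
        return {AuthCode::Ok, "token", "", p};
    }
};

// Session/revocation plane: a blacklist of revoked token ids.
struct RevocationPlane {
    std::set<std::string> revoked_token_ids;
    bool is_revoked(const std::string& id) const { return revoked_token_ids.count(id) > 0; }
};

// Trust plane: fixed-window rate limiter keyed by subject.
struct RateLimiter {
    int max_per_window = 0; long window_seconds = 0;
    std::map<std::string, std::pair<long, int>> windows;  // subject -> (window start, count)
    bool allow(const std::string& subject, long now) {
        auto& w = windows[subject];
        if (w.second == 0 || now - w.first >= window_seconds) w = {now, 0};
        if (w.second >= max_per_window) return false;
        ++w.second;
        return true;
    }
};

// Policy plane: every required scope must be present on the principal.
struct PolicyPlane {
    std::set<std::string> required_scopes;
    bool permits(const Principal& p) const {
        for (const auto& s : required_scopes) if (!p.scopes.count(s)) return false;
        return true;
    }
};

// The gate: planes run in order and the first failure ends the request; any
// unexpected exception maps to a deny, so the gate fails closed.
struct AuthGate {
    TokenPlane token; RevocationPlane revocation; RateLimiter limiter; PolicyPlane policy;
    AuthResult authenticate(const std::string& raw_token, long now) {
        try {
            AuthResult r = token.validate(raw_token, now);
            if (!r.ok()) return r;
            const Principal& p = *r.principal;
            if (revocation.is_revoked(p.token_id))
                return {AuthCode::Revoked, "session", "token id is blacklisted", std::nullopt};
            if (!limiter.allow(p.subject, now))
                return {AuthCode::RateLimited, "trust", "too many attempts for subject", std::nullopt};
            if (!policy.permits(p))
                return {AuthCode::PolicyDenied, "policy", "required scope missing", std::nullopt};
            return r;
        } catch (...) {
            return {AuthCode::ProviderUnavailable, "gate", "internal failure; denied", std::nullopt};
        }
    }
};

// Constructed demo configuration: one known key, one revoked token id,
// three attempts per 60 s window, and the "read" scope required.
AuthGate make_demo_gate() {
    AuthGate g;
    g.token.known_kids = {"k1"};
    g.revocation.revoked_token_ids = {"t-revoked"};
    g.limiter = {3, 60, {}};
    g.policy.required_scopes = {"read"};
    return g;
}

int main() {
    AuthGate gate = make_demo_gate();
    for (const char* t : {"k1|alice|t1|2000|read,write", "k1|bob|t-revoked|2000|read", "bogus"}) {
        AuthResult r = gate.authenticate(t, 1000);
        std::cout << t << " -> " << (r.ok() ? std::string("allow") : "deny (" + r.plane + ": " + r.detail + ")") << '\n';
    }
}
```

The order matters for the failure modes listed above: a revoked or malformed token never reaches the rate limiter or policy check, so a denied request cannot consume quota or leak policy state, and the `plane` field in each result gives the audit/metrics surface a stable key to count decisions by.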
- Verified files:
  - src/auth/jwt_validator.cpp
  - src/auth/oidc_provider.cpp
  - src/auth/federated_identity_manager.cpp
  - src/auth/session_manager.cpp
  - src/auth/token_blacklist.cpp
  - src/auth/zero_trust_auth_verifier.cpp
  - src/auth/auth_rate_limiter.cpp
- Verified architecture claims:
  - multi-plane authentication composition
  - explicit session/revocation and policy layers
  - dedicated trust and observability surfaces in module