Add ADR 0026: OAuth2/OIDC Provider (Keystone as IdP)#916
Conversation
Documents Keystone acting as an OAuth2 Authorization Server / OpenID Connect Provider for external relying parties, complementing the existing OIDC/SAML consumer-side federation stack (ADR 0006/0007/ 0008/0013/0020). Covers issuer model, a new signed-JWT token track, OAuth2Client registration, claims mapping via the existing Unified Mapping Engine interpolation primitive, grant types, and the login/consent flow.
General Review SummaryThis is an excellent and comprehensive ADR that addresses a significant product gap. The architectural decisions are well-justified, security considerations are thorough, and the reuse of existing subsystems (key-repository, mapping engine, revocation events) is commendable. Overall Assessment: Ready for approval with minor clarifications Strengths
Key Clarifications NeededThe main point that needs resolution is the relationship between ADR 0020's ADR 0020's ADR 0026's These are completely different concepts and the ADR 0020 reference is indeed a stale forward-reference with no backing implementation. Action needed: Either update ADR 0020 to remove/annotate the stale |
Inline Suggestions1. Title - Suggested ClarificationThe title "OAuth2 / OpenID Connect Provider (Keystone as IdP)" is good, but consider adding "Keystone as OP" for completeness since OIDC Provider is synonymous with OAuth2 Authorization Server + OpenID Connect Provider. Suggestion: "OAuth2 / OpenID Connect Provider (Keystone as IdP/OP)" 2. §1 Context - Define CADFFirst mention of CADF should include its expansion. Current: "a CADF audit event is emitted (ADR 0023)" 3. §3 Token Crypto - Justify 5-minute LifetimeThe 5-minute default for Suggestion: Add justification: "Lifetimes: 4. §4 Client Model - Clarify Issuer URL FormatThe global issuer uses Question: Could 5. §4 - Resolving ADR 0020 ReferenceThe current text correctly identifies this as a stale forward-reference, but should be more explicit about the distinction: Current: "ADR 0020 §8's keyspace table lists Suggestion: "ADR 0020 §8's keyspace table lists 6. §6 Scopes - Clarify Validation TimingThe ADR mentions scope validation but doesn't specify when it occurs. Suggestion: Add: "An 7. §7 Login/Consent - Clarify UI ImplementationThe ADR mentions "server-rendered HTML login form" but doesn't specify the technology. Suggestion: Add: "...serves a minimal, server-rendered HTML login form (using Rust templating crate, implementation detail TBD)..." 8. Editorial - Consistent Version ReferencesThe ADR mixes "v1" and "Version 1". Consider standardizing on one format. Examples to update:
9. §8 Integration - Rate Limiting ClarificationThe ADR mentions "per-client" rate limiting but doesn't specify the identifier for public clients. Suggestion: Clarify: " |
🎯 Final Assessment: Ready for ApprovalStatus: Approve with minor clarifications This ADR is substantively excellent and addresses a critical product gap. The architectural decisions are well-justified, security considerations are thorough, and the reuse of existing subsystems demonstrates good engineering practice. What's Great
What Needs AttentionThe clarifications I've suggested are all non-blocking and editorial in nature:
RecommendationApprove this PR once the author addresses the clarifications, particularly the ADR 0020 reference explanation. The ADR is ready for merge from a technical and architectural standpoint. To the author: Thank you for this excellent ADR! The clarifications are minor and mostly editorial. The one substantive point is making the RP vs OP distinction crystal clear in the ADR 0020 reference section. |
📝 Inline Comment SuggestionsBelow are specific line-by-line suggestions for improvements. Each can be addressed with a simple text change. Line 1: TitleCurrent: Line 412: Define CADF AcronymCurrent: Line 195-196: Justify Token LifetimeCurrent: Suggestion: Reason: The current text is cut off mid-sentence. Complete the justification. Line 235-238: Clarify ADR 0020 Reference (CRITICAL)Current: Suggestion: Reason: This is the most important clarification - makes the RP vs OP distinction crystal clear. Line 220: Clarify Scope ValidationCurrent: Line 326: Clarify Scope Validation TimingCurrent: Line 269: Clarify Issuer URLCurrent: Line 350-355: Clarify UI ImplementationCurrent: Multiple Lines: Standardize Version ReferencesIssue: The ADR mixes "v1" and "Version 1" inconsistently.
Line 405: Clarify Rate Limiting for Public ClientsCurrent: "per-source-IP and per-client token-bucket limiting" ✅ SummaryAll of these suggestions are non-blocking and editorial in nature. The most important one is Line 235-238 (ADR 0020 reference clarification) as it addresses the RP vs OP distinction you correctly identified. The ADR is technically sound and ready for approval once these clarifications are addressed. |
Documents Keystone acting as an OAuth2 Authorization Server / OpenID
Connect Provider for external relying parties, complementing the
existing OIDC/SAML consumer-side federation stack (ADR 0006/0007/
0008/0013/0020). Covers issuer model, a new signed-JWT token track,
OAuth2Client registration, claims mapping via the existing Unified
Mapping Engine interpolation primitive, grant types, and the
login/consent flow.