Skip to content

OIDC Federation

OIDC is the enterprise federation baseline for Astra.

Implemented

  • provider configuration
  • discovery
  • authorization-code login initiation
  • callback handling
  • login state and nonce handling
  • JWKS-backed ID token verification
  • identity linking
  • group-to-role mapping
  • claim-to-attribute mapping
  • local Astra session issuance after successful federation
  • federation audit persistence

Deferred By Decision

These are not part of the current production-ready baseline:

  • SAML federation
  • LDAP/AD sync or auth bridge

Runtime Submodules

  • contracts and persistence: astraauth.idp
  • runtime composition: astraauth.service
  • adapter endpoints: astraauth.core + astraauth.adapters

What To Expect

If you need enterprise federation today, OIDC is the supported path. If a concrete customer or deployment requires SAML or LDAP/AD later, they should be introduced as dedicated modules instead of placeholder packages.