# Authentication Authorization Standard
## Purpose
This standard defines the API authentication and authorization expectations that future Algosure API contracts must meet.
## Authentication Model
| Caller | Standard |
|---|---|
| Mobile app | Keycloak-issued access token using approved client configuration. |
| Web app | Keycloak-issued access token using approved web client configuration. |
| Backend service | Keycloak service account or approved internal service credential. |
| AIOS tool call | Governed internal caller identity with scoped tenant, actor, and task context. |
| Integration | Integration credential or service account separated from user-session credentials. |
## Authorization Model
Keycloak authenticates callers and issues tokens; it does not make Algosure authorization decisions. Identity remains the business source of truth for organization membership, tenant access, roles, permissions, API keys, and audit context.
```mermaid
sequenceDiagram
    participant Client
    participant Keycloak
    participant API
    participant Identity
    participant Billing
    participant Domain
    Client->>Keycloak: Authenticate
    Keycloak-->>Client: JWT access token
    Client->>API: Request with token
    API->>API: Validate token
    API->>Identity: Evaluate tenant, role, permission, policy
    API->>Billing: Check entitlement where required
    API->>Domain: Execute owning application service
```
## Required Checks
| Check | Owner |
|---|---|
| Token validation | API security layer with Spring Security. |
| User, service, or integration subject interpretation | Identity. |
| Membership and tenant access | Identity. |
| Organization context validation | Identity with Organization reference. |
| Role and permission checks | Identity. |
| Domain policy checks | Owning Domain. |
| Entitlement checks | Billing. |
| Feature flag and platform policy input | Administration where applicable. |
| Audit | Owning Domain with security metadata. |
## Rules
- APIs fail closed: a request is denied whenever authentication or any required context (subject, tenant, organization) is missing or cannot be resolved.
- A valid access token proves only that Keycloak authenticated the caller; it is not evidence that the caller owns or may access any resource.
- Token claims may assist context resolution (for example, locating the subject) but must not replace Identity authorization.
- Service accounts must be least-privilege and scoped to the tenants and operations they need.
- An AIOS tool call must be at least as constrained as the human actor and task it acts for; it never gains permissions the actor lacks.
- Sensitive commands may require MFA, approval, or elevated policy checks in addition to the standard checks above.
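The following is an added example, not Algosure project code, showing the request path from the sequence diagram and the rules above as one runnable pipeline: token validation first, then Identity (membership and permissions), then the AIOS actor/task bound, then Billing entitlement and an MFA requirement for a sensitive command. The signing key, issuer, audience, the `IDENTITY` and `BILLING` tables, the `SENSITIVE` rule table and the `amr` claim used as the MFA signal are all constructed assumptions; HS256 stands in for the RS256 keys Keycloak would normally publish, purely so the block runs offline.

```python
"""Added example, not Algosure's own code: the sequence diagram's request path as a
runnable pipeline. Key, issuer, audience, the Identity/Billing tables and the "amr"
MFA claim are constructed assumptions; HS256 stands in for Keycloak's RS256."""
import base64, hashlib, hmac, json

SECRET = b"demo-signing-key"                            # assumed shared key
ISSUER = "https://keycloak.example/realms/algosure"    # assumed realm URL
AUDIENCE = "algosure-api"                               # assumed client id
# Constructed Identity table (subject -> tenant -> permissions): the source of truth, not the token.
IDENTITY = {
    "user-alice":   {"tenant-a": {"orders:read", "orders:refund"}},
    "svc-reports":  {"tenant-a": {"orders:read"}},
    "aios-runtime": {"tenant-a": {"orders:read", "orders:refund"}},
}
BILLING = {"tenant-a": {"refunds"}}                     # constructed entitlements
SENSITIVE = {"orders:refund": {"entitlement": "refunds", "mfa": True}}

class Denied(Exception):
    """Any failed or missing check; the API layer maps it to 401/403."""

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict) -> str:
    """Constructed stand-in for Keycloak issuing an HS256 JWT."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def validate_token(token: str, now: float) -> dict:
    """'Validate token' step: pinned alg, signature, issuer, audience, expiry."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64url_decode(head)).get("alg") != "HS256":
            raise Denied("unexpected alg")                 # refuses alg=none downgrades
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise Denied("bad signature")
        claims = json.loads(_b64url_decode(body))
        if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
            raise Denied("wrong issuer or audience")
        if claims.get("exp", 0) <= now:
            raise Denied("expired")
    except (ValueError, AttributeError, TypeError):        # bad base64, bad JSON, wrong shape
        raise Denied("malformed token") from None
    return claims

def authorize(token: str, tenant: str, action: str, now: float, aios_task=None) -> dict:
    """Checks in diagram order; the first gap raises Denied, so the API fails closed."""
    claims = validate_token(token, now)
    subject = claims.get("sub")
    if not (subject and tenant and action):
        raise Denied("missing required context")
    # Identity decides membership and permissions. A "roles" claim in the token is
    # deliberately ignored: claims may help resolve context, they never grant access.
    grants = IDENTITY.get(subject, {}).get(tenant)
    if grants is None:
        raise Denied("not a member of tenant")
    if action not in grants:
        raise Denied("permission missing")
    if aios_task is not None:
        # An AIOS call is bounded by both the human actor's grants and the task scope.
        actor_grants = IDENTITY.get(aios_task.get("actor"), {}).get(tenant, set())
        if action not in actor_grants or action not in aios_task.get("allowed_actions", ()):
            raise Denied("AIOS call outside actor or task scope")
    rule = SENSITIVE.get(action)
    if rule:
        if rule["entitlement"] not in BILLING.get(tenant, set()):
            raise Denied("tenant not entitled")
        if rule["mfa"] and "mfa" not in (claims.get("amr") or []):
            raise Denied("MFA required")
    return {"subject": subject, "tenant": tenant, "action": action}

def decide(token: str, tenant: str, action: str, now: float, aios_task=None) -> str:
    try:
        authorize(token, tenant, action, now, aios_task)
        return "allow"
    except Denied as e:
        return f"deny: {e}"

def demo(now: float = 1_700_000_000) -> dict:
    """Constructed scenarios; returns each one's decision."""
    base = {"iss": ISSUER, "aud": AUDIENCE, "exp": now + 300}
    alice = mint_token({**base, "sub": "user-alice"})
    alice_mfa = mint_token({**base, "sub": "user-alice", "amr": ["pwd", "mfa"]})
    mallory = mint_token({**base, "sub": "user-mallory", "roles": ["admin"]})
    aios = mint_token({**base, "sub": "aios-runtime"})
    task = {"actor": "svc-reports", "allowed_actions": ["orders:refund"]}
    return {
        "claim_not_truth": decide(mallory, "tenant-a", "orders:read", now),
        "refund_no_mfa": decide(alice, "tenant-a", "orders:refund", now),
        "refund_mfa": decide(alice_mfa, "tenant-a", "orders:refund", now),
        "aios_over_actor": decide(aios, "tenant-a", "orders:refund", now, task),
    }
```

Calling `demo()` returns the four decisions: Mallory's token carries `"roles": ["admin"]` but Identity has no membership for her, so she is denied; Alice can read but a refund is refused until her token shows MFA; the AIOS runtime itself holds the refund permission, yet the call is denied because the actor it acts for (`svc-reports`) does not. Every check order-dependency in the diagram is preserved, and any exception path ends in a denial rather than a default allow.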