Identity provider with YAML-backed store. Issues tokens with scope attenuation — you cannot request a scope your roles don't permit.
The development/testing implementation. Loads identities from YAML, issues tokens by attenuating requested scopes against the identity's role-defined maximum.
The IDP signs tokens with the key returned by pki.private_key(id), going through the PKI backend's interface rather than reaching around it with send(:fetch). The PKI backend interface provides clean access.
Roles define what you could do. Scopes define what you asked to do. The token carries the intersection — what you're actually allowed to do for this session.
This means a single identity with roles [:read, :write, :admin] can request a token with only [:read] for a read-only operation. The token is scoped down, not up.
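Scope attenuation as described above, as an added example rather than the project's own yaml_store.rb: the YAML layout, the identity names and the use of an in-memory RSA key in place of pki.private_key(id) are all assumptions made here. A request containing a scope outside the role maximum is refused outright, and the signed payload carries only the intersection.

```ruby
require "yaml"
require "json"
require "set"
require "openssl"
# Constructed sample store. The layout (roles -> scopes, identities -> roles)
# is an assumption for this example, not the project's own schema.
IDENTITY_YAML = <<~YAML
  roles:
    reader: [read]
    editor: [read, write]
    admin:  [read, write, admin]
  identities:
    alice: { roles: [reader, editor, admin] }
    bob:   { roles: [reader] }
YAML
class ScopeDenied < StandardError; end

class YamlIdentityStore
  def initialize(yaml_text, signing_key)
    @data = YAML.safe_load(yaml_text)
    @key  = signing_key # stand-in for what pki.private_key(id) would return
  end

  # Role-defined maximum: the union of the scopes granted by all of the identity's roles.
  def max_scopes(id)
    ident = @data.fetch("identities").fetch(id) { raise KeyError, "unknown identity #{id}" }
    ident.fetch("roles").flat_map { |r| @data.fetch("roles").fetch(r) }.map(&:to_sym).to_set
  end

  # Attenuation: issued scopes are requested & permitted. A request reaching outside the
  # role maximum is refused, not silently narrowed, so a trimmed token is never mistaken for a full one.
  def attenuate(id, requested)
    requested = requested.map(&:to_sym).to_set
    excess = requested - max_scopes(id)
    raise ScopeDenied, "#{id} may not request #{excess.to_a.inspect}" unless excess.empty?
    (requested & max_scopes(id)).to_a.sort
  end

  # Issue a token whose signed payload carries only the attenuated scopes.
  def issue(id, requested, ttl: 300)
    payload = { sub: id, scopes: attenuate(id, requested), exp: Time.now.to_i + ttl }.to_json
    { payload: payload, sig: [@key.sign(OpenSSL::Digest.new("SHA256"), payload)].pack("m0") }
  end

  # Relying-party check: verify the signature first, then require the needed scope.
  def self.authorize?(token, pub_key, needed)
    return false unless pub_key.verify(OpenSSL::Digest.new("SHA256"), token[:sig].unpack1("m0"), token[:payload])
    claims = JSON.parse(token[:payload], symbolize_names: true)
    claims[:exp] > Time.now.to_i && claims[:scopes].map(&:to_sym).include?(needed.to_sym)
  end
end
```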
wanderland-core/lib/wanderland/idp/yaml_store.rb