nucleus-identity-projection 0.1.0

Identity projection lifter for the Nucleus substrate. Lifts a JWT-SVID (SPIFFE 2.0) into a Projection::Identity body that the substrate Receipt envelope can carry. Verifier path validates the SVID against a published JWKS — fully offline once the JWKS is fetched.

nucleus-identity-projection


Identity projection lifter for the Nucleus substrate. Lifts a SPIFFE JWT-SVID into the typed body of a Projection::Identity variant, then verifies it offline against a published JWKS.

Wire shape

{
  "kind": "identity",
  "body": {
    "version": 1,
    "subject":   "spiffe://example.local/agent",
    "audience":  "nucleus-substrate",
    "issuer_kid": "...",
    "svid_jwt":  "eyJhbGciOiJFZERTQSI..."
  }
}

Verifier path

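use nucleus_identity_projection::{IdentityBody, verify_identity_projection};

// `projection_body` is the "body" value of the wire shape above.
let body: IdentityBody = serde_json::from_value(projection_body)?;
// Runs the checks listed below against the already-fetched JWKS; no network access.
let token = verify_identity_projection(&body, &jwks_json)?;
println!("verified sub: {}", token.claims.sub);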

Checks performed:

  1. Body version matches IDENTITY_BODY_VERSION (1).
  2. JWKS contains an Ed25519 key with kid == body.issuer_kid.
  3. JWT signature verifies (Algorithm::EdDSA).
  4. JWT aud matches body.audience.
  5. JWT sub matches body.subject.
  6. JWT exp is in the future.
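
The check order above can be modelled with the standard library alone. This is an added example, not the crate's code: every type and function name in it is hypothetical, the Ed25519 step is passed in as a closure because `std` has no signature verification, and treating `aud` as a list is an assumption. It shows why checks 4 and 5 matter: `subject` and `audience` in the body sit outside the signed JWT, so they only count once they are compared with the verified claims.

```rust
// Added example: every type and name here is hypothetical, not the crate's API.
#[derive(Debug, PartialEq)]
pub enum Reject { Version, UnknownKid, BadSignature, Audience, Subject, Expired }

pub struct Body { pub version: u32, pub subject: String, pub audience: String,
                  pub issuer_kid: String, pub svid_jwt: String }
pub struct Jwk { pub kid: String, pub kty: String, pub crv: String }
#[derive(Debug, Clone, PartialEq)]
pub struct Claims { pub sub: String, pub aud: Vec<String>, pub exp: u64 }

pub const BODY_VERSION: u32 = 1;

/// Runs the six checks in order. `verify_sig` stands in for EdDSA verification
/// and must return the claims only if the signature verifies under `key`, so
/// no claim is read before check 3 has passed.
pub fn check<F>(body: &Body, jwks: &[Jwk], now: u64, verify_sig: F) -> Result<Claims, Reject>
where F: Fn(&Jwk, &str) -> Option<Claims> {
    if body.version != BODY_VERSION { return Err(Reject::Version); } // 1
    let key = jwks.iter() // 2: Ed25519 JWKs are kty "OKP", crv "Ed25519" (RFC 8037)
        .find(|k| k.kid == body.issuer_kid && k.kty == "OKP" && k.crv == "Ed25519")
        .ok_or(Reject::UnknownKid)?;
    let claims = verify_sig(key, &body.svid_jwt).ok_or(Reject::BadSignature)?; // 3
    // 4: assumption: "matches" is modelled as membership in the aud list.
    if !claims.aud.iter().any(|a| a == &body.audience) { return Err(Reject::Audience); }
    if claims.sub != body.subject { return Err(Reject::Subject); } // 5
    if claims.exp <= now { return Err(Reject::Expired); } // 6
    Ok(claims)
}

/// Constructed sample input: a body and a one-key JWKS.
pub fn sample() -> (Body, Vec<Jwk>) {
    let body = Body { version: 1, subject: "spiffe://example.local/agent".into(),
        audience: "nucleus-substrate".into(), issuer_kid: "k1".into(),
        svid_jwt: "signed-token".into() };
    (body, vec![Jwk { kid: "k1".into(), kty: "OKP".into(), crv: "Ed25519".into() }])
}
/// Constructed stand-in verifier: accepts only the literal token "signed-token".
pub fn fake_verify(_key: &Jwk, jwt: &str) -> Option<Claims> {
    (jwt == "signed-token").then(|| Claims { sub: "spiffe://example.local/agent".into(),
        aud: vec!["nucleus-substrate".into()], exp: 2_000 })
}

fn main() {
    let (mut body, jwks) = sample();
    println!("{:?}", check(&body, &jwks, 1_000, fake_verify));
    body.subject = "spiffe://example.local/admin".into(); // outer field edited after signing
    println!("{:?}", check(&body, &jwks, 1_000, fake_verify));
}
```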

SPIFFE reference

JWT-SVID per the SPIFFE specification.

License

Dual-licensed under MIT OR Apache-2.0.