
Crate nucleus_identity_projection


§nucleus-identity-projection — JWT-SVID adapter for the substrate

Implements the Identity projection functor from nucleus_substrate_core: lifts a JWT-SVID into the typed body of a Projection::Identity variant, and verifies it offline against a published JWKS.

§Wire shape

{
  "kind": "identity",
  "body": {
    "version": 1,
    "subject": "spiffe://example.local/agent",
    "audience": "nucleus-substrate",
    "issuer_kid": "...",
    "svid_jwt": "eyJ..."
  }
}

§Verifier path

verify_identity_projection takes the body and the issuer’s JWKS JSON, locates the Ed25519 verifying key by issuer_kid, and runs the standard jsonwebtoken decode and validate path. It performs these claim checks:

  1. JWT signature verifies against the JWKS key for issuer_kid.
  2. JWT sub matches body.subject.
  3. JWT aud matches body.audience.
  4. JWT exp is in the future.

Any failure → IdentityVerifyError.
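
The claim-binding part of this path (checks 2 to 4), as an added example that is not the crate's own code. It assumes check 1 has already succeeded and that aud is matched by membership, since a JWT aud claim may be a single string or an array; `Body`, `Claims`, `BindError` and `check_binding` are hypothetical names, and the sample values are constructed.

```rust
// Added example: binds the unsigned outer body fields to the signed JWT claims.
// All names here are hypothetical; this is not the crate's API.

#[derive(Debug, PartialEq)]
enum BindError {
    SubjectMismatch,
    AudienceMismatch,
    Expired,
}

/// Unsigned outer fields taken from the projection body.
struct Body<'a> {
    subject: &'a str,
    audience: &'a str,
}

/// Claims decoded from a JWT-SVID whose signature was already verified (check 1).
struct Claims<'a> {
    sub: &'a str,
    aud: Vec<&'a str>, // a single-string `aud` is represented as a one-element list
    exp: u64,          // seconds since the Unix epoch
}

fn check_binding(body: &Body, claims: &Claims, now: u64) -> Result<(), BindError> {
    // Check 2: exact string equality, no prefix or case-insensitive matching.
    if claims.sub != body.subject {
        return Err(BindError::SubjectMismatch);
    }
    // Check 3 (assumption: membership): body.audience must be one of the signed values.
    if !claims.aud.iter().any(|a| *a == body.audience) {
        return Err(BindError::AudienceMismatch);
    }
    // Check 4: `exp` must be strictly in the future.
    if claims.exp <= now {
        return Err(BindError::Expired);
    }
    Ok(())
}

fn main() {
    // Constructed sample: the signed claims name `agent`, the outer body was edited afterwards.
    let claims = Claims { sub: "spiffe://example.local/agent", aud: vec!["nucleus-substrate"], exp: 2_000_000_000 };
    let edited = Body { subject: "spiffe://example.local/other", audience: "nucleus-substrate" };
    println!("{:?}", check_binding(&edited, &claims, 1_900_000_000));
}
```

Without checks 2 and 3 the subject and audience fields of the body would be unauthenticated, because only svid_jwt is covered by the issuer's signature.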

Structs§

IdentityBody
Wire-stable shape for the Identity projection body.
JwtSvidClaims
Minimum required JWT-SVID claims per the spec. Extra claims are allowed (and ignored here); serde_json::Value capture is left for callers that need provider-specific extensions.

Enums§

IdentityVerifyError

Constants§

IDENTITY_BODY_VERSION

Functions§

identity_projection
Build a Projection::Identity carrying the supplied JWT-SVID. Callers will typically place this into the projections field of a nucleus_substrate_core::Receipt.
verify_identity_projection
Verify an Identity projection offline against the issuer’s JWKS.