Skip to content

SSO Phase 1 Task 9: flag wiring + docs (default OFF) #265

Description

@ahmetabdullahgultekin

Why: Ship the feature dark behind config so it is reversible by env flag (per the reversible-risky-changes rule), and document how to enable + canary.

Done when:

  • Add @ConfigurationProperties SsoSessionProperties + application*.yml keys app.auth.sso-session.enabled: false, app.auth.sso-session.max-age: PT8H. Update SSO_APP_LAUNCHER_DESIGN.md ('Phase 1: done') + the api CLAUDE.md operator note (how to enable + canary plan).
  • ./mvnw -T 2C test green.
    Security acceptance (must hold before any canary): flag OFF = byte-for-byte today's behavior; forged/expired cookie never mints; step-up tenants never silently bypassed; minted tokens keep pairwise sub + real tenant_id; every silent mint audited; prompt=none with no session → login_required. Rollout: dark → staging → canary one tenant (Marmara) → broad.

source: docs/SSO_APP_LAUNCHER_PHASE1_PLAN.md:89


Migrated from docs/SSO_APP_LAUNCHER_PHASE1_PLAN.md (git history retains the original).

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions