OIDC RBAC Deployment
Huzefaaa2 edited this page May 18, 2026 · 21 revisions
CAVRA now includes deployment references for Microsoft Entra ID and Okta OIDC with repository-scoped RBAC.
- `examples/identity/entra-id-oidc-rbac`
- `examples/identity/okta-oidc-rbac`

Each bundle generates:

- `approval-oidc.json`
- `approval-jwks.json`
- `approval-rbac.yaml`
- `cavra-identity.env`
```bash
export CAVRA_APPROVAL_OIDC_CONFIG=.cavra/identity/entra/approval-oidc.json
export CAVRA_APPROVAL_RBAC_FILE=.cavra/identity/entra/approval-rbac.yaml
export CAVRA_CORS_ORIGINS=https://cavra-console.example.com
uvicorn cavra.api:app --host 0.0.0.0 --port 8000
```

Validate the boundary:

```bash
curl http://127.0.0.1:8000/console/security-boundary
curl http://127.0.0.1:8000/console/session -H "Authorization: Bearer $CAVRA_CONSOLE_TOKEN"
```

- Use tenant-specific Entra issuer metadata.
- Use exact Okta issuer metadata.
- Emit constrained `groups` or `roles` claims.
- Map external groups to CAVRA approval groups.
- Scope repository permissions by repository and approver group.
- Keep JWKS refresh in an operator runbook.
- Restrict `CAVRA_CORS_ORIGINS` for hosted consoles.
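The checks in the list above (exact issuer match, a bounded `groups` claim, external group to approval group mapping, repository-scoped approval) chained into one decision, as an added example that is not CAVRA's own code. The key names in the config and RBAC dicts, the group object ids, the repository names and the `api://cavra-console` audience are all assumptions standing in for what `approval-oidc.json` and `approval-rbac.yaml` would carry; the token is signed with HS256 and a constructed secret only so the example runs offline, whereas a real Entra or Okta token is RS256/ES256 and is verified against the keys in `approval-jwks.json`.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins for approval-oidc.json and approval-rbac.yaml.
# The real schemas are not shown on the wiki page; these key names are assumptions.
OIDC_CONFIG = {
    # Tenant-specific issuer. The shared "/common/v2.0" endpoint would accept
    # tokens from any tenant and must not be configured here.
    "issuer": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
    "audience": "api://cavra-console",
    "groups_claim": "groups",
    "max_groups": 20,  # emit only the groups CAVRA needs; reject oversized claims
}

RBAC = {
    # external group object id -> CAVRA approval group (constructed ids)
    "group_map": {
        "a1b2c3d4-0000-0000-0000-000000000001": "release-approvers",
        "a1b2c3d4-0000-0000-0000-000000000002": "security-approvers",
    },
    # repository -> approver groups allowed to approve for that repository
    "repositories": {
        "Huzefaaa2/cavra": {"approve": ["release-approvers", "security-approvers"]},
        "example-org/payments": {"approve": ["security-approvers"]},
    },
}

DEMO_SECRET = b"constructed-demo-secret-not-for-production"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint a constructed HS256 token (offline stand-in for an IdP-issued RS256 token)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes, cfg: dict, now: int) -> dict:
    """Signature first, then issuer, audience, expiry and a constrained groups claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The accepted algorithm comes from configuration, never from the token
    # (rejects alg "none" and algorithm-confusion attempts).
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != cfg["issuer"]:  # exact match, no prefix or wildcard
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if cfg["audience"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    groups = claims.get(cfg["groups_claim"])
    # Entra replaces the groups claim with _claim_names/_claim_sources on group
    # overage; a missing or non-list claim is a hard failure, not "no groups".
    if not isinstance(groups, list):
        raise ValueError("groups claim missing")
    if len(groups) > cfg["max_groups"]:
        raise ValueError("groups claim exceeds configured bound")
    return claims


def approval_groups(claims: dict, rbac: dict, cfg: dict) -> list:
    """Map external group ids to CAVRA approval groups; unmapped ids confer nothing."""
    return sorted({rbac["group_map"][g] for g in claims[cfg["groups_claim"]] if g in rbac["group_map"]})


def can_approve(rbac: dict, groups: list, repo: str) -> bool:
    """Repository-scoped check: unknown repositories and empty allow-lists deny."""
    allowed = rbac["repositories"].get(repo, {}).get("approve", [])
    return any(g in allowed for g in groups)


def decide(token: str, repo: str, now: int, secret: bytes = DEMO_SECRET) -> tuple:
    """Return (allowed, reason) so every failure is a logged reason, not an exception."""
    try:
        claims = verify_token(token, secret, OIDC_CONFIG, now)
    except ValueError as exc:
        return False, str(exc)
    groups = approval_groups(claims, RBAC, OIDC_CONFIG)
    if not groups:
        return False, "no mapped approval groups"
    return can_approve(RBAC, groups, repo), f"approval groups {groups}"
```

The order matters: nothing in the payload is trusted until the signature checks out, the issuer is compared as an exact string against the tenant-specific value, and a group id that is not in the map never becomes an approval group, so a new enterprise group grants nothing until an IAM administrator adds it to the mapping.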
- As an IAM administrator, I can map enterprise groups to CAVRA approval groups.
- As a platform engineer, I can generate CAVRA-ready identity files from Entra or Okta metadata.
- As an auditor, I can inspect console session identity and repository permissions.
OIDC/RBAC deployment references move CAVRA from local approval claims to production identity boundaries. Browser-visible console actions can rely on signed identity context and repository-scoped authorization.
Go daemon lifecycle management, daemon evidence hooks, and public sandbox URL validation after deployment from main.
CAVRA Field Compass
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?
| Start | Build | Operate | Assure |
|---|---|---|---|
| Quick Start | CLI | Enterprise Guide | AISPM |
| Reader Paths | Policy Syntax | Deployments | Evidence |
| Community | GUI | Troubleshooting | Conclusion |
Textbook home: Before the Agent Acts |
Development archive: development and testing artifacts |
Source repository: github.com/Huzefaaa2/cavra
- Foreword And Reader Paths
- Why CAVRA Exists
- Runtime Authority Model
- Architecture
- Editions
- Install And Deploy
- Community Guide
- Enterprise Guide
- CLI Reference
- GUI And Sandbox
- AISPM Guide
- Policy And Evidence
- Operations And Integrations
- Labs And Use Cases
- Appendices And FAQ
- Policy Language Reference
- Troubleshooting Playbook
- Conclusion