Zitadel + LLDAP provisioning scripts and seed users #5

Open
opened 2026-04-14 20:40:44 +00:00 by claude-desktop · 0 comments

## Goal

Zitadel and LLDAP come up pre-configured for local dev: realm/project/application created in Zitadel, LDAP user federation configured, a handful of seed users (admin, two practitioners, a secretariat).

## Acceptance criteria

### LLDAP

- [ ] LLDAP seeded with an `admin`, `dr.alice`, `dr.bob`, `secretariat.claire`.
- [ ] Groups: `koinos-admins`, `koinos-practitioners`, `koinos-secretariat`.
- [ ] Seed script idempotent (re-running is a no-op on unchanged state).

### Zitadel

- [ ] Project `koinos` with an OIDC application for the backend (confidential) and one for the web client (public + PKCE).
- [ ] LLDAP configured as a federated user source.
- [ ] Seed users imported.
- [ ] Claims mapped: `sub`, `email`, `roles` (from groups), `preferred_username`.
- [ ] Client credentials written to a dev `.env` file consumed by backend and web.

### Scripts

- [ ] `deploy/identity/bootstrap.sh` idempotent, prints clear progress.
- [ ] Documented in `deploy/README.md`.

## Out of scope

- Pro Santé Connect federation (v0.2).
- FranceConnect+ (v0.2).
- WebAuthn enforcement (tracked later).

## References

- `spec/03-architecture/03-identity-auth.md`.
- `spec/08-roadmap-mvp.md` — step #5.
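The two acceptance criteria that are easy to get subtly wrong are "seed script idempotent" and "roles (from groups)". The following is an added example, not code from the koinos project or from the issue: a desired-state reconciler that reads current state before every action and acts only on the difference, so a second run on unchanged state makes zero changes, plus a small function deriving the `roles` claim from group membership. The `Backend` protocol is a hypothetical abstraction over LLDAP's API (a real `bootstrap.sh` would implement those calls against LLDAP), `InMemoryBackend` is a constructed stand-in so it runs offline, and the e-mail addresses and role names are placeholders.

```python
# Added example (not koinos project code): an idempotent seed reconciler.
# Backend is a hypothetical abstraction over LLDAP's API; InMemoryBackend is
# a constructed test double so the example runs without a live LLDAP.
from typing import Protocol

# Desired state taken from the issue. E-mail addresses are constructed placeholders.
DESIRED_GROUPS = ("koinos-admins", "koinos-practitioners", "koinos-secretariat")
DESIRED_USERS = {
    "admin": ("admin@example.invalid", ["koinos-admins"]),
    "dr.alice": ("dr.alice@example.invalid", ["koinos-practitioners"]),
    "dr.bob": ("dr.bob@example.invalid", ["koinos-practitioners"]),
    "secretariat.claire": ("secretariat.claire@example.invalid", ["koinos-secretariat"]),
}
# Group -> role name used in the `roles` claim (assumed role names).
GROUP_TO_ROLE = {
    "koinos-admins": "admin",
    "koinos-practitioners": "practitioner",
    "koinos-secretariat": "secretariat",
}


class Backend(Protocol):
    """Hypothetical interface a real bootstrap would implement against LLDAP."""
    def list_users(self) -> set[str]: ...
    def create_user(self, user_id: str, email: str) -> None: ...
    def list_groups(self) -> set[str]: ...
    def create_group(self, name: str) -> None: ...
    def group_members(self, name: str) -> set[str]: ...
    def add_member(self, name: str, user_id: str) -> None: ...


class InMemoryBackend:
    """Constructed stand-in for the directory, for offline runs."""

    def __init__(self) -> None:
        self.users: dict[str, str] = {}          # user_id -> email
        self.members: dict[str, set[str]] = {}   # group -> user_ids

    def list_users(self) -> set[str]:
        return set(self.users)

    def create_user(self, user_id: str, email: str) -> None:
        self.users[user_id] = email

    def list_groups(self) -> set[str]:
        return set(self.members)

    def create_group(self, name: str) -> None:
        self.members.setdefault(name, set())

    def group_members(self, name: str) -> set[str]:
        return set(self.members.get(name, ()))

    def add_member(self, name: str, user_id: str) -> None:
        self.members[name].add(user_id)


def reconcile(backend: Backend, log=print) -> list[tuple[str, ...]]:
    """Bring the backend to the desired state and return the changes made.

    Each step compares desired against current state and only acts on the
    difference, so re-running on unchanged state returns an empty list.
    """
    changes: list[tuple[str, ...]] = []
    existing_groups = backend.list_groups()
    for group in DESIRED_GROUPS:
        if group not in existing_groups:
            backend.create_group(group)
            changes.append(("create_group", group))
            log(f"[+] group {group}")
    existing_users = backend.list_users()
    for user_id, (email, groups) in DESIRED_USERS.items():
        if user_id not in existing_users:
            backend.create_user(user_id, email)
            changes.append(("create_user", user_id))
            log(f"[+] user {user_id}")
        for group in groups:
            if user_id not in backend.group_members(group):
                backend.add_member(group, user_id)
                changes.append(("add_member", group, user_id))
                log(f"[+] {user_id} -> {group}")
    if not changes:
        log("[=] already up to date, nothing to do")
    return changes


def roles_claim(backend: Backend, user_id: str) -> list[str]:
    """Derive the `roles` claim for a user from its group memberships."""
    return sorted(
        role for group, role in GROUP_TO_ROLE.items()
        if user_id in backend.group_members(group)
    )


if __name__ == "__main__":
    directory = InMemoryBackend()
    print(len(reconcile(directory)), "changes on first run")
    print(len(reconcile(directory)), "changes on second run")
    print("dr.alice roles:", roles_claim(directory, "dr.alice"))
```

The reconciler never stores passwords in the desired-state table: initial credentials belong in the dev `.env` or the environment the script reads, not in a committed seed file, and the same read-then-act pattern applies to the Zitadel side (project, applications, IdP) when `bootstrap.sh` is written.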
claude-desktop added this to the v0.1 milestone 2026-04-14 20:40:44 +00:00
Reference
charles/koinos#5