{"id":"identity-session-and-authorization-complete","text":"OpenShift identity management forms a complete chain from authentication through session management to authorization: the integrated OAuth server maps identity-provider logins to Identity and User objects (UserIdentityMapping), issues OAuthAccessToken objects that represent sessions and can be revoked by deleting them, and every authenticated request is then evaluated against the authorization APIs (authorization.openshift.io alongside Kubernetes RBAC). Revocation is session-scoped, not identity-scoped: deleting an OAuthAccessToken makes any request bearing that token fail authentication before an authorization check is ever reached, so that session loses all access, while other tokens for the same User and the User's RoleBindings are unaffected; removing the identity's access altogether is a binding change, not a token deletion.","truth_value":"IN","source":"","source_url":"","source_hash":"","justifications":[{"type":"SL","antecedents":["identity-to-authorization-governance-chain","oauth-session-lifecycle-management"],"outlist":[],"label":"depth-2 identity-to-authorization covers the static mapping; depth-1 session lifecycle adds the temporal dimension — combining reveals that authorization is not just identity-based but session-scoped, and revocation propagates through the entire chain"}],"dependents":["identity-governs-operator-and-workload-access"],"metadata":{},"explanation":{"steps":[{"node":"identity-session-and-authorization-complete","truth_value":"IN","reason":"SL justification valid","antecedents":["identity-to-authorization-governance-chain","oauth-session-lifecycle-management"],"label":"depth-2 identity-to-authorization covers the static mapping; depth-1 session lifecycle adds the temporal dimension — combining reveals that authorization is not just identity-based but session-scoped, and revocation propagates through the entire chain"},{"node":"identity-to-authorization-governance-chain","truth_value":"IN","reason":"SL justification valid","antecedents":["openshift-identity-lifecycle-chain","openshift-extends-k8s-authorization-model"],"label":"Identity chain output (authenticated users) is the input to the authorization model — combining reveals the full access control pipeline"},{"node":"openshift-identity-lifecycle-chain","truth_value":"IN","reason":"SL justification valid","antecedents":["oauth-config-singleton-named-cluster","oauth-requires-integratedoauth-type","user-api-group-user-openshift-io","useridentitymapping-maps-user-to-identity","oauthclientauthorization-delete-revokes"],"label":"Five resources form a directed chain from authentication config to session lifecycle"},{"node":"oauth-config-singleton-named-cluster","truth_value":"IN","reason":"premise"},{"node":"oauth-requires-integratedoauth-type","truth_value":"IN","reason":"premise"},{"node":"user-api-group-user-openshift-io","truth_value":"IN","reason":"premise"},{"node":"useridentitymapping-maps-user-to-identity","truth_value":"IN","reason":"premise"},{"node":"oauthclientauthorization-delete-revokes","truth_value":"IN","reason":"premise"},{"node":"openshift-extends-k8s-authorization-model","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-two-authorization-api-groups","openshift-has-own-authorization-api","scc-api-group-security-openshift","default-clusterroles-list"],"label":"Parallel authorization APIs reflect OpenShift's extension of Kubernetes security model"},{"node":"ocp-two-authorization-api-groups","truth_value":"IN","reason":"premise"},{"node":"openshift-has-own-authorization-api","truth_value":"IN","reason":"premise"},{"node":"scc-api-group-security-openshift","truth_value":"IN","reason":"premise"},{"node":"default-clusterroles-list","truth_value":"IN","reason":"premise"},{"node":"oauth-session-lifecycle-management","truth_value":"IN","reason":"SL justification valid","antecedents":["oauth-five-api-resources","oauth-delete-token-revokes-session","delete-oauthaccesstoken-revokes-session"],"label":"OAuth token deletion as the primary session revocation mechanism"},{"node":"oauth-five-api-resources","truth_value":"IN","reason":"premise"},{"node":"oauth-delete-token-revokes-session","truth_value":"IN","reason":"premise"},{"node":"delete-oauthaccesstoken-revokes-session","truth_value":"IN","reason":"premise"}]}}
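The record above describes the identity -> session -> authorization chain in prose. The following is an added, self-contained model of that chain, not OpenShift's own code: the object names (Identity, User, UserIdentityMapping, OAuthAccessToken, RoleBinding) mirror the OpenShift API, but the in-memory structures, the `sha256~` token format, the `(user, verb, resource)` rule syntax and the `Cluster` class are assumptions made for illustration. It shows the point a practitioner must not get wrong: deleting one OAuthAccessToken fails that session at authentication (401) while a second token for the same User keeps working, and only removing the User's binding changes the answer for every session (403).

```python
"""Toy model of the OpenShift identity -> session -> authorization chain.

Added example, not OpenShift code. Names mirror the OpenShift API, but every
data structure, the token format and the rule syntax are assumptions.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    name: str
    identities: set = field(default_factory=set)  # "<provider>:<providerUserName>"


@dataclass
class OAuthAccessToken:
    name: str        # the bearer token itself (the real object is keyed by it)
    user_name: str   # userName field: the session belongs to this User


class Cluster:
    """Assumed stand-in for the OAuth server, user API and RBAC authorizer."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.identities: dict[str, str] = {}          # Identity name -> User name
        self.tokens: dict[str, OAuthAccessToken] = {}  # OAuthAccessToken objects
        self.bindings: set = set()                     # (user, verb, resource)

    # -- identity lifecycle: an IdP login yields an Identity mapped to a User --
    def login(self, provider: str, provider_user: str) -> str:
        ident = f"{provider}:{provider_user}"
        user_name = self.identities.get(ident)
        if user_name is None:  # first login: create User + UserIdentityMapping
            user_name = provider_user
            self.users.setdefault(user_name, User(user_name)).identities.add(ident)
            self.identities[ident] = user_name
        # Every login issues a fresh session token; several may coexist per User.
        tok = OAuthAccessToken("sha256~" + secrets.token_urlsafe(32), user_name)
        self.tokens[tok.name] = tok
        return tok.name

    # -- session lifecycle: deleting the OAuthAccessToken is the revocation --
    def delete_oauthaccesstoken(self, token_name: str) -> None:
        self.tokens.pop(token_name, None)

    # -- authorization: RoleBinding-style rules keyed on the User --
    def create_rolebinding(self, user: str, verb: str, resource: str) -> None:
        self.bindings.add((user, verb, resource))

    def delete_rolebinding(self, user: str, verb: str, resource: str) -> None:
        self.bindings.discard((user, verb, resource))

    def authenticate(self, token_name: str) -> Optional[str]:
        tok = self.tokens.get(token_name)
        return tok.user_name if tok else None

    def authorize(self, user: str, verb: str, resource: str) -> bool:
        return (user, verb, resource) in self.bindings

    def request(self, token_name: str, verb: str, resource: str) -> int:
        """HTTP-style outcome: 401 if the session is gone, 403 if unbound, else 200."""
        user = self.authenticate(token_name)
        if user is None:
            return 401  # authn fails; the authorizer is never consulted
        return 200 if self.authorize(user, verb, resource) else 403


def demo() -> dict:
    c = Cluster()
    c.create_rolebinding("alice", "get", "pods")
    laptop = c.login("github", "alice")  # constructed sample logins
    ci = c.login("github", "alice")      # second session for the same User
    before = (c.request(laptop, "get", "pods"),
              c.request(ci, "get", "pods"),
              c.request(laptop, "delete", "pods"))
    c.delete_oauthaccesstoken(laptop)    # revoke one session only
    after_token = (c.request(laptop, "get", "pods"), c.request(ci, "get", "pods"))
    c.delete_rolebinding("alice", "get", "pods")  # identity-level change
    after_binding = c.request(ci, "get", "pods")
    return {"users": len(c.users), "identities": len(c.identities),
            "before": before, "after_token": after_token,
            "after_binding": after_binding}


if __name__ == "__main__":
    print(demo())
```

The two-token setup is the part worth keeping in mind during incident response: on a real cluster, listing `oauthaccesstokens` for a user and deleting all of them is what ends that identity's sessions, while a single deletion only ends the one session that token represents.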