# Spike

1. Twirp + gRPC (authz)
    1. idp (headless)
        * provide a Thrift/gRPC endpoint that is the equivalent of `Ability.allowed?(subject, permission, resource)`
    1. gitlab
2. OpenID Connect (authn) + OAuth (authz)
    * two services
        1. idp (with login pages)
            * user
            * member
            * `member_role`
        1. gitlab
            * groups
            * project
    * OpenID transaction to provide authn information to `gitlab-org/gitlab`
    * OAuth token introspection endpoint to provide token permissions
4. OPA agent-style sidecar using declarative policy
3. API Gateway
    * using a Go reverse proxy and one of the new policy DSLs

## Identity Provider (SAML IdP)

This is a tiny SAML Identity Provider for testing out interactions with a SAML Service Provider (SP).

1. Start the server:

        $ ruby ./bin/idp

1. Use `http://localhost:8282/metadata.xml` as your SAML IdP metadata URL.

## Service Provider (SAML SP)

This is a tiny SAML Service Provider for testing out interactions with a SAML Identity Provider (IdP).

1. Start the server:

        $ ruby ./bin/sp

1. Use `http://localhost:8283/metadata.xml` as your SAML SP metadata URL.
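The headless `Ability.allowed?(subject, permission, resource)` decision that option 1 would expose over gRPC, and the user / member / `member_role` / group / project model that option 2 lists, can be sketched as a single deny-by-default function. The following Ruby is an added illustration written for this README, not code from the spike or from `gitlab-org/gitlab`: the role names, the permission-to-minimum-role table, the group inheritance rule and the sample records are all constructed assumptions.

```ruby
# Added example: a headless authorization decision function shaped like
# `Ability.allowed?(subject, permission, resource)`. Roles, permission table and
# sample data are assumptions for illustration, not the project's real policy.

# Assumed role hierarchy, lowest access first.
ROLE_RANK = { 'guest' => 10, 'reporter' => 20, 'developer' => 30,
              'maintainer' => 40, 'owner' => 50 }.freeze

# Assumed minimum role per permission. In the OPA / policy-DSL options this
# table would live in declarative policy rather than in code.
PERMISSION_MIN_ROLE = {
  'read_project'    => 'guest',
  'push_code'       => 'developer',
  'admin_project'   => 'maintainer',
  'destroy_project' => 'owner'
}.freeze

Project = Struct.new(:id, :group_id, :visibility)
Group   = Struct.new(:id, :parent_id)
Member  = Struct.new(:user_id, :resource_type, :resource_id, :member_role)

class AuthzStore
  def initialize(groups:, projects:, members:)
    @groups   = groups.each_with_object({})   { |g, h| h[g.id] = g }
    @projects = projects.each_with_object({}) { |p, h| h[p.id] = p }
    @members  = members
  end

  # Walk from the project up through its group ancestors and return the
  # highest member_role the user holds anywhere on that path (nil if none).
  def effective_role(user_id, project)
    roles = [role_on(user_id, 'Project', project.id)]
    gid = project.group_id
    while gid
      roles << role_on(user_id, 'Group', gid)
      gid = @groups.fetch(gid).parent_id
    end
    roles.compact.max_by { |r| ROLE_RANK.fetch(r) }
  end

  # Deny by default: unknown resource, unknown permission, or no membership
  # all yield false. Only public read bypasses the membership requirement.
  def allowed?(user_id, permission, project_id)
    project = @projects[project_id]
    return false if project.nil?
    min_role = PERMISSION_MIN_ROLE[permission]
    return false if min_role.nil?
    return true if permission == 'read_project' && project.visibility == :public
    role = effective_role(user_id, project)
    return false if role.nil?
    ROLE_RANK.fetch(role) >= ROLE_RANK.fetch(min_role)
  end

  private

  def role_on(user_id, type, id)
    m = @members.find do |x|
      x.user_id == user_id && x.resource_type == type && x.resource_id == id
    end
    m&.member_role
  end
end

# Constructed sample data: group 2 is nested under group 1; project 10 is a
# private project in group 2, project 11 a public project in group 1.
STORE = AuthzStore.new(
  groups:   [Group.new(1, nil), Group.new(2, 1)],
  projects: [Project.new(10, 2, :private), Project.new(11, 1, :public)],
  members:  [
    Member.new(100, 'Group', 1, 'maintainer'),  # user 100: maintainer of group 1
    Member.new(200, 'Project', 10, 'guest')     # user 200: guest on project 10
  ]
)

if __FILE__ == $PROGRAM_NAME
  puts STORE.allowed?(100, 'push_code', 10)     # true: role inherited from group 1
  puts STORE.allowed?(200, 'push_code', 10)     # false: guest is below developer
  puts STORE.allowed?(300, 'read_project', 11)  # true: public project, no membership
  puts STORE.allowed?(300, 'read_project', 10)  # false: private, not a member
end
```

The important property for the gRPC variant is that every failure path (missing project, unknown permission name, no membership) returns `false` rather than raising, so a caller on the other side of the wire never mistakes a transport or lookup error for a grant.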