Upsert Federation Configuration for a Connection
Creates or updates the IAM federation configuration for a connection. AdminCredentialsJSON is write-only; omit on update to preserve the stored value.
Path Parameters
Name or UUID of the connection
Body
The request body resource
HookSource selects which resolver category the gateway runs. Only the built-in resolver category ships today; the field is preserved so new sources can be added without breaking existing configurations.
Allowed values: builtin. Example: "builtin"
AdminCredentialsJSON is the plaintext admin credential blob. Its shape is provider-specific: for gcp_iam it is the admin service-account JSON; for gcp_oauth it is the OAuth client config JSON ({"client_id":"...", "client_secret":"..."}). Write-only — never returned on GET. Required on the initial POST when HookSource=builtin; optional on PUT (omitting it leaves the stored value unchanged).
BuiltinProvider is required when HookSource=builtin. "gcp_iam" impersonates a per-user service account via an admin SA key; "gcp_oauth" mints tokens from a per-user Google OAuth refresh token (no service accounts).
Allowed values: gcp_iam, gcp_oauth. Example: "gcp_iam"
ConnectionID is the connection this federation config applies to. Populated by the server from the URL path on writes.
Example: "15B5A2FD-0706-4A47-B1CF-B93CCFC5B3D7"
CreatedAt / UpdatedAt are server-set audit timestamps.
Example: "2025-05-25T17:00:00Z"
ExtraConfig is provider-specific freeform JSON (e.g. {"project_id": "my-gcp-proj"}). The gateway does not interpret unknown keys.
FallbackPolicy controls behavior when resolution fails. "deny" aborts the session; "static" skips federation and lets the session run on the connection's existing static credentials.
Allowed values: deny, static. Example: "deny"
HasAdminCredentials is server-set on GET responses to let the UI know whether a credential is stored without exposing its value.
Example: true
ID is the federation row's UUID. Empty on POST requests; populated on GET/PUT responses.
Example: "15B5A2FD-0706-4A47-B1CF-B93CCFC5B3D7"
IdentitySourceAttribute is a JSONPath-like accessor into the Hoop user (defaults to $.user.email).
Example: "$.user.email"
IdentityTargetTemplate is the principal template the source attribute substitutes into (defaults to "{user.email}").
Example: "{user.email}"
TokenTTLSeconds caps the lifetime of generated credentials (default 3600, max 43200). Built-in providers may clamp lower based on cloud API limits.
Example: 3600
Example (UpdatedAt): "2025-05-25T17:00:00Z"
Response
OK
HookSource selects which resolver category the gateway runs. Only the built-in resolver category ships today; the field is preserved so new sources can be added without breaking existing configurations.
Allowed values: builtin. Example: "builtin"
AdminCredentialsJSON is the plaintext admin credential blob. Its shape is provider-specific: for gcp_iam it is the admin service-account JSON; for gcp_oauth it is the OAuth client config JSON ({"client_id":"...", "client_secret":"..."}). Write-only — never returned on GET. Required on the initial POST when HookSource=builtin; optional on PUT (omitting it leaves the stored value unchanged).
BuiltinProvider is required when HookSource=builtin. "gcp_iam" impersonates a per-user service account via an admin SA key; "gcp_oauth" mints tokens from a per-user Google OAuth refresh token (no service accounts).
Allowed values: gcp_iam, gcp_oauth. Example: "gcp_iam"
ConnectionID is the connection this federation config applies to. Populated by the server from the URL path on writes.
Example: "15B5A2FD-0706-4A47-B1CF-B93CCFC5B3D7"
CreatedAt / UpdatedAt are server-set audit timestamps.
Example: "2025-05-25T17:00:00Z"
ExtraConfig is provider-specific freeform JSON (e.g. {"project_id": "my-gcp-proj"}). The gateway does not interpret unknown keys.
FallbackPolicy controls behavior when resolution fails. "deny" aborts the session; "static" skips federation and lets the session run on the connection's existing static credentials.
Allowed values: deny, static. Example: "deny"
HasAdminCredentials is server-set on GET responses to let the UI know whether a credential is stored without exposing its value.
Example: true
ID is the federation row's UUID. Empty on POST requests; populated on GET/PUT responses.
Example: "15B5A2FD-0706-4A47-B1CF-B93CCFC5B3D7"
IdentitySourceAttribute is a JSONPath-like accessor into the Hoop user (defaults to $.user.email).
Example: "$.user.email"
IdentityTargetTemplate is the principal template the source attribute substitutes into (defaults to "{user.email}").
Example: "{user.email}"
TokenTTLSeconds caps the lifetime of generated credentials (default 3600, max 43200). Built-in providers may clamp lower based on cloud API limits.
Example: 3600
Example (UpdatedAt): "2025-05-25T17:00:00Z"
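A pre-flight check for the Body fields above, written as an added example and not taken from the gateway or its client libraries. It uses the field names from the descriptions as dictionary keys (the JSON keys on the wire are not shown on this page and are an assumption to verify), and `check_federation_config` and the sample configs are hypothetical.

```python
# Added example. Keys are the field names used in this reference's
# descriptions; the JSON keys on the wire are an assumption to verify.
PROVIDERS = {"gcp_iam", "gcp_oauth"}
FALLBACKS = {"deny", "static"}
DEFAULT_TTL, MAX_TTL = 3600, 43200  # documented default and maximum
SERVER_SET = ("ConnectionID", "CreatedAt", "HasAdminCredentials", "ID", "UpdatedAt")


def check_federation_config(cfg, initial_post):
    """Return (errors, warnings) for a config dict about to be sent."""
    errors, warnings = [], []
    if cfg.get("HookSource") != "builtin":
        errors.append("HookSource: only 'builtin' ships today")
    if cfg.get("BuiltinProvider") not in PROVIDERS:
        errors.append("BuiltinProvider: must be gcp_iam or gcp_oauth")
    creds = cfg.get("AdminCredentialsJSON")
    if initial_post and not creds:
        errors.append("AdminCredentialsJSON: required on the initial POST")
    elif creds and not initial_post:
        warnings.append("AdminCredentialsJSON: sent on update; omit to keep the stored value")
    policy = cfg.get("FallbackPolicy")
    if policy not in FALLBACKS:  # requiring an explicit value is this example's choice
        errors.append("FallbackPolicy: set explicitly to deny or static")
    elif policy == "static":
        warnings.append("FallbackPolicy: static runs the session on the connection's "
                        "static credentials when resolution fails")
    ttl = cfg.get("TokenTTLSeconds", DEFAULT_TTL)
    if isinstance(ttl, bool) or not isinstance(ttl, int) or not 0 < ttl <= MAX_TTL:
        errors.append(f"TokenTTLSeconds: must be an integer in 1..{MAX_TTL}")
    for name in SERVER_SET:
        if cfg.get(name):
            warnings.append(f"{name}: server-set, a client value is not expected")
    return errors, warnings


# Constructed sample inputs; the credential is a placeholder, not a real key.
SAMPLE_OK = {"HookSource": "builtin", "BuiltinProvider": "gcp_iam",
             "AdminCredentialsJSON": '{"placeholder": "admin-sa-json"}',
             "FallbackPolicy": "deny", "TokenTTLSeconds": 3600}
SAMPLE_RISKY = {"HookSource": "builtin", "BuiltinProvider": "gcp_oauth",
                "FallbackPolicy": "static", "TokenTTLSeconds": 86400,
                "HasAdminCredentials": True}

if __name__ == "__main__":
    for cfg in (SAMPLE_OK, SAMPLE_RISKY):
        print(check_federation_config(cfg, initial_post=True))
```

Treating the `static` warning as a review item keeps a failed resolution from silently running a session on the connection's static credentials.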