
Auth

OpenID Connect 1.0 Identity Provider

A standards-compliant OAuth 2.0 and OpenID Connect identity provider that serves as the authentication backbone for every CITADEL application. RS256-signed JWTs, refresh token rotation with reuse detection, and TOTP-based multi-factor authentication.

Core Features

What Auth delivers out of the box.

1. OpenID Connect 1.0 Provider

Full authorization code flow with PKCE (S256 required). Supports both confidential and public clients for web applications, single-page apps, and native applications.

  • Authorization code flow with PKCE (S256 mandatory)
  • RS256-signed JWT access and ID tokens
  • OpenID Connect Discovery endpoint (/.well-known/openid-configuration)
  • UserInfo endpoint with standard and custom claims
  • Public client support without client secrets

2. Token Security

RS256-signed JWTs with automatic refresh token rotation. A refresh token presented again after it has already been rotated is treated as compromised and triggers immediate revocation of its whole token family, invalidating every token in the chain.

  • Refresh token rotation on every use
  • Reuse detection with automatic family revocation
  • Configurable token TTLs per client
  • Bearer token authentication for API access
  • Signed token validation without database lookups
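
The rotation and reuse-detection behaviour described above, as an added illustrative example that is not CITADEL's own code: an in-memory store in which every login starts a token family, each rotation consumes the presented token and mints its successor, and a second presentation of a consumed token revokes the entire family. The family-id scheme and the outcome labels returned for audit logging are constructed for this example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

@dataclass
class RefreshRecord:
    family_id: str  # constructed: one family per login session
    subject: str
    consumed: bool = False  # set once the token has been rotated

class RefreshTokenStore:
    """Constructed in-memory model of rotation with reuse detection."""

    def __init__(self) -> None:
        self.records: Dict[str, RefreshRecord] = {}
        self.revoked_families: Set[str] = set()

    def issue(self, subject: str) -> str:
        """Start a new token family, e.g. after a successful login."""
        return self._mint(subject, secrets.token_urlsafe(16))

    def _mint(self, subject: str, family_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.records[token] = RefreshRecord(family_id, subject)
        return token

    def rotate(self, presented: str) -> Tuple[Optional[str], str]:
        """Exchange a refresh token for its successor; returns (new_token,
        outcome), where outcome is a constructed audit label."""
        rec = self.records.get(presented)
        if rec is None:
            return None, "unknown_token"
        if rec.family_id in self.revoked_families:
            return None, "family_revoked"
        if rec.consumed:
            # Already rotated once, so this is a replay by either the real
            # client or a thief holding a stale copy. We cannot tell which,
            # so every token in the family is revoked.
            self.revoke_family(rec.family_id)
            return None, "reuse_detected"
        rec.consumed = True
        return self._mint(rec.subject, rec.family_id), "rotated"

    def revoke_family(self, family_id: str) -> None:
        # Invalidate every token in the chain, the newest one included.
        self.revoked_families.add(family_id)
        for rec in self.records.values():
            if rec.family_id == family_id:
                rec.consumed = True
```

A production store would persist records and expire consumed tokens, but the decision logic in `rotate` is the part that stops a stolen refresh token from being replayed indefinitely.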

3. Multi-Factor Authentication

TOTP-based two-factor authentication with QR code provisioning. Per-user rate limiting prevents brute-force attacks against TOTP codes.

  • TOTP with QR code setup flow
  • Per-user attempt rate limiting
  • Configurable enforcement per organization
  • Backup recovery options

4. Admin API

Full management API for users, OAuth clients, and organizations. Programmatically provision and manage the entire identity infrastructure.

  • User lifecycle management (create, update, disable, delete)
  • OAuth client registration and credential rotation
  • Role and permission assignment
  • Organization provisioning and configuration

Key Capabilities

Cross-cutting capabilities built into Auth.

Brute-Force Protection

Per-IP and per-key rate limiting with configurable thresholds. Failed authentication attempts trigger progressive lockouts.

Comprehensive Audit Logging

Every authentication event is logged with timestamp, IP address, user agent, and outcome. Full audit trail for compliance.

Secure Session Management

Encrypted HttpOnly cookies with configurable expiry. SameSite=Strict and Secure flags enforced in production.

Argon2id Password Hashing

OWASP-recommended Argon2id hashing with tuned parameters. No plaintext passwords ever stored or logged.

CORS Policy Management

Per-environment origin allowlists. Strict CORS configuration prevents unauthorized cross-origin authentication requests.

Security Headers

CSP, HSTS, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy applied to all responses.

Technical Details

Under the hood of Auth.

Token Format: RS256-signed JWT (RFC 7519)
Password Hashing: Argon2id (OWASP recommended)
Session Storage: Encrypted HttpOnly cookies
Protocol: OpenID Connect 1.0 / OAuth 2.0
MFA Method: TOTP (RFC 6238)
Rate Limiting: Per-IP and per-key (Governor)

Ready to Get Started with Auth?

See how CITADEL Auth can streamline your operations. Talk to the Gallantic team.
