Auth

OpenID Connect 1.0 Identity Provider and SSO Hub

A production-grade OAuth 2.0 and OpenID Connect identity provider that serves as the authentication backbone and single sign-on hub for every CITADEL application. RS256-signed JWTs, refresh token rotation with reuse detection, WebAuthn/Passkey passwordless authentication, TOTP with backup codes, account lockout, multi-tenant organization management, and comprehensive audit logging.

Core Features

What Auth delivers out of the box.

1

OpenID Connect 1.0 Provider

Full authorization code flow with PKCE (S256 required). Supports both confidential and public clients for web applications, single-page apps, and native applications.

  • Authorization code flow with PKCE (S256 mandatory)
  • RS256-signed JWT access and ID tokens with key rotation
  • OpenID Connect Discovery endpoint (/.well-known/openid-configuration)
  • Token introspection (RFC 7662) and revocation (RFC 7009)
  • RP-initiated logout and backchannel logout
  • OAuth consent screen with per-user-client consent tracking
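
The PKCE S256 binding described above, as an added stdlib-only Python example (not CITADEL code): the client derives the challenge from a random verifier, the authorization endpoint refuses any method other than S256, and the token endpoint recomputes the challenge from the presented verifier in constant time. Function names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random bytes give a 43-character verifier
    (RFC 7636 allows 43..128 characters)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def accept_challenge_method(method: str) -> bool:
    """Server side, at /authorize: only S256 is accepted. 'plain' (or an absent
    method, which RFC 7636 would default to plain) is refused outright."""
    return method == "S256"


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Server side, at /token: recompute the challenge from the verifier the client
    presents and compare it in constant time with the one stored with the code."""
    if not (43 <= len(presented_verifier) <= 128) or not presented_verifier.isascii():
        return False
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)               # sent with the /authorize request
    assert accept_challenge_method("S256") and not accept_challenge_method("plain")
    assert verify_pkce(challenge, verifier)                 # legitimate client redeems the code
    assert not verify_pkce(challenge, make_code_verifier())  # intercepted code, wrong verifier
    print("PKCE S256 round trip OK")
```

The last assertion is the whole point of PKCE: an attacker who intercepts the authorization code (for example via a malicious native-app URI handler) cannot redeem it without the verifier, which never left the legitimate client.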
2

Token Security

RS256-signed JWTs with automatic refresh token rotation. Each refresh token is single-use and belongs to a family: presenting a refresh token that has already been rotated is treated as evidence of theft, and the entire family, including the legitimate user's current token, is revoked so that both parties must re-authenticate.

  • Single-use refresh tokens with rotation on every use
  • Reuse detection with automatic family revocation
  • Configurable token TTLs per client
  • Bearer token authentication for API access
  • Hashed token storage for defense in depth
  • Automatic cleanup of expired tokens, sessions, and authorization codes
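
The rotation and reuse-detection logic above, as an added Python example (not CITADEL code) that also shows hashed storage and expiry cleanup. The in-memory store, the record layout and the TTL are assumptions; a real deployment persists the same fields in a database.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class RefreshRecord:
    family_id: str
    expires_at: float
    used: bool = False


class RefreshTokenStore:
    """Server-side store. Only SHA-256 hashes of tokens are persisted, so a database
    dump does not yield usable refresh tokens; each record knows its family."""

    def __init__(self, ttl_seconds: int = 30 * 24 * 3600) -> None:
        self.ttl = ttl_seconds
        self._by_hash: Dict[str, RefreshRecord] = {}
        self._revoked_families: Set[str] = set()

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def _issue(self, family_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._by_hash[self._h(token)] = RefreshRecord(family_id, now + self.ttl)
        return token

    def issue_family(self, now: Optional[float] = None) -> str:
        """Initial login: start a new family and hand out its first token."""
        now = time.time() if now is None else now
        return self._issue(secrets.token_hex(8), now)

    def rotate(self, presented: str, now: Optional[float] = None) -> Optional[str]:
        """Token endpoint, grant_type=refresh_token. Consumes `presented` and returns its
        successor, or None. A token that was already rotated is treated as stolen:
        the whole family is revoked, so the thief's and the victim's copies both die."""
        now = time.time() if now is None else now
        rec = self._by_hash.get(self._h(presented))
        if rec is None or rec.expires_at <= now or rec.family_id in self._revoked_families:
            return None
        if rec.used:
            self._revoked_families.add(rec.family_id)  # reuse detected
            return None
        rec.used = True
        return self._issue(rec.family_id, now)

    def cleanup(self, now: Optional[float] = None) -> int:
        """Periodic job: drop expired records and everything in revoked families."""
        now = time.time() if now is None else now
        stale = [h for h, r in self._by_hash.items()
                 if r.expires_at <= now or r.family_id in self._revoked_families]
        for h in stale:
            del self._by_hash[h]
        return len(stale)


def theft_scenario() -> Tuple[bool, bool, bool, bool]:
    """Constructed walk-through: an attacker copies the victim's token t1, but the
    victim rotates first, so the attacker's replay is what trips reuse detection."""
    store = RefreshTokenStore()
    t1 = store.issue_family(now=1000.0)
    t2 = store.rotate(t1, now=1001.0)           # victim's legitimate rotation succeeds
    attacker = store.rotate(t1, now=1002.0)     # replay of t1 is detected as reuse
    victim = store.rotate(t2, now=1003.0)       # family revoked: even the live token fails
    victim_again = store.rotate(t2, now=1004.0)  # and stays dead afterwards
    return (t2 is not None, attacker is None, victim is None, victim_again is None)
```

Note the trade-off this design accepts: the legitimate user is logged out too, which is the correct outcome because the server cannot tell which of the two presenters is the thief. The order can also be reversed (attacker rotates first, victim's later attempt trips detection) with the same end state.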
3

Multi-Factor Authentication

Multiple second-factor options including TOTP, WebAuthn/Passkeys, and backup codes. Passkeys can serve as a 2FA alternative to TOTP or enable fully passwordless login with discoverable credentials.

  • TOTP with QR code setup and replay prevention
  • WebAuthn/Passkeys for passwordless login (FIDO2 discoverable credentials)
  • Passkeys as 2FA alternative to TOTP during login
  • 10 single-use backup codes with tamper-proof storage
  • Account lockout with per-user failed attempt tracking
  • Configurable MFA enforcement per organization
4

Multi-Tenant Organizations

Full multi-tenant organization management with role-based access control. Per-organization branding, OAuth client access control, and feature customization.

  • Organization roles: Owner, Admin, Member
  • Per-organization branding (logo, colors, names)
  • Per-organization OAuth client access control
  • Organization member management with role delegation
  • Last admin protection (cannot demote/deactivate last admin)
5

Email System

Customizable email template system with admin UI and live preview. Multi-transport delivery with OAuth support for Microsoft and Google.

  • Microsoft Entra/Office 365 OAuth email delivery
  • Google Workspace OAuth email delivery
  • Standard SMTP transport
  • Admin UI with email template management and live preview
  • Encrypted storage of OAuth tokens
6

Administration

Full management API and admin UI for users, OAuth clients, organizations, email templates, platform settings, and audit logs.

  • User lifecycle management with session and MFA oversight
  • OAuth client registration and secret regeneration
  • Runtime-editable platform settings
  • User sync webhooks for external provisioning
  • Comprehensive audit log viewer (30+ event types)

Key Capabilities

Cross-cutting capabilities built into Auth.

Brute-Force Protection

Per-IP and per-key rate limiting with account lockout. Failed authentication attempts trigger progressive lockouts with per-user tracking.

Comprehensive Audit Logging

30+ event types logged with timestamp, IP address, user agent, and outcome. Full audit trail for compliance and forensics.

Secure Session Management

Signed session cookies with IP and user-agent binding. Configurable idle timeout with automatic activity tracking.
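
The signed, IP/user-agent-bound session cookie with idle timeout described above, as an added stdlib-only Python example (not CITADEL code). The cookie layout (base64url JSON body, HMAC-SHA256 signature), the fingerprint construction and the `touch` flow are assumptions for the example; the key and addresses in `scenario` are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


class SessionCookies:
    """Cookie value = base64url(JSON body) + "." + base64url(HMAC-SHA256(key, body)).
    The body carries the session id, user id, a fingerprint of client IP + user agent,
    and the last-activity time used for the idle timeout."""

    def __init__(self, key: bytes, idle_timeout: int = 30 * 60) -> None:
        self.key = key
        self.idle_timeout = idle_timeout

    @staticmethod
    def _fingerprint(ip: str, user_agent: str) -> str:
        return hashlib.sha256(f"{ip}\n{user_agent}".encode()).hexdigest()[:32]

    def _sign(self, payload: bytes) -> str:
        return base64.urlsafe_b64encode(hmac.new(self.key, payload, hashlib.sha256).digest()).decode()

    def _encode(self, body: dict) -> str:
        payload = base64.urlsafe_b64encode(json.dumps(body, separators=(",", ":")).encode())
        return f"{payload.decode()}.{self._sign(payload)}"

    def issue(self, user_id: str, ip: str, user_agent: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        return self._encode({"sid": secrets.token_urlsafe(16), "uid": user_id,
                             "fp": self._fingerprint(ip, user_agent), "la": int(now)})

    def validate(self, cookie: str, ip: str, user_agent: str,
                 now: Optional[float] = None) -> Optional[dict]:
        """Returns the session body, or None if the signature, the IP/UA binding or the
        idle timeout check fails. The signature is checked before anything is parsed."""
        now = time.time() if now is None else now
        if cookie.count(".") != 1:
            return None
        payload_s, sig = cookie.split(".")
        payload = payload_s.encode()
        if not hmac.compare_digest(self._sign(payload), sig):
            return None
        try:
            body = json.loads(base64.urlsafe_b64decode(payload))
        except ValueError:
            return None
        if not hmac.compare_digest(body.get("fp", ""), self._fingerprint(ip, user_agent)):
            return None  # presented from a different address or client: reject
        if now - body.get("la", 0) > self.idle_timeout:
            return None  # idle too long: force a fresh login
        return body

    def touch(self, cookie: str, ip: str, user_agent: str,
              now: Optional[float] = None) -> Optional[str]:
        """Per request: validate, then re-issue with last-activity bumped (activity tracking)."""
        now = time.time() if now is None else now
        body = self.validate(cookie, ip, user_agent, now)
        if body is None:
            return None
        body["la"] = int(now)
        return self._encode(body)


def scenario() -> dict:
    """Constructed walk-through; key, addresses and user agents are made up."""
    sc = SessionCookies(key=b"constructed-32-byte-demo-key-000", idle_timeout=900)
    ip, ua = "203.0.113.7", "Mozilla/5.0 (demo)"
    c = sc.issue("alice", ip, ua, now=1000.0)
    _, sig = c.split(".")
    forged = base64.urlsafe_b64encode(b'{"sid":"x","uid":"admin","fp":"","la":1000}').decode()
    return {
        "valid": sc.validate(c, ip, ua, now=1100.0) is not None,
        "ip_changed": sc.validate(c, "198.51.100.9", ua, now=1100.0) is None,
        "ua_changed": sc.validate(c, ip, "curl/8.0", now=1100.0) is None,
        "idle": sc.validate(c, ip, ua, now=1901.0) is None,
        "forged_body": sc.validate(forged + "." + sig, ip, ua, now=1100.0) is None,
        "touched": sc.validate(sc.touch(c, ip, ua, now=1800.0), ip, ua, now=2600.0) is not None,
    }
```

Two caveats when deploying IP binding: the fingerprint must be computed from the real client address (trust X-Forwarded-For only from your own proxies, otherwise the "IP" is attacker-controlled), and binding to the full address logs out users whose address legitimately changes (mobile networks, carrier-grade NAT, VPN reconnects); binding to the user agent only, or to a coarser address prefix, is a common compromise.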

AES-256-GCM Encryption

Secrets, session data, OAuth tokens, and sensitive settings encrypted at rest with industry-standard AES-256-GCM.

Argon2id Password Hashing

OWASP-recommended parameters tuned for production workloads. Constant-time comparison prevents timing attacks.

Security Headers

Strict Content-Security-Policy (no unsafe-inline), HSTS, X-Frame-Options, X-Content-Type-Options and Referrer-Policy on every response, plus SSRF protection: operator-supplied custom OAuth URLs are validated before the server connects to them.

Technical Details

Under the hood of Auth.

Token Format: RS256-signed JWT (RFC 7519) with key rotation
Password Hashing: Argon2id (OWASP-recommended parameters)
Encryption: AES-256-GCM at rest
Protocol: OpenID Connect 1.0 / OAuth 2.0
MFA Methods: TOTP, WebAuthn/Passkeys, backup codes
Rate Limiting: Per-IP and per-key, with account lockout

Ready to Get Started with Auth?

See how CITADEL Auth can streamline your operations. Talk to the Gallantic team.