
ConnectSoft Identity Platform Blueprint

This page is the canonical target-state architecture for the ConnectSoft Identity Platform. It defines how Blazor Shell applications, microfrontends, API Gateway, Authorization Server, Identity Service, external identity providers, and backend services work together.

The platform is designed around a single internal security authority: the ConnectSoft Authorization Server. External providers such as Google, Facebook, Keycloak, Entra ID, AD FS, LDAP, and Active Directory can authenticate users upstream, but internal APIs trust only ConnectSoft platform tokens.

Architecture Goals

  • Provide one consistent login and token model for Shell and microfrontends.
  • Keep token issuance centralized in the Authorization Server.
  • Keep users, credentials, MFA, claims, roles, tenants, and external account links centralized in the Identity Service.
  • Enforce API access at the Gateway and business access in backend services.
  • Support local users, social federation, enterprise federation, LDAP/AD, MFA, step-up MFA, and mock providers.
  • Allow future template development to implement against stable contracts.

Non-Goals

  • This blueprint does not describe current implementation completeness.
  • This blueprint does not make external provider tokens valid backend credentials.
  • This blueprint does not make frontend route protection a security boundary.
  • This blueprint does not require every deployment to use the same persistence or hosting model.

System Diagram

flowchart LR
    user[User Browser]

    subgraph frontend[Frontend Layer]
        shell[Blazor Shell]
        mfeSelf[Identity Self-Service MFE]
        mfeIdentityAdmin[Identity Admin MFE]
        mfeAuthAdmin[Authorization Admin MFE]
        mfeDomain[Business MFEs]
    end

    subgraph edge[Edge Layer]
        ingress[Ingress or Reverse Proxy]
        gateway[API Gateway]
    end

    subgraph identity[Identity Platform]
        auth[Authorization Server]
        ids[Identity Service]
    end

    subgraph providers[External Identity Sources]
        google[Google]
        facebook[Facebook]
        keycloak[Keycloak]
        entra[Entra ID]
        adfs[AD FS]
        ldap[LDAP or Active Directory]
        mockIdp[Mock Providers]
    end

    subgraph services[Backend Services]
        identityApi[Identity APIs]
        authAdminApi[Authorization Admin APIs]
        orders[Domain APIs]
        billing[Billing APIs]
        other[Other Microservices]
    end

    subgraph data[Data Stores]
        identityDb[(Identity DB)]
        authDb[(Authorization DB)]
        domainDb[(Domain DBs)]
        cache[(Session and Token Cache)]
    end

    user --> shell
    shell --> mfeSelf
    shell --> mfeIdentityAdmin
    shell --> mfeAuthAdmin
    shell --> mfeDomain

    shell -->|"OIDC authorize/code/PKCE or BFF cookie"| ingress
    ingress --> auth
    shell -->|"Access token or BFF cookie"| gateway
    mfeSelf --> gateway
    mfeIdentityAdmin --> gateway
    mfeAuthAdmin --> gateway
    mfeDomain --> gateway

    gateway --> identityApi
    gateway --> authAdminApi
    gateway --> orders
    gateway --> billing
    gateway --> other

    auth -->|"Internal identity contract"| ids
    ids --> identityDb
    auth --> authDb
    auth --> cache
    orders --> domainDb
    billing --> domainDb
    other --> domainDb

    auth -.-> google
    auth -.-> facebook
    auth -.-> keycloak
    auth -.-> entra
    auth -.-> adfs
    ids -.-> ldap
    auth -.-> mockIdp

Component Responsibilities

| Component | Owns | Does not own |
|---|---|---|
| Blazor Shell | Login initiation, logout, session state, token acquisition, shared MFE auth context, auth error routing | Backend authorization, token issuance, password validation |
| Microfrontends | Feature UI, protected routes, API calls through Gateway/BFF, consumption of Shell auth state | Independent login, refresh token storage, API security decisions |
| Authorization Server | OAuth2/OIDC endpoints, token issuance, federation broker, consent, refresh/revocation, token claims projection | User password store, MFA secret store, domain authorization |
| Identity Service | Users, credentials, MFA factors, recovery codes, profiles, roles, claims, tenants, external account links, LDAP/AD integration | OAuth2/OIDC platform token issuance |
| API Gateway | Access token validation, route policies, anonymous allowlist, tenant/correlation propagation, downstream forwarding | User credential verification, business ownership rules |
| Backend services | Domain logic, resource ownership checks, tenant isolation, audit context, optional JWT validation | Login, token issuance, external federation |
| External providers | Upstream authentication and external claims | Internal authorization decisions |
| Mock providers | Development substitutes for social, enterprise, and directory providers | Production identity assurance |

Trust Boundaries

| Boundary | Rule |
|---|---|
| Browser boundary | Browser code is untrusted. UI authorization improves usability but does not protect APIs. |
| Gateway edge boundary | Public API traffic enters through API Gateway or approved BFF endpoints. Gateway validates platform access tokens before forwarding. |
| Authorization boundary | Only Authorization Server issues internal platform tokens. |
| Identity data boundary | Identity Service owns user identity data and credential/MFA state. |
| Backend domain boundary | Backend services enforce domain-specific authorization and tenant isolation. |
| External provider boundary | External providers are upstream authentication sources. Their tokens are not backend API credentials. |

Token Ownership

| Token | Issuer | Consumer | Purpose |
|---|---|---|---|
| id_token | Authorization Server | Shell/BFF/frontend session logic | Identity presentation and login session context. Not valid for APIs. |
| access_token | Authorization Server | API Gateway and resource servers | API authorization with scopes, roles, tenant, and MFA claims. |
| refresh_token | Authorization Server | Shell/BFF/token client | Session renewal. Prefer server-side storage in BFF deployments. |
| External provider token | External IdP | Authorization Server/Identity integration only | Upstream provider access. Not an internal API credential. |
| Service token | Authorization Server | Service clients and APIs | Client credentials/service-to-service access. |

Core Platform Rules

  1. Authorization Server is the only internal platform token issuer.
  2. Identity Service owns user, credential, MFA, profile, claims, roles, tenant memberships, and external account link state.
  3. API Gateway accepts access tokens, not ID tokens.
  4. Backend services do not trust Google, Facebook, LDAP, or enterprise IdP tokens directly.
  5. Blazor Shell owns frontend authentication state and token acquisition for microfrontends.
  6. Microfrontends do not independently log in users or store refresh tokens.
  7. MFA state is represented through amr and/or acr claims.
  8. Public client-provided tenant headers are untrusted until Gateway validates or overwrites them.
  9. LDAP/Active Directory is integrated through Identity Service or an upstream federation bridge, never directly from browser clients.
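
As an added illustration, not code from the ConnectSoft project, the following gateway-side check applies rules 3, 7 and 8 together with the token ownership table: it accepts only tokens signed by the Authorization Server, rejects id_tokens and external-provider tokens, requires an MFA factor in amr for step-up routes, and replaces any client-supplied tenant header with the value from the token. The issuer URL, audience, signing key, and tenant_id claim name are assumed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders (assumptions). Real gateways verify RS256/ES256 via the AS JWKS; HS256 here only to run offline.
PLATFORM_ISSUER = "https://auth.connectsoft.example"
API_AUDIENCE = "connectsoft-api"
PLATFORM_KEY = b"constructed-demo-key"
TENANT_CLAIM = "tenant_id"  # assumed name of the tenant membership claim
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(header: dict, claims: dict, key: bytes) -> str:
    # Mints a compact HS256 JWT on behalf of whichever issuer holds `key`.
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def gateway_authorize(token: str, headers: dict, route_requires_mfa: bool = False, now=None):
    """Gateway-side policy: returns (allowed, reason, headers to forward downstream)."""
    now = time.time() if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header, claims = json.loads(_b64url_decode(h_b64)), json.loads(_b64url_decode(c_b64))
        sig = _b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token", None
    # Tokens minted by Google, Facebook, Keycloak, etc. are signed with other keys and stop here.
    expected = hmac.new(PLATFORM_KEY, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if header.get("alg") != "HS256" or not hmac.compare_digest(expected, sig):
        return False, "signature is not from the Authorization Server", None
    if claims.get("iss") != PLATFORM_ISSUER or claims.get("exp", 0) <= now:
        return False, "wrong issuer or expired", None
    # Rule 3: an id_token is typ "JWT" with the client as audience; only an API-audience access token passes.
    aud = claims.get("aud", [])
    if header.get("typ") != "at+jwt" or API_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "not an access token for the API", None
    # Rule 7: step-up routes require an MFA factor recorded in amr (RFC 8176 value "mfa").
    if route_requires_mfa and "mfa" not in claims.get("amr", []):
        return False, "step-up MFA required", None
    # Rule 8: discard any client-supplied tenant header and set it from the token's claim.
    forwarded = {k: v for k, v in headers.items() if k.lower() != "x-tenant-id"}
    forwarded["X-Tenant-Id"] = claims[TENANT_CLAIM]
    return True, "ok", forwarded
```

Where the Authorization Server does not set the `at+jwt` type header, the audience check alone still separates access tokens from id_tokens, since an id_token is addressed to the Shell's client_id rather than to the API.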