Skip to content

ConnectSoft Identity Platform Security Model

The Identity Platform security model assumes browsers and public networks are untrusted. Security decisions are enforced by Authorization Server, API Gateway, Identity Service, and backend services.

Security Invariants

  • Authorization Server is the only internal token issuer.
  • APIs accept access tokens, not ID tokens.
  • Gateway validates tokens before forwarding public API traffic.
  • Backend services enforce business authorization and tenant isolation.
  • External provider tokens are not internal API credentials.
  • Tenant headers from public clients are untrusted.
  • Refresh tokens are never sent to backend services.
  • Sensitive operations require MFA or step-up MFA.

Threat Model

Threat Control
Browser token theft Prefer BFF/server-side tokens, short access token lifetime, CSP, XSS prevention.
Refresh token theft Server-side storage where possible, rotation, reuse detection, revocation.
CSRF in BFF/cookie mode SameSite cookies, anti-forgery tokens, origin checks for state-changing calls.
ID token misuse Gateway and backends reject ID tokens for APIs.
Tenant header spoofing Gateway overwrites or rejects client tenant headers and resolves tenant from validated token/context.
External provider token misuse External tokens stay inside federation integration unless explicitly used for delegated third-party API access.
Direct backend bypass Private networks, service mesh, mTLS, firewalling, and backend JWT validation.
Cross-tenant access Tenant context required, tenant predicate in repositories, audit, tests.
Stale roles/claims Short token lifetime, refresh-time claim re-evaluation, admin revocation strategy.
JWT revocation limits Short access token lifetime or reference tokens/introspection for high-risk APIs.
Signing key compromise Key isolation, rotation, JWKS rollover, incident revocation plan.

Production Hardening

  • Use HTTPS everywhere.
  • Use secure signing keys and documented key rotation.
  • Prefer Authorization Code + PKCE for browser clients.
  • Prefer BFF for high-risk browser applications.
  • Use refresh token rotation.
  • Rate limit public auth endpoints.
  • Audit admin and MFA actions.
  • Monitor failed login, failed MFA, token refresh reuse, and account linking anomalies.
  • Keep backend services inaccessible directly from the public internet.

Observability

Security-relevant telemetry must include:

  • correlation id;
  • user subject;
  • client id;
  • tenant id where available;
  • route policy name;
  • auth result;
  • MFA/assurance result;
  • external provider id for federation events.

PII and secrets must be redacted. Tokens, passwords, recovery codes, MFA secrets, and provider secrets must never be logged.