
ADR-0101: ConnectSoft Identity Platform Architecture

| Field | Value |
| --- | --- |
| Status | Accepted (target architecture) |
| Date | 2026-06-30 |
| Supersedes | |

Context

ConnectSoft templates include Blazor Shell and microfrontend templates, API Gateway, Authorization Server, Identity Service, and backend microservice templates. These components must share a single end-to-end identity architecture so future development can implement login, registration, MFA, federation, token issuance, Gateway policy enforcement, and backend authorization consistently.

The platform must support local users, social providers, enterprise identity providers, LDAP/Active Directory, mock providers, and service-to-service access without letting each frontend or backend invent its own trust model.

Decision

  1. ConnectSoft Authorization Server is the only internal platform token issuer.
  2. Identity Service owns users, local credentials, MFA factors, recovery codes, profiles, roles, claims, tenant memberships, and external account links.
  3. External identity providers are upstream authentication sources, not internal authorization authorities.
  4. API Gateway validates ConnectSoft platform access tokens and enforces route policies before forwarding public API traffic.
  5. Backend services enforce domain authorization and tenant isolation even when Gateway has already authenticated the caller.
  6. Blazor Shell owns frontend authentication state and token acquisition for microfrontends.
  7. Microfrontends consume Shell auth state and do not independently manage login or refresh tokens.
  8. MFA assurance is projected into platform tokens as amr and/or acr claims, so Gateway and backends can enforce it by policy rather than re-asking Identity Service.
  9. LDAP and Active Directory integrate through Identity Service or an upstream federation bridge, never directly from browser clients.
  10. Mock providers are valid development substitutes only when they implement the same contracts as real providers.

Consequences

  • APIs accept access tokens, not ID tokens.
  • Backend services do not trust Google, Facebook, LDAP, Keycloak, Entra ID, or AD FS tokens directly.
  • Identity Service does not issue OAuth2/OIDC platform tokens.
  • Gateway must reject, ignore, or overwrite untrusted public tenant headers.
  • Sensitive operations can require step-up MFA at Gateway and backend layers.
  • Repo-local docs must describe local responsibilities and link back to canonical architecture docs.

Threat Model Summary

| Risk | Decision response |
| --- | --- |
| Frontend token misuse | Shell owns auth state; MFEs do not store refresh tokens independently. |
| ID token used as API credential | Gateway and backends accept access tokens only. |
| External provider token accepted internally | Authorization Server exchanges upstream identity for platform tokens. |
| Tenant spoofing | Gateway resolves tenant from validated context and overwrites public headers. |
| Cross-tenant backend access | Backends enforce tenant isolation and domain authorization. |
| MFA bypass | MFA assurance is projected into tokens and enforced by policy. |
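As an added illustration of Decisions 4, 5 and 8, the Consequences, and the threat-model rows above, the following Python models the Gateway checks and the backend re-check. It is example code, not ConnectSoft code, and everything concrete in it is an assumption for the example: the issuer URL, the audience, the claim names (tid, roles, amr, acr), the X-Tenant-Id header, the acr value, and an HS256 key shared between Authorization Server and Gateway standing in for the asymmetric keys a real deployment would publish via JWKS. It goes slightly beyond the text in pinning the JWT alg and checking audience and expiry, which any token validator must do.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed values for this example (not from the ADR).
PLATFORM_ISSUER = "https://auth.connectsoft.example"
API_AUDIENCE = "connectsoft-api"
SIGNING_KEY = b"constructed-example-key-not-for-production"
TENANT_HEADER = "X-Tenant-Id"
MFA_ACR = "urn:connectsoft:acr:mfa"
UPSTREAM_ISSUER = "https://accounts.google.com"  # stands in for any upstream IdP


class AuthError(Exception):
    """Raised when a request must be rejected at Gateway or backend."""


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, typ: str = "at+jwt") -> str:
    """Mint an HS256 JWT. typ='at+jwt' marks a platform access token (RFC 9068).
    The negative cases below are minted with the same key on purpose, so that
    only the typ and iss checks can reject them, not the signature check."""
    header = {"alg": "HS256", "typ": typ}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_platform_access_token(token: str, now=None) -> dict:
    """Gateway check (Decision 4): signature, pinned alg, typ, iss, aud, exp, tenant claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise AuthError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise AuthError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if header.get("typ") != "at+jwt":
        raise AuthError("ID token presented as API credential")
    if claims.get("iss") != PLATFORM_ISSUER:
        raise AuthError("token not issued by ConnectSoft Authorization Server")
    aud = claims.get("aud")
    if API_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise AuthError("wrong audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise AuthError("expired")
    if not claims.get("tid"):
        raise AuthError("no tenant claim")
    return claims


def mfa_satisfied(claims: dict) -> bool:
    """Decision 8: MFA assurance read from amr (RFC 8176 value 'mfa') and/or acr."""
    return "mfa" in claims.get("amr", []) or claims.get("acr") == MFA_ACR


def gateway_forward(claims: dict, public_headers: dict, route: dict) -> dict:
    """Apply the route policy, then build backend headers. Any client-supplied
    tenant header is dropped and replaced by the tenant from the validated token."""
    if route.get("require_mfa") and not mfa_satisfied(claims):
        raise AuthError("step-up MFA required")
    forwarded = {k: v for k, v in public_headers.items() if k.lower() != TENANT_HEADER.lower()}
    forwarded[TENANT_HEADER] = claims["tid"]
    forwarded["X-Subject"] = claims["sub"]
    return forwarded


def backend_authorize(claims: dict, resource_tenant: str, required_role: str, step_up: bool = False) -> bool:
    """Decision 5: the backend re-checks tenant isolation and the domain role from
    the token claims even though Gateway has already authenticated the caller."""
    if claims.get("tid") != resource_tenant:
        return False
    if step_up and not mfa_satisfied(claims):
        return False
    return required_role in claims.get("roles", [])


def run_demo() -> dict:
    """Constructed scenario: one good token plus the three threat-model cases."""
    now = 1_800_000_000
    base = {"iss": PLATFORM_ISSUER, "aud": API_AUDIENCE, "sub": "u-42",
            "tid": "tenant-a", "roles": ["invoice.read"], "exp": now + 300}
    results = {}
    claims = validate_platform_access_token(mint_token({**base, "amr": ["pwd", "mfa"]}), now)
    # Client tries to spoof tenant-b via the public header; Gateway overwrites it.
    results["forwarded"] = gateway_forward(claims, {"x-tenant-id": "tenant-b"}, {"require_mfa": True})
    for name, token, route in [
        ("id_token", mint_token({**base, "aud": "blazor-shell"}, typ="JWT"), {}),
        ("upstream", mint_token({**base, "iss": UPSTREAM_ISSUER}), {}),
        ("no_mfa", mint_token({**base, "amr": ["pwd"]}), {"require_mfa": True}),
    ]:
        try:
            gateway_forward(validate_platform_access_token(token, now), {}, route)
            results[name] = "allowed"
        except AuthError as err:
            results[name] = str(err)
    results["cross_tenant"] = backend_authorize(claims, "tenant-b", "invoice.read")
    results["same_tenant"] = backend_authorize(claims, "tenant-a", "invoice.read")
    return results
```

The order of checks matters: the ID token and the upstream token are rejected by typ and iss respectively before audience is considered, and the backend decision uses only claims carried in the validated token, never the forwarded header, so a misconfigured or bypassed Gateway cannot widen tenant access.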