Features

Enterprise-grade identity management with comprehensive security features and modern architecture patterns.

JWT Authentication

Dual signing (HS256/RS256) with JWKS endpoint for distributed validation. Configurable expiration with claims-based identity.

Rotating Refresh Tokens

Each refresh token can only be used once. New tokens issued on refresh with IP tracking for security audit trails.

Multi-Tenant Support

Customer-based data isolation with user scoping. Users, addresses, and phone numbers all scoped to their organization.

Webhook System

21 event types with HMAC-SHA256 signing, exponential backoff retries (5 attempts), and full delivery tracking.

Rate Limiting

5 requests per 60 seconds on authentication endpoints. Distributed in-memory caching with configurable limits per endpoint.

Security Headers

HSTS with preload, Content Security Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy out of the box.

CQRS Architecture

Command/Query separation with MediatR. Clean handler-based architecture for all operations with pipeline behaviors.

Role-Based Access Control

User-role associations with admin dashboard. Protected routes and role-checking middleware for secure authorization.

Background Services

Automatic refresh token cleanup (daily, 1-day retention) and asynchronous webhook delivery with retry logic.

Health Checks

Kubernetes-ready endpoints (/health, /health/ready, /healthz) for liveness and readiness probes.

Full Test Suite

80 test files with xUnit, Moq, FluentAssertions, and WireMock.Net. Unit, integration, and domain tests.

Authentication Flow

# Step 1: User Login

POST /api/v1.0/auth/login

{ "username": "user@example.com", "password": "..." }

# Step 2: Receive Tokens

Response: JWT access_token (60 min) + refresh_token (7 days)

# Step 3: Access Protected Resources

Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

# Step 4: Token Refresh (when access token expires)

POST /api/v1.0/auth/refresh-token

{ "token": "current_refresh_token" }

Response: New JWT + New refresh_token (old token revoked)

# Security features:

  • Refresh tokens rotate on each use
  • IP address tracked for audit
  • Automatic cleanup of expired tokens
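The rotation rules from the flow above, as an added example that is not part of this page or the project's code: an in-memory Python model of a refresh-token store that spends a token on first use, records the refreshing IP, refuses a second presentation of the same token, and purges dead tokens once the 1-day retention has passed. The class and function names, the dict-based store and the sample IPs are assumptions; the project's real store (and how it protects tokens at rest) is not shown here.

```python
import secrets
from datetime import datetime, timedelta, timezone

REFRESH_TTL = timedelta(days=7)  # 7-day refresh token, as on the page
RETENTION = timedelta(days=1)    # spent/expired tokens kept 1 day for audit, then purged

class RefreshTokenStore:
    """Assumed in-memory model of rotate-on-use refresh tokens, not the project's code."""
    def __init__(self):
        self.tokens = {}  # token -> record; a real store would keep only a hash at rest

    def issue(self, user, ip, now):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": user, "created_by_ip": ip, "expires": now + REFRESH_TTL,
                              "revoked": None, "revoked_by_ip": None, "replaced_by": None}
        return token

    def refresh(self, token, ip, now):
        rec = self.tokens.get(token)
        if rec is None or rec["expires"] <= now:
            raise PermissionError("unknown or expired refresh token")
        if rec["revoked"] is not None:  # already spent: replayed capture or desynced client
            raise PermissionError("refresh token reuse detected")
        rec["revoked"], rec["revoked_by_ip"] = now, ip   # old token revoked ...
        new_token = self.issue(rec["user"], ip, now)     # ... new one issued, IP recorded
        rec["replaced_by"] = new_token                   # audit chain old -> new
        return new_token

    def cleanup(self, now):  # what the daily background job does
        stale = [t for t, r in self.tokens.items() if r["expires"] + RETENTION <= now
                 or (r["revoked"] is not None and r["revoked"] + RETENTION <= now)]
        for t in stale:
            del self.tokens[t]
        return len(stale)

def demo():
    """Steps 2 and 4 of the flow above, then a reuse attempt and the cleanup job."""
    store, t0 = RefreshTokenStore(), datetime(2024, 1, 1, tzinfo=timezone.utc)
    first = store.issue("user@example.com", "203.0.113.10", t0)              # login
    second = store.refresh(first, "203.0.113.10", t0 + timedelta(hours=1))  # rotate
    try:
        store.refresh(first, "198.51.100.7", t0 + timedelta(hours=1, minutes=1))
        reuse_rejected = False
    except PermissionError:
        reuse_rejected = True
    purged = store.cleanup(t0 + timedelta(days=2, hours=2))  # first revoked >1 day ago
    return {"rotated": first != second, "reuse_rejected": reuse_rejected,
            "purged": purged, "remaining": len(store.tokens)}
```

The second token survives cleanup because it is neither expired nor revoked, while the spent first token is dropped once its revocation is older than the retention window.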

Domain Model

User

Extends IdentityUser with FirstName, LastName, CustomerId, and audit fields

Customer

Organization/tenant with users, addresses, phone numbers, and password policies

Role

Extends IdentityRole with user associations and permission-based access

Webhook Event System

Subscriptions

  • Subscribe to specific event types or "*" for all
  • HMAC-SHA256 signed payloads for verification
  • Optional customer scoping for multi-tenant isolation

Delivery

  • Background service for async delivery
  • 5 retry attempts with exponential backoff
  • Full delivery attempt tracking and audit