RDN Identity

Features

Enterprise-grade identity management with passkeys, passwordless OTP, multi-channel authentication, per-client configuration, password expiration policies, notification preferences, tenant lifecycle management, and comprehensive security patterns.

JWT Authentication

12 signing algorithms across HMAC, RSA (PKCS#1), RSA-PSS, and ECDSA families with 2048/4096-bit RSA support, JWKS endpoint, key rotation, and distributed validation.

Two-Factor Authentication

TOTP authenticator apps (Google/Microsoft Authenticator), SMS codes, WhatsApp codes, email-based codes, and one-time recovery codes with QR code setup wizard. OAuth-only users can set up and disable 2FA without password confirmation.

External OAuth Login

Sign in with Google, GitHub, Microsoft, Amazon, LinkedIn, and X. Auto-registration for new users, email-based account linking for existing users, 2FA enforcement for OAuth accounts, and automatic tenant-admin provisioning. Configurable per-provider enable/disable with graceful cancel handling.

OAuth 2.0 / OIDC Server

OAuth 2.0-compliant authorization server with authorization code flow, PKCE (S256), Device Authorization Grant, DPoP proof-of-possession token binding, user consent, custom claims and scopes, token introspection, token revocation, OpenID Connect Discovery, session management (sid, auth_time, max_age), and back-channel logout. Implicit and ROPC grants rejected by design.

Email-Verified Registration

Three-step signup: enter details, verify email with 6-digit OTP, set password. Stateless JWT tokens carry state between steps — no server-side sessions.

Magic Links & QR Code Login

Passwordless authentication via email links or QR code login (QR code emailed to user with inline image and clickable fallback link). Authenticated QR code generation for adding devices. Hashed one-time tokens with configurable expiry.

Password Reset

Password recovery via email or SMS. The SMS flow sends a 6-digit code to a verified phone number, enabling recovery without email access. Prevents user enumeration by always returning success.

Rotating Refresh Tokens

Each refresh token can only be used once. New tokens issued on refresh with IP tracking for security audit trails. Replay detection with full token family revocation when a compromised token is reused.

Multi-Tenant Support

Tenant-based data isolation with user scoping. Users, addresses, phone numbers, and webhook subscriptions all scoped to their organization.

Webhook System

65 event types with HMAC-SHA256 signing, exponential backoff retries (5 attempts), and full delivery tracking.

Permission-Based Access Control

106 fine-grained permissions beyond simple roles. Dynamic authorization policies with permission caching and claims transformation across system and tenant scopes.

CQRS Architecture

Command/Query separation with MediatR. 120+ handlers with pipeline behaviors for logging, validation, and exception handling.

Passkey / WebAuthn (FIDO2)

Passwordless authentication using device biometrics, security keys, or platform authenticators. Register, manage, and authenticate with passkeys via Fido2.AspNet.

Multi-Channel Authentication

Cascading auth fallback (Passkey, SMS, WhatsApp, Email) with configurable channel priority. SMS via Azure Communication Services, WhatsApp via Twilio.

Phone Verification & SMS Consent

OTP-based phone verification with full messaging consent tracking. TCPA/GDPR compliant with OptIn and DoubleOptIn confirmation flows.

Tenant Lifecycle Management

Four-state tenant lifecycle (Pending, Active, Suspended, Disabled) with admin-controlled transitions. Email notifications on activation and suspension.

Account Approval

Dual-gate access control: tenant status + individual user approval. Self-registered users require admin approval. Admin-created accounts are pre-approved.

Security Headers & Rate Limiting

HSTS with preload, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, DPoP proof-of-possession token binding, and configurable fixed-window rate limiting on auth endpoints.

Passwordless OTP Login

Sign in with a one-time password sent via Email or SMS. No password required — enter a code and authenticate. Supports per-client toggle to enable or disable OTP login.

Per-Client Configuration

Each OAuth client configures allowed login methods (password, passkey, magic link, QR code, email OTP, SMS OTP, social providers), toggles registration and password reset, and customizes login page branding with logo URI and title.

Notification Preferences

Per-user opt-in notifications for login alerts and password changes via SMS and Email. Global master switch to disable all notifications. Every notification is logged to an audit trail with delivery status, IP, and user agent.

Password Expiration

Tenant-level configurable password expiration policy. All authentication flows detect expired passwords and redirect users to change their password before granting access. Expiration notifications sent automatically.

Account Recovery

Recover account access via verified phone number when email is unavailable. SMS-based identity verification issues a password reset token to regain access.

API Key Management

Create, list, and revoke API keys for partner integrations. Keys are stored only as hashes, carry the rdnk_ prefix, and are presented in the X-API-Key header.

MCP Server & AI Agent Chat

Built-in 100-tool MCP server enables natural language administration via an AI agent chat interface powered by Claude. Per-conversation model selection with SSE streaming.

License System

28 licensable feature flags across 11 categories with 4 limit types. Heartbeat-based token renewal, middleware enforcement, and admin activation API.

Runtime Configuration

Database-backed configuration with 11 categories and 63 settings. Admin API with secret masking, precedence over appsettings, and license-gated features.

Signing Key Management

Database-stored signing keys supporting 12 algorithms across HMAC, RSA, RSA-PSS, and ECDSA families with 2048/4096-bit RSA. Key rotation and deletion via admin API with wizard UI and Azure Key Vault integration.

1,732 Tests

1,444 API tests + 196 domain tests + 92 platform tests across 195 test files with xUnit, Moq, FluentAssertions, and WireMock.Net. Full integration tests with in-memory database.

Authentication Flows

# Standard Login

POST /api/v1.0/auth/login

{ "username": "user@example.com", "password": "..." }

Response: JWT access_token (60m) + refresh_token (7d)

Refresh tokens rotate on each use

Replay detection with token family revocation

IP address tracked for audit
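The rotation and replay rules above (one-time refresh tokens, IP tracking, whole-family revocation on reuse) modelled as a small in-memory store. This is an added example, not RDN Identity's own code; the record layout and the hypothetical RefreshTokenStore class are assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Set


class RefreshTokenStore:
    """Hypothetical in-memory store modelling the rotation described above.
    Only SHA-256 hashes of tokens are kept; every login opens a new token
    family, and reuse of an already-consumed token revokes the whole family."""

    def __init__(self, ttl_seconds: int = 7 * 24 * 3600):
        self.ttl = ttl_seconds
        self.tokens: Dict[str, dict] = {}        # sha256(token) -> record
        self.revoked_families: Set[str] = set()

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, user: str, family: str, ip: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[self._hash(token)] = {
            "user": user, "family": family, "issued_to_ip": ip,
            "expires": time.time() + self.ttl, "used": False,
        }
        return token

    def login(self, user: str, ip: str) -> str:
        return self._issue(user, secrets.token_hex(8), ip)

    def refresh(self, presented: str, ip: str) -> Optional[str]:
        rec = self.tokens.get(self._hash(presented))
        if rec is None or rec["expires"] < time.time():
            return None
        if rec["family"] in self.revoked_families:
            return None
        if rec["used"]:
            # Replay: a consumed token came back. The server cannot tell whether
            # the legitimate client or a thief now holds the newer token, so the
            # whole family is invalidated and both parties must log in again.
            self.revoked_families.add(rec["family"])
            return None
        rec["used"] = True             # one-time use
        rec["used_from_ip"] = ip       # audit trail
        return self._issue(rec["user"], rec["family"], ip)

    def family_is_revoked(self, token: str) -> bool:
        rec = self.tokens.get(self._hash(token))
        return rec is not None and rec["family"] in self.revoked_families
```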

# Login with 2FA

POST /api/v1.0/auth/login

requiresTwoFactor: true

challenge_token issued (5 min TTL)

POST /api/v1.0/auth/2fa/verify

Verify with authenticator, SMS, WhatsApp, email, passkey, or recovery code

JWT + refresh_token issued on success

# Email-Verified Registration

Step 1:

POST /api/v1.0/auth/register/initiate

6-digit OTP sent via email

Step 2:

POST /api/v1.0/auth/register/verify

OTP verified, token upgraded

Step 3:

POST /api/v1.0/auth/register/complete

Password set, account created

# Magic Link & QR Code Login

POST /api/v1.0/auth/magic-link/request

Login link sent via email (15 min TTL)

POST /api/v1.0/auth/magic-link/qr-login

QR code emailed to user (token never exposed to caller)

POST /api/v1.0/auth/magic-link/qr-code

QR code PNG returned (authenticated, add another device)

POST /api/v1.0/auth/magic-link/verify

Token verified, JWT + refresh_token issued

One-time use, hashed in database

# External OAuth Login

GET /api/v1.0/auth/external/providers

Returns enabled providers (Google, GitHub, Microsoft, Amazon, LinkedIn, X)

POST /api/v1.0/auth/external/initiate

Redirect user to provider authorization URL

POST /api/v1.0/auth/external/callback

Exchange code for JWT tokens, auto-register if new

Account linked by email if user exists

2FA enforced if enabled on account

Auto tenant-admin provisioning

# OAuth 2.0 Authorization Code + PKCE

Step 1:

GET /oauth/authorize

client_id, scope, code_challenge (S256)

Step 2:

POST /oauth/authorize/consent

User consents, authorization code returned

Step 3:

POST /oauth/token

Exchange code + code_verifier for tokens

Returns access_token + id_token + refresh_token
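The three steps above, carried through end to end: the client derives an S256 challenge from a random verifier, the server stores the challenge with a short-lived single-use code, and the token endpoint redeems the code only for the matching verifier. Added example, not the project's code; the AuthorizationServer class and its record fields are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce_pair() -> Tuple[str, str]:
    """Client side: a random code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))                    # 43 chars
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())


class AuthorizationServer:
    """Hypothetical server state behind /oauth/authorize and /oauth/token."""

    def __init__(self, code_ttl: int = 60):
        self.codes: Dict[str, dict] = {}
        self.code_ttl = code_ttl

    def authorize(self, client_id: str, scope: str, code_challenge: str,
                  method: str = "S256") -> str:
        # Steps 1-2: the challenge is stored with the code; only S256 is
        # accepted, so a 'plain' challenge can never be registered.
        if method != "S256" or not 43 <= len(code_challenge) <= 128:
            raise ValueError("code_challenge_method must be S256")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "scope": scope,
                            "challenge": code_challenge,
                            "expires": time.time() + self.code_ttl}
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> Optional[dict]:
        # Step 3: the code is single-use (popped even on failure), bound to the
        # client, and redeemable only with the verifier behind the challenge.
        rec = self.codes.pop(code, None)
        if rec is None or rec["expires"] < time.time() or rec["client_id"] != client_id:
            return None
        expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not hmac.compare_digest(expected, rec["challenge"]):
            return None
        return {"access_token": secrets.token_urlsafe(32),
                "refresh_token": secrets.token_urlsafe(32), "scope": rec["scope"]}
```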

# Device Authorization Grant (RFC 8628)

Step 1:

POST /oauth/device/authorize

Returns device_code, user_code, verification_uri

Step 2:

User visits verification URI and enters user_code

POST /oauth/device/approve

User approves or denies the request

Step 3:

POST /oauth/token

grant_type=urn:ietf:params:oauth:grant-type:device_code

Device polls until approved, receives tokens

For TVs, CLIs, and input-constrained devices

Expired device codes cleaned up automatically

# DPoP Proof-of-Possession (RFC 9449)

Token Request:

POST /oauth/token

DPoP: <signed JWT proof>

{ ath, htm: "POST", htu: "/oauth/token", jti, iat }

Server validates proof, binds token to client key

Resource Request:

Authorization: DPoP <access_token>

DPoP: <new proof for this request>

Server verifies proof matches token-bound key

Sender-constrained tokens prevent theft

Per-client or global enforcement via feature flag

Server nonce support with replay cache
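The checks behind "server validates proof", "proof matches token-bound key" and the nonce replay cache, as an added example that is not the project's code. It assumes a JOSE library has already verified the proof's JWS signature against the `jwk` in its header and hands over the decoded header and claims; the DpopValidator class is hypothetical and the JWK values used in testing are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Set

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the key's required members, sorted, without whitespace."""
    members = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canon = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canon.encode()).digest())

def ath_of(access_token: str) -> str:   # the 'ath' claim: base64url(SHA-256(token))
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())

class DpopValidator:
    """Claim checks on a DPoP proof whose signature was already verified (assumed)."""

    def __init__(self, max_age: int = 60):
        self.max_age = max_age
        self.seen_jti: Set[str] = set()       # replay cache; keep entries >= max_age

    def validate(self, header: dict, claims: dict, htm: str, htu: str,
                 access_token: Optional[str] = None, bound_jkt: Optional[str] = None,
                 nonce: Optional[str] = None) -> str:
        alg = header.get("alg") or "none"
        if header.get("typ") != "dpop+jwt" or alg == "none" or alg.startswith("HS"):
            raise ValueError("proof must be an asymmetrically signed dpop+jwt")
        if claims.get("htm") != htm or claims.get("htu") != htu:
            raise ValueError("proof was made for a different method or URI")
        if abs(time.time() - claims.get("iat", 0)) > self.max_age:
            raise ValueError("proof too old or from the future")
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            raise ValueError("missing or replayed jti")
        if nonce is not None and claims.get("nonce") != nonce:
            raise ValueError("server nonce missing or stale")
        jkt = jwk_thumbprint(header["jwk"])
        if access_token is not None:
            # Resource request: ath must hash the presented token, and the proof key must be the one bound at issuance.
            if not hmac.compare_digest(str(claims.get("ath", "")).encode(), ath_of(access_token).encode()):
                raise ValueError("ath does not match the presented access token")
            if bound_jkt is None or not hmac.compare_digest(jkt, bound_jkt):
                raise ValueError("proof key is not the token-bound key")
        self.seen_jti.add(jti)
        return jkt   # at the token endpoint, this becomes the issued token's cnf.jkt
```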

# Multi-Channel Authentication

POST /api/v1.0/auth/multi-channel/initiate

Start session with cascade: Passkey, SMS, WhatsApp, Email

POST /api/v1.0/auth/multi-channel/verify

Verify OTP code sent via SMS or WhatsApp

CRUD /api/v1.0/auth/channels

Manage user auth channels with consent tracking

SMS via Azure Communication Services

WhatsApp via Twilio with webhook opt-out

# Passkey / WebAuthn (FIDO2)

Registration:

POST /api/v1.0/auth/passkey/register/begin

Server returns creation options

POST /api/v1.0/auth/passkey/register/complete

Attestation verified, credential stored

Authentication:

POST /api/v1.0/auth/passkey/authenticate/begin

Server returns assertion options

POST /api/v1.0/auth/passkey/authenticate/complete

Assertion verified, JWT issued

Device biometrics, security keys, platform authenticators

# Passwordless OTP Login

POST /api/v1.0/auth/otp/request

{ "identifier": "user@example.com", "channel": "email" }

6-digit OTP sent via Email or SMS

POST /api/v1.0/auth/otp/verify

{ "identifier": "user@example.com", "code": "123456" }

Code verified, JWT + refresh_token issued

No password required

Per-client toggle for email and SMS OTP

# SMS Password Reset

Step 1:

POST /api/v1.0/auth/forgot-password/sms

6-digit code sent via SMS to verified phone

Step 2:

POST /api/v1.0/auth/forgot-password/sms/verify

Code verified, reset token issued

Step 3:

POST /api/v1.0/auth/reset-password/sms

New password set via reset token

Reset without email access

# Account Recovery

Step 1:

POST /api/v1.0/auth/account-recovery/request

Enter phone number, OTP sent via SMS

Step 2:

POST /api/v1.0/auth/account-recovery/verify

Code verified, reset token + masked email returned

Step 3:

Set new password via SMS reset endpoint

Recover access when email is lost

Identity verified via phone number

# SSO & Session Management

Login (client app redirects to RdnId):

GET /oauth/authorize

client_id, scope=openid, code_challenge, max_age

User authenticates (or skips if session is fresh)

POST /oauth/token

Exchange code for access_token + id_token

{ sub, sid, auth_time, name, email, ... }

Logout (back-channel):

GET /oauth/end-session

RdnId signs out, sends logout_token to all clients

POST client_logout_uri { logout_token: { sub, sid, events } }

sid claim links ID token to session

auth_time tracks when user authenticated

max_age forces re-auth if session is stale

Back-channel logout notifies all clients
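What a client application does with the sid, auth_time and max_age values above and with an incoming logout_token, as an added example rather than RDN Identity's code. The logout_token checks follow OpenID Connect Back-Channel Logout 1.0 and assume the caller has already verified the token's signature with the issuer's JWKS; the ClientSessionStore class is hypothetical.

```python
import time
from typing import Optional

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def needs_reauth(auth_time: int, max_age: Optional[int], now: Optional[int] = None) -> bool:
    """The max_age rule: if the user last authenticated more than max_age
    seconds before now, the SSO session is stale and a fresh login is required."""
    if max_age is None:
        return False
    now = int(time.time()) if now is None else now
    return now - auth_time > max_age


def validate_logout_token(claims: dict, issuer: str, client_id: str,
                          now: Optional[int] = None, skew: int = 120) -> str:
    """Checks from OIDC Back-Channel Logout 1.0 on a decoded logout_token whose
    signature the caller has already verified with the issuer's JWKS (assumption).
    Returns the sid of the session to terminate ('' if only sub was given)."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not addressed to this client")
    if abs(now - claims.get("iat", 0)) > skew:
        raise ValueError("iat outside the acceptable window")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("logout token must carry sub or sid")
    if "nonce" in claims:
        raise ValueError("a nonce marks an ID token, not a logout token")
    if BACKCHANNEL_EVENT not in claims.get("events", {}):
        raise ValueError("missing backchannel-logout event")
    return claims.get("sid", "")


class ClientSessionStore:
    """Hypothetical relying-party session table keyed by the sid claim, which is
    what lets a logout_token for one session leave the user's others alone."""

    def __init__(self):
        self.sessions: dict = {}     # sid -> {"sub": ..., "auth_time": ...}

    def on_id_token(self, claims: dict) -> None:
        self.sessions[claims["sid"]] = {"sub": claims["sub"], "auth_time": claims["auth_time"]}

    def on_logout_token(self, claims: dict, issuer: str, client_id: str) -> bool:
        sid = validate_logout_token(claims, issuer, client_id)
        return self.sessions.pop(sid, None) is not None
```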

Domain Model

User

Identity, 2FA, audit fields

Tenant

Organization, lifecycle, password policy

Role

System and tenant-scoped permissions

TenantClaim

Custom claims per tenant

PasskeyCredential

WebAuthn credentials, attestation

ExternalIdentity

Linked OAuth provider accounts

UserAuthChannel

SMS, WhatsApp, email channels

AuthSession

Multi-channel session tracking

VerificationCode

OTP codes with attempt tracking

RefreshToken

Rotation, replay detection, family

MagicLinkToken

Passwordless login tokens

MessagingConsent

TCPA/GDPR consent audit trail

OAuthClient

Client apps, secrets, branding

OAuthScope

Scope definitions with claim mappings

OAuthClaim

Custom claims for token enrichment

OAuthConsent

User consent grants per client

OAuthClientSession

SSO sessions with sid, auth_time

AuthorizationCode

Auth codes with PKCE verifier

DeviceCode

Device authorization grant tracking

NotificationPref

Per-user channel preferences

NotificationLog

Audited delivery tracking

ApiKey

Partner keys with hash storage

Webhook

Subscriptions, events, delivery

Address

Tenant addresses with type

EmailAddress

Tenant emails with type

PhoneNumber

Tenant phone numbers with type

SystemSettings

Global platform configuration

Webhook Event System

Subscriptions

  • Subscribe to specific event types or "*" for all
  • HMAC-SHA256 signed payloads for verification
  • Optional tenant scoping for multi-tenant
  • Test delivery endpoint for validation

Delivery

  • Background service for async delivery
  • 5 retry attempts with exponential backoff
  • Full delivery attempt tracking and audit
  • Configurable concurrency and batch size