Riptide Solutions

Overview

Riptide Identity is an enterprise-grade Identity and Access Management (IAM) system that provides centralized authentication, authorization, and user management capabilities. It enables organizations to securely manage users, roles, groups, and permissions across multiple applications with a capability-based access control model.

Purpose

Traditional identity management often involves:

1. Fragmented identity silos across different applications
2. Limited cross-application permission management
3. Repetitive implementation of authentication features
4. Complex integration with external identity providers
5. Challenging secrets management and key rotation

Riptide Identity solves these problems by:

1. Centralizing identity management across all registered applications
2. Implementing capability-based access control for fine-grained permissions
3. Providing a unified authentication experience with multi-factor options
4. Seamlessly integrating with external identity providers
5. Offering secure secrets management with key rotation capabilities

Key Capabilities

• Centralized Authentication: Single sign-on across all registered applications
• Passwordless Authentication: Email-based verification code authentication for enhanced user experience and security
• Multi-Factor Authentication: TOTP-based authenticator app support with recovery codes
• External Identity Providers: Integration with Microsoft, Google, GitHub, and Facebook
• Capability-Based Access Control: Fine-grained permissions beyond traditional RBAC
• Effective Dating: Time-based assignment of roles and permissions
• Secure Secrets Management: Encrypted storage of sensitive configuration values
• Comprehensive Audit Logging: Track all changes and security events
• Service Accounts: Secure machine-to-machine authentication with capability-based access control
• Token Introspection: Standards-compliant endpoint for validating and inspecting tokens (RFC 7662)
• Service Account Monitoring: Comprehensive tracking and analytics for service account usage

Identity Model

Riptide Identity implements a flexible identity model:

• Users: End users with authentication credentials and profile information
• Groups: Organizational units for grouping users (departments, teams, etc.)
• Roles: Collections of capabilities that can be assigned to users or groups
• Capabilities: Fine-grained permissions that define what actions can be performed
• Applications: Client applications that integrate with the Identity system
• Service Accounts: Non-human identities for machine-to-machine authentication
• Assignments: Connections between users, groups, roles with effective dating
• Audit Logs: Comprehensive tracking of all identity-related activities

Integration Points

• REST API: Programmatic access to identity services
• JWT Authentication: Secure token-based authentication for services
• Client Libraries: .NET libraries for easy integration
• Identity SDK: Simplifies application integration with the identity system
• Admin UI: Web-based interface for identity management
• OAuth/OIDC Endpoints: Standard protocol endpoints for authentication and authorization

Common Use Cases

• Single Sign-On: Unified authentication across multiple applications
• Passwordless User Experience: Frictionless authentication using only email verification for improved user onboarding and reduced password fatigue
• Authorization Control: Fine-grained access control based on user capabilities
• External Identity Integration: Allow users to sign in with their existing accounts (Microsoft, Google, and others)
• Multi-Factor Security: Enhanced security for sensitive operations
• Delegated Administration: Empowering specific users to manage others within their scope
• Secrets Management: Secure storage and retrieval of sensitive configuration
• Security Auditing: Tracking user activities and security-related events
• Machine-to-Machine Authentication: Secure service-to-service communication using service accounts
• Token Validation: Standards-based token introspection for verifying tokens at resource servers

Security Features

• Multi-Factor Authentication: TOTP-based authenticator app support
• Passwordless Security: SHA256-hashed verification codes with single-use enforcement, automatic expiration, and comprehensive rate limiting
• Encrypted Secrets: Two-tier encryption with master and data encryption keys
• Key Rotation: Support for rotating encryption keys without data loss
• Provider Flexibility: Store secrets in database or external vaults (Azure Key Vault, HashiCorp Vault)
• Rate Limiting: Protection against brute force attacks
• CORS Protection: Configurable Cross-Origin Resource Sharing
• Security Headers: HTTP security headers for enhanced protection
• JWT Security: Secure token configuration with proper expiration and validation
• Service Account Credentials: Cryptographically secure service account keys with automatic expiration
• Service Account Monitoring: Anomaly detection and alerting for suspicious activity
• Token Introspection: RFC 7662 compliant endpoint for validating and inspecting tokens
• Comprehensive Audit Trail: Detailed logging of all authentication and authorization events

Why Riptide Identity

• Security-First Design: Built with security best practices from the ground up
• Extensibility: Easily extensible for custom requirements
• Enterprise-Ready: Designed for high availability and scalability
• Developer-Friendly: Comprehensive documentation and simple integration
• Clean Architecture: Maintainable and testable codebase
• Cloud-Native: Designed for modern cloud deployments
• Standards Compliant: Implements OAuth 2.0 and OpenID Connect standards

Application Registration and Permission Management

Managing Identity Model Components

Applications in Riptide Identity use the capability-based access control model, which should be defined before application registration:

1. Capability Definition:

   • Create fine-grained capabilities specific to your application
   • Use hierarchical naming (e.g., app-name:resource:action)
   • Define capability descriptions and risk levels

2. Role-Based Access:

   • Create roles that bundle related capabilities
   • Define role hierarchies and relationships
   • Document role purposes and required approvals

3. Group Structure:

   • Design organizational group hierarchy
   • Define group membership rules
   • Set up automated group assignment where applicable

Registering Your Application

After defining your capability model, roles, and groups, register your application:

1. Create an Application Registration:

   • Provide basic information (name, description, redirect URIs)
   • Specify the application type (web, native, SPA, service)
   • Define the authentication flow (Authorization Code, Client Credentials, etc.)
   • Associate with previously defined capabilities and roles

2. Configure Access Scopes:

   • Define which user information your application needs
   • Link to the capabilities your application requires
   • Set default roles for new users of your application

3. Obtain Client Credentials:

   • Client ID: Public identifier for your application
   • Client Secret: Private key used to authenticate your application (for confidential clients)
   • Redirect URIs: Approved callback URLs for authentication flows

4. API Registration Example:

   curl -X POST https://identity.example.com/identity/api/apps/register \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer {admin_token}" \
     -d '{
       "name": "Inventory Management System",
       "description": "Enterprise inventory tracking application",
       "vendor": "Acme Industries",
       "productURL": "https://inventory.example.com",
       "host": "inventory.example.com",
       "department": "Operations",
       "productOwner": "jane.smith@example.com",
       "capabilities": [
         {
           "name": "inventory:items:read",
           "description": "Read access to inventory items"
         },
         {
           "name": "inventory:items:write",
           "description": "Write access to inventory items"
         },
         {
           "name": "inventory:reports:view",
           "description": "View inventory reports"
         }
       ],
       "apiAccessKeys": [
         {
           "name": "api-key-1",
           "description": "Primary API access key"
         }
       ]
     }'
   

   Upcoming Features - The following enhancements to application registration are planned:

   # Future application registration with expanded OAuth/OIDC support
   curl -X POST https://identity.example.com/identity/api/apps/register \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer {admin_token}" \
     -d '{
       "name": "Inventory Management System",
       "description": "Enterprise inventory tracking application",
       "vendor": "Acme Industries",
       "productURL": "https://inventory.example.com",
       "host": "inventory.example.com",
       "department": "Operations",
       "productOwner": "jane.smith@example.com",
       
       /* New fields for OAuth/OIDC support */
       "applicationType": "web",
       "clientUri": "https://inventory.example.com",
       "logoUri": "https://inventory.example.com/logo.png",
       "redirectUris": [
         "https://inventory.example.com/callback",
         "https://inventory.example.com/silent-refresh"
       ],
       "allowedCorsOrigins": [
         "https://inventory.example.com"
       ],
       "allowedScopes": [
         "openid", "profile", "email", "inventory-api"
       ],
       "authenticationFlow": {
         "authorizationCode": true,
         "implicit": false,
         "clientCredentials": true,
         "deviceCode": false,
         "refreshToken": true
       },
       "tokenConfiguration": {
         "accessTokenLifetimeMinutes": 60,
         "refreshTokenLifetimeDays": 30,
         "idTokenLifetimeMinutes": 60
       },
       
       /* Existing capabilities and roles support */
       "capabilities": [
         {
           "name": "inventory:items:read",
           "description": "Read access to inventory items"
         },
         {
           "name": "inventory:items:write",
           "description": "Write access to inventory items"
         },
         {
           "name": "inventory:reports:view",
           "description": "View inventory reports"
         }
       ],
       "defaultRoles": [
         "inventory-basic-user"
       ],
       "apiAccessKeys": [
         {
           "name": "api-key-1",
           "description": "Primary API access key"
         }
       ]
     }'
   

Service Account Configuration

For machine-to-machine communication:

• Create service accounts for automated processes and API integrations
• Assign capabilities directly to service accounts (not through roles)
• Generate and manage secure credentials with defined expirations
• Implement regular credential rotation processes
• Monitor usage patterns and set up anomaly detection for security events
• Configure alerts for suspicious authentication attempts or excessive usage
• Use the token introspection endpoint to validate service account tokens

Implementation Workflow

1. Define your capability model based on your application's security requirements
2. Create roles and groups to organize access patterns
3. Register your application in the Riptide Identity Admin UI or via API
4. Integrate authentication using OpenID Connect or OAuth 2.0 protocols
5. Implement capability checks in your application code
6. Set up service accounts for background services and API integrations
7. Configure monitoring for service accounts to detect anomalies and track usage

Security Considerations

• Regularly rotate client secrets and service account credentials
• Use the least privilege principle when requesting capabilities
• Implement proper token validation in your application
• Follow secure coding practices for authentication and authorization
• Regularly audit access patterns and permission assignments
• Utilize the token introspection endpoint to validate tokens at resource servers
• Monitor service account usage and set up alerts for suspicious activities