IDP Deep Dive

This section documents the Identity Provider (IDP) that issues JWT access tokens and supports login, refresh, MFA, OAuth, and password reset. It integrates with Access Control for persistence and authorization.

Overview

The IDP handles:

  • Authentication: Email/password, OAuth (Google/Facebook), passkeys/WebAuthn
  • Token Management: JWT access tokens, refresh tokens, session management
  • MFA: TOTP-based multi-factor authentication
  • Account Lifecycle: Registration, password reset, account deletion/restore

Architecture

[Diagram: IDP Architecture]

Contents

Core Documentation

  • Endpoints — API endpoints for auth operations
  • Configuration — Environment variables and settings
  • Tokens & Sessions — Login response, refresh, logout
  • MFA — Multi-factor authentication
  • OTP — One-time passcode policies
  • OAuth — Google & Facebook integration
  • SAML — Enterprise SSO configuration and metadata flow

Security & Operations

  • Passkeys (WebAuthn/FIDO2)
  • Enterprise SSO (SAML)

Environment Variables

Variable                      Required  Default                                      Description
JWT_SECRET                    Yes       -                                            Secret for signing JWTs
JWT_ACCESS_EXPIRY             No        15m                                          Access token expiry
JWT_REFRESH_EXPIRY            No        7d                                           Refresh token expiry
WEBAUTHN_RP_ID                No        localhost                                    WebAuthn relying party ID
WEBAUTHN_RP_NAME              No        DigiWedge                                    WebAuthn relying party name
WEBAUTHN_ORIGIN               No        http://localhost:3000,http://localhost:4200  Allowed origins (CSV)
IDP_PASSKEYS_ENABLED          No        1                                            Enable passkey endpoints (set 0 to disable)
WEBAUTHN_ATTESTATION_TYPE     No        none                                         Attestation type
WEBAUTHN_USER_VERIFICATION    No        preferred                                    User verification requirement
ENABLE_SAML_METADATA_REFRESH  No        0                                            Enable scheduled SAML metadata refresh job
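The following is an added example, not code from apps/idp: a loader that applies the table's defaults and rejects a configuration that would fail at runtime, in particular a WEBAUTHN_ORIGIN entry whose host is not the WEBAUTHN_RP_ID or a subdomain of it, or that is not https outside localhost. The allowed attestation and user-verification values are taken from the WebAuthn spec, not from this page, and the function and type names are assumptions.

```typescript
// Added example, not the project's own code: load and validate the IDP
// environment variables listed above, applying the table's defaults.
// Allowed attestation / user-verification values come from the WebAuthn spec (assumption).
type Env = Record<string, string | undefined>;

// A WebAuthn origin is scheme://host[:port] with no path, exactly as the browser sends it.
const ORIGIN_RE = /^(https?):\/\/([a-z0-9.-]+)(?::\d{1,5})?$/i;

const flag = (v: string | undefined, dflt: '0' | '1'): boolean => (v ?? dflt) === '1';

function oneOf(name: string, v: string, allowed: readonly string[]): string {
  if (allowed.indexOf(v) === -1) throw new Error(`${name} must be one of: ${allowed.join(', ')}`);
  return v;
}

function loadIdpConfig(env: Env) {
  const jwtSecret = env.JWT_SECRET;
  if (!jwtSecret) throw new Error('JWT_SECRET is required');
  const rpId = (env.WEBAUTHN_RP_ID ?? 'localhost').toLowerCase();
  const origins = (env.WEBAUTHN_ORIGIN ?? 'http://localhost:3000,http://localhost:4200')
    .split(',').map((s) => s.trim()).filter((s) => s.length > 0);
  for (const o of origins) {
    const m = ORIGIN_RE.exec(o);
    if (!m) throw new Error(`malformed WEBAUTHN_ORIGIN entry: ${o}`);
    const scheme = m[1].toLowerCase();
    const host = m[2].toLowerCase();
    // WebAuthn requires the origin host to be the RP ID or a subdomain of it;
    // anything else makes the browser reject every passkey ceremony.
    if (host !== rpId && host.slice(-(rpId.length + 1)) !== '.' + rpId) {
      throw new Error(`origin ${o} is not within WEBAUTHN_RP_ID ${rpId}`);
    }
    // Passkeys need a secure context; plain http is only tolerated on localhost.
    if (scheme !== 'https' && host !== 'localhost') {
      throw new Error(`origin ${o} must use https`);
    }
  }
  return {
    jwtSecret,
    accessExpiry: env.JWT_ACCESS_EXPIRY ?? '15m',
    refreshExpiry: env.JWT_REFRESH_EXPIRY ?? '7d',
    rpId,
    rpName: env.WEBAUTHN_RP_NAME ?? 'DigiWedge',
    origins,
    passkeysEnabled: flag(env.IDP_PASSKEYS_ENABLED, '1'),
    attestation: oneOf('WEBAUTHN_ATTESTATION_TYPE', env.WEBAUTHN_ATTESTATION_TYPE ?? 'none',
      ['none', 'indirect', 'direct', 'enterprise']),
    userVerification: oneOf('WEBAUTHN_USER_VERIFICATION',
      env.WEBAUTHN_USER_VERIFICATION ?? 'preferred', ['required', 'preferred', 'discouraged']),
    samlMetadataRefresh: flag(env.ENABLE_SAML_METADATA_REFRESH, '0'),
  };
}
```

Running the loader at process start turns a silently broken passkey deployment into a failed boot with a clear message.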

Source Modules

  • App: apps/idp
  • K8s: kubernetes/idp/backend/*
  • Access Control data: libs/prisma/access-control-client