# ADR-0008: OpenIddict for identity and OAuth2/OIDC
- Status: Accepted
- Date: 2026-01-01
- Deciders: Security Architect, Identity Lead
- Tags: identity, security, auth
## Context
The platform needs standards-based authentication and token issuance that supports multi-tenancy (tenantId claim), RBAC/ABAC, and service-to-service identities, and that can be embedded in generated products (see Security Architecture). The factory ships an AuthorizationServerTemplate and IdentityTemplate.
## Decision
Use OpenIddict as the OAuth2/OpenID Connect authorization server. Issued tokens are JWTs carrying tenantId, subject, roles, and scopes as claims. Coarse RBAC (role checks) is enforced at the gateway; fine-grained ABAC decisions go through the Governance PolicyEngineService, which evaluates the same claims. Generated products inherit this via the identity/authorization-server templates.
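The following is an added sketch of how the claim model above maps onto OpenIddict, written for this ADR; it is not the factory's AuthorizationServerTemplate. It assumes an `ApplicationDbContext` wired to OpenIddict's Entity Framework Core stores, a `tenant_id` property stored on each client registration, a `LoadCertificate` helper fed by the platform's key management, and the claim name `tenantId` as used on this page. Only the client credentials (service-to-service) grant is shown; the authorization code flow would bind the tenant from the signed-in user instead.

```csharp
// Program.cs (excerpt): OpenIddict server registration plus a token endpoint
// that stamps tenantId, roles and scopes into the access token.
using System.Collections.Immutable;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Text.Json;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;
using OpenIddict.Abstractions;
using OpenIddict.Server.AspNetCore;
using static OpenIddict.Abstractions.OpenIddictConstants;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
builder.Services.AddOpenIddict()
    .AddCore(options =>
    {
        // ApplicationDbContext is assumed; it must expose the OpenIddict entity sets.
        options.UseEntityFrameworkCore().UseDbContext<ApplicationDbContext>();
    })
    .AddServer(options =>
    {
        options.SetTokenEndpointUris("connect/token");
        options.AllowClientCredentialsFlow();                                   // service identities
        options.AllowAuthorizationCodeFlow().RequireProofKeyForCodeExchange();  // interactive users
        options.RegisterScopes("api");

        // Key management is the platform's responsibility (see trade-offs). Registering the
        // current and the next signing certificate publishes both in the JWKS document, so
        // relying parties keep validating tokens while the active key is rotated.
        options.AddSigningCertificate(LoadCertificate("signing-current"))
               .AddSigningCertificate(LoadCertificate("signing-next"))
               .AddEncryptionCertificate(LoadCertificate("encryption-current"));

        // OpenIddict encrypts access tokens by default. A gateway that reads tenantId and
        // role claims itself needs either the decryption key or signed-only JWTs.
        options.DisableAccessTokenEncryption();

        options.UseAspNetCore().EnableTokenEndpointPassthrough();
    })
    .AddValidation(options =>
    {
        options.UseLocalServer();
        options.UseAspNetCore();
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

// Assumed helper: certificates are provisioned by the platform's key management.
static X509Certificate2 LoadCertificate(string name) =>
    new X509Certificate2($"/run/secrets/{name}.pfx", Environment.GetEnvironmentVariable("CERT_PASSWORD"));

[ApiController]
public sealed class AuthorizationController : ControllerBase
{
    private readonly IOpenIddictApplicationManager _applications;
    public AuthorizationController(IOpenIddictApplicationManager applications) => _applications = applications;

    [HttpPost("~/connect/token"), Produces("application/json")]
    public async Task<IActionResult> Exchange()
    {
        var request = HttpContext.GetOpenIddictServerRequest()
            ?? throw new InvalidOperationException("The OpenID Connect request cannot be retrieved.");

        if (!request.IsClientCredentialsGrantType())
        {
            return Forbid(
                authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
                properties: new AuthenticationProperties(new Dictionary<string, string?>
                {
                    [OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.UnsupportedGrantType,
                    [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] =
                        "Only the client credentials grant is handled here."
                }));
        }

        // OpenIddict has already authenticated the client before passthrough reaches this action.
        var application = await _applications.FindByClientIdAsync(request.ClientId!)
            ?? throw new InvalidOperationException("The calling application cannot be found.");

        // The tenant binding comes from the client registration, never from a request parameter,
        // so a client cannot mint a token for another tenant. The "tenant_id" property key is assumed.
        var properties = await _applications.GetPropertiesAsync(application);
        if (!properties.TryGetValue("tenant_id", out JsonElement tenant) || tenant.ValueKind != JsonValueKind.String)
            throw new InvalidOperationException("Client registration is not bound to a tenant.");

        var identity = new ClaimsIdentity(TokenValidationParameters.DefaultAuthenticationType, Claims.Name, Claims.Role);
        identity.SetClaim(Claims.Subject, await _applications.GetClientIdAsync(application));
        identity.SetClaim(Claims.Name, await _applications.GetDisplayNameAsync(application));
        identity.SetClaim("tenantId", tenant.GetString());
        identity.SetClaims(Claims.Role, ImmutableArray.Create("service"));  // coarse RBAC input for the gateway
        identity.SetScopes(request.GetScopes());                           // scopes granted to this client

        // A claim only reaches a token if it has a destination: everything the gateway's RBAC check
        // and the PolicyEngineService's ABAC evaluation rely on must land in the access token.
        identity.SetDestinations(claim => claim.Type switch
        {
            Claims.Subject or Claims.Name or Claims.Role or "tenantId" => new[] { Destinations.AccessToken },
            _ => Array.Empty<string>()
        });

        return SignIn(new ClaimsPrincipal(identity), OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
    }
}
```

Two points worth checking in any template derived from this: the tenantId claim must never be taken from the token request itself, and the destination function must list it explicitly, otherwise OpenIddict silently drops it from the access token and the gateway's tenant isolation check has nothing to evaluate.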
## Decision drivers and consequences
### Positive
- Standards-based, .NET-native auth embeddable in factory and generated products.
- Consistent token/claim model enabling tenant isolation and service identities.
### Negative / trade-offs
- Operating the authorization server, including signing and encryption key management and rotation, is the platform's responsibility rather than a managed provider's.
### Neutral
- External IdPs can federate into OpenIddict where required.
## Alternatives considered
| Alternative | Why not chosen |
|---|---|
| Managed IdP only (e.g. Entra ID) | Less control for embedding in generated multi-tenant products; federation still supported. |
| Duende IdentityServer | Licensing/cost considerations; OpenIddict meets needs. |