# IAM Service Architecture > **Enterprise-Grade Identity & Access Management Platform** > > This document describes the complete architecture of the IAM Service, including system components, data flows, security model, and integration patterns. ## Table of Contents - [Overview](#overview) - [Overall Architecture](#overall-architecture) - [Authentication Flows](#authentication-flows) - [Authorization Model](#authorization-model) - [Caching Strategy](#caching-strategy) - [Module Dependencies](#module-dependencies) - [Data Architecture](#data-architecture) - [Security Architecture](#security-architecture) - [Observability](#observability) - [Deployment Architecture](#deployment-architecture) --- ## Overview The IAM Service is a comprehensive Identity and Access Management platform providing: ### Core Capabilities | Capability | Description | Modules | |------------|-------------|---------| | **Authentication** | User identity verification | Auth, Social, OIDC, MFA | | **Authorization** | Access control and permissions | RBAC, ABAC, Policy Engine | | **Identity Management** | User lifecycle and profiles | Users, Profiles, Organizations, Groups | | **Access Governance** | Request workflows and reviews | Requests, Reviews, Analytics | | **Compliance** | Regulatory compliance reporting | GDPR, SOC2, ISO27001, Risk Management | | **Security** | Zero-trust and threat protection | Zero-Trust, Audit, Encryption | | **Performance** | High-speed access with caching | Multi-layer Cache, Connection Pool | ### Key Metrics - **50+ API Endpoints** across 10 feature modules - **30+ Database Models** with comprehensive relationships - **7 Authentication Methods** (password, social x3, OIDC, MFA x2) - **Multi-layer Caching** (Memory → Redis → PostgreSQL) - **Zero-Trust Security** with device fingerprinting - **Enterprise Compliance** (GDPR, SOC2, ISO27001, HIPAA) --- ## Overall Architecture The IAM Service follows a layered architecture pattern with clear separation of concerns: ```mermaid graph TB subgraph "Client Layer" WebApp[Web Application
React/Vue/Angular] MobileApp[Mobile App
iOS/Android/React Native] Service[Other Microservices
Product/Order/Payment] end subgraph "API Gateway" Traefik[Traefik Gateway
Load Balancer + Routing
Port 80/443] end subgraph "IAM Service - Port 3001" subgraph "Middleware Stack" Correlation[Correlation ID
Request Tracking] Logger[Request Logger
Winston] ZeroTrust[Zero-Trust Validator
Device + Location + Behavior] RateLimit[Dynamic Rate Limiter
Redis-backed
50-1000 req/15min] Auth[Authentication
JWT Verification] RBAC[Authorization
RBAC + ABAC] end subgraph "Core Authentication Modules" AuthModule[Auth Module
Login/Register/Logout] TokenModule[Token Module
JWT + Cookie Management] SessionModule[Session Module
Device Fingerprinting] SocialModule[Social Auth
Google/FB/GitHub] OIDCModule[OIDC Provider
OpenID Connect] MFAModule[MFA Module
TOTP/WebAuthn] RBACModule[RBAC Module
Roles + Permissions] end subgraph "Identity Management Modules" UserModule[User Lifecycle
CRUD + Bulk Ops] ProfileModule[Profile Management
Avatar + Custom Fields] VerificationModule[Identity Verification
Email/Phone/Document] OrgModule[Organizations
Multi-tenant Hierarchy] GroupModule[Groups
Group-based Access] end subgraph "Access Management Modules" RequestModule[Access Requests
Approval Workflows] ReviewModule[Access Reviews
Certification Campaigns] AnalyticsModule[Access Analytics
Usage + Risk Analysis] end subgraph "Governance Modules" ComplianceModule[Compliance
GDPR/SOC2/ISO27001] PolicyModule[Policy Governance
Templates + Versioning] RiskModule[Risk Management
Scoring + Detection] ReportingModule[Reporting
Dashboards + Exports] end subgraph "Core Services" CacheService[Multi-layer Cache
Memory → Redis
TTL: 60s-15min] AuditService[Audit Logging
Event Sourcing
AuthEvent Model] SecurityService[Security Services
Encryption + Hashing] end end subgraph "Data Layer" PostgreSQL[(PostgreSQL 14+
Primary Database
Connection Pool
30+ Models)] Redis[(Redis 6+
Cache + Sessions
Rate Limits + Locks)] end subgraph "External Services (Future)" EmailService[Email Service
Verification + Notifications] SMSService[SMS Service
OTP + Phone Verification] FileStorage[File Storage
S3/GCS for Avatars] end subgraph "Observability Stack" Prometheus[Prometheus
Metrics Collection] Jaeger[Jaeger
Distributed Tracing] Logs[Structured Logs
Winston + Loki] end %% Client to Gateway WebApp --> Traefik MobileApp --> Traefik Service --> Traefik %% Gateway to Middleware Traefik --> Correlation Correlation --> Logger Logger --> ZeroTrust ZeroTrust --> RateLimit RateLimit --> Auth Auth --> RBAC %% Middleware to Modules RBAC --> AuthModule RBAC --> UserModule RBAC --> RequestModule RBAC --> ComplianceModule %% Module Dependencies AuthModule --> TokenModule AuthModule --> SessionModule AuthModule --> SocialModule AuthModule --> OIDCModule AuthModule --> MFAModule AuthModule --> RBACModule UserModule --> ProfileModule UserModule --> VerificationModule UserModule --> OrgModule UserModule --> GroupModule RequestModule --> ReviewModule RequestModule --> AnalyticsModule ComplianceModule --> PolicyModule ComplianceModule --> RiskModule ComplianceModule --> ReportingModule %% Core Services AuthModule --> CacheService UserModule --> CacheService RBACModule --> CacheService AuthModule --> AuditService RequestModule --> AuditService ComplianceModule --> AuditService AuthModule --> SecurityService %% Data Layer CacheService --> Redis CacheService --> PostgreSQL AuthModule --> PostgreSQL UserModule --> PostgreSQL RequestModule --> PostgreSQL ComplianceModule --> PostgreSQL %% External Services (dashed - not yet integrated) VerificationModule -.-> EmailService VerificationModule -.-> SMSService ProfileModule -.-> FileStorage %% Observability AuthModule -.-> Prometheus UserModule -.-> Prometheus RequestModule -.-> Prometheus ComplianceModule -.-> Prometheus CacheService -.-> Jaeger AuditService -.-> Logs style ZeroTrust fill:#ff9999 style CacheService fill:#99ccff style PostgreSQL fill:#cc99ff style Redis fill:#ffcc99 style AuditService fill:#99ff99 ``` ### Architecture Highlights 1. **Layered Middleware**: Every request passes through 6 middleware layers (correlation, logging, zero-trust, rate limiting, authentication, authorization) 2. **Modular Design**: 10 independent feature modules with clear boundaries 3. **Multi-layer Caching**: Memory (60s) → Redis (5-15min) → PostgreSQL for optimal performance 4. **Event Sourcing**: All authentication and authorization events logged for audit compliance 5. **Zero-Trust Security**: Continuous validation of device, location, and behavior 6. **Dynamic Rate Limiting**: Role-based limits (50-1000 req/15min) --- ## Authentication Flows ### Password-Based Authentication Standard email/password authentication with bcrypt hashing and JWT token generation: ```mermaid sequenceDiagram participant Client participant Middleware participant AuthService participant RBACService participant Database participant Redis participant AuditService Client->>Middleware: POST /api/v1/auth/login
{email, password} Middleware->>Middleware: 1. Correlation ID Middleware->>Middleware: 2. Zero-Trust Validation
(Device + IP + Behavior) Middleware->>Middleware: 3. Rate Limit Check
(5 login/15min) Middleware->>AuthService: login(email, password) AuthService->>Database: Find user by email Database-->>AuthService: User record AuthService->>AuthService: Verify password
(bcrypt compare, cost=12) alt Password Invalid AuthService->>AuditService: Log LOGIN_FAILED event AuditService->>Database: Save AuthEvent AuthService-->>Client: 401 Unauthorized
"Invalid credentials" else Password Valid & MFA Disabled AuthService->>RBACService: Get user roles + permissions RBACService->>Database: Query UserRole, UserPermission Database-->>RBACService: Roles + Permissions RBACService-->>AuthService: ["ADMIN"], ["users:read:all"] AuthService->>AuthService: Generate JWT tokens
Access: 15min
Refresh: 7 days AuthService->>Database: Save refresh token AuthService->>Redis: Cache user data
TTL: 15min AuthService->>Redis: Cache permissions
TTL: 5min AuthService->>Database: Create session
(device fingerprint) AuthService->>Database: Update lastLoginAt, loginCount AuthService->>AuditService: Log LOGIN_SUCCESS event AuthService-->>Client: 200 OK
{user, tokens}
Set-Cookie: refresh_token else Password Valid & MFA Enabled AuthService-->>Client: 200 OK
{mfaRequired: true} Note over Client: Prompt for MFA code Client->>Middleware: POST /api/v1/mfa/verify
{token: "123456"} Note over Middleware,AuthService: MFA verification flow... end ``` **Key Security Features:** - Bcrypt password hashing (cost factor 12 in production) - Token family tracking for rotation security - Device fingerprinting for session management - Zero-trust validation before authentication - Comprehensive audit logging ### Social Authentication Flow OAuth 2.0 integration with Google, Facebook, and GitHub: ```mermaid sequenceDiagram participant Client participant IAM participant Google as Google OAuth participant Database participant Redis Client->>IAM: GET /api/v1/auth/social/google IAM->>IAM: Generate state token
(CSRF protection) IAM->>Redis: Store state token
TTL: 10min IAM-->>Client: 302 Redirect to Google
with state param Client->>Google: OAuth consent screen Google-->>Client: Authorization code + state Client->>IAM: GET /api/v1/auth/social/google/callback
?code=xxx&state=yyy IAM->>Redis: Verify state token alt State Invalid IAM-->>Client: 401 CSRF token invalid else State Valid IAM->>Google: Exchange code for tokens Google-->>IAM: Access token + User profile IAM->>Database: Find or create user
by provider + providerId alt User Found IAM->>Database: Update social account tokens else New User IAM->>Database: Create user + social account IAM->>Database: Assign default role (USER) end IAM->>IAM: Generate IAM JWT tokens IAM->>Redis: Cache user + permissions IAM->>Database: Create session IAM-->>Client: 302 Redirect to app
with tokens in URL/cookie end ``` **Supported Providers:** - Google OAuth 2.0 - Facebook OAuth - GitHub OAuth - Apple Sign-In (future) - Microsoft OAuth (future) ### MFA (Multi-Factor Authentication) Flow TOTP-based two-factor authentication using authenticator apps: ```mermaid sequenceDiagram participant Client participant IAM participant Authenticator as Authenticator App participant Database Note over Client,Database: MFA Enrollment Phase Client->>IAM: POST /api/v1/mfa/totp/enable Note over Client: User must be authenticated IAM->>IAM: Generate TOTP secret (32 chars) IAM->>IAM: Generate QR code
(otpauth://totp/...) IAM-->>Client: {secret, qrCode, backupCodes} Client->>Authenticator: Scan QR code Authenticator-->>Client: Display 6-digit TOTP Client->>IAM: POST /api/v1/mfa/totp/verify
{token: "123456"} IAM->>IAM: Verify TOTP token
(30s window, ±1 interval) alt Token Valid IAM->>Database: Create MFADevice record
(type: TOTP, secret: encrypted) IAM->>Database: Update user.mfaEnabled = true IAM-->>Client: 200 OK MFA enabled else Token Invalid IAM-->>Client: 401 Invalid TOTP token end Note over Client,Database: MFA Login Phase Client->>IAM: POST /api/v1/auth/login
{email, password} IAM->>Database: Verify credentials alt MFA Required IAM-->>Client: 200 OK {mfaRequired: true} Client->>Authenticator: Get current TOTP Authenticator-->>Client: Current 6-digit code Client->>IAM: POST /api/v1/mfa/totp/validate
{userId, token} IAM->>Database: Get MFADevice for user IAM->>IAM: Verify TOTP token alt Token Valid IAM->>IAM: Generate full JWT tokens IAM->>Database: Create session IAM->>Database: Update device.lastUsedAt IAM-->>Client: 200 OK {user, tokens} else Token Invalid IAM-->>Client: 401 Invalid MFA token end end ``` **MFA Features:** - TOTP (Time-based One-Time Password) via authenticator apps - QR code generation for easy enrollment - Backup codes for account recovery - Multiple MFA devices per user - WebAuthn/FIDO2 framework (future implementation) --- ## Authorization Model The IAM Service implements a hybrid authorization model combining RBAC (Role-Based Access Control) and ABAC (Attribute-Based Access Control): ### Authorization Decision Flow ```mermaid flowchart TD Start[Request to Protected Resource] --> Auth{Authenticated?} Auth -->|No| Deny401[401 Unauthorized
Authentication required] Auth -->|Yes| Cache{Permission
in Cache?} Cache -->|Hit| CacheValue{Cache
Value?} CacheValue -->|Allow| Allow[Access Granted] CacheValue -->|Deny| Deny403Cache[403 Forbidden
Cached denial] Cache -->|Miss| LoadPerms[Load Permissions
from Database] LoadPerms --> DirectPerms{Has Direct
User Permission?} DirectPerms -->|Explicit Deny| Deny403A[403 Forbidden
Explicit permission denial] DirectPerms -->|Explicit Allow| Allow DirectPerms -->|None| RolePerms{Has Role
Permission?} RolePerms -->|Yes| CheckExpiry{Role
Expired?} RolePerms -->|No| GroupPerms{Has Group
Permission?} CheckExpiry -->|Yes| GroupPerms CheckExpiry -->|No| Allow GroupPerms -->|Yes| Allow GroupPerms -->|No| ABACCheck{ABAC Policy
Exists?} ABACCheck -->|No Policies| DefaultDeny[403 Forbidden
Default deny - No permissions] ABACCheck -->|Has Policies| EvaluatePolicies[Evaluate Policies
by Priority] EvaluatePolicies --> EvalConditions{Policy
Conditions?} EvalConditions -->|Time-based| CheckTime{Current time
in range?} EvalConditions -->|Location-based| CheckLocation{IP in
allowed range?} EvalConditions -->|Attribute-based| CheckAttrs{Attributes
match?} CheckTime -->|Yes| PolicyEffect{Policy
Effect?} CheckTime -->|No| NextPolicy{More
Policies?} CheckLocation -->|Yes| PolicyEffect CheckLocation -->|No| NextPolicy CheckAttrs -->|Yes| PolicyEffect CheckAttrs -->|No| NextPolicy PolicyEffect -->|ALLOW| Allow PolicyEffect -->|DENY| Deny403Policy[403 Forbidden
Policy denial] NextPolicy -->|Yes| EvaluatePolicies NextPolicy -->|No| DefaultDeny Allow --> CacheResult[Cache Result
TTL: 5min] CacheResult --> AuditLog[Log Access Event
to AuthEvent] AuditLog --> Success[200 OK
Process request] style Auth fill:#e1f5fe style DirectPerms fill:#fff3e0 style RolePerms fill:#f3e5f5 style GroupPerms fill:#e8f5e9 style ABACCheck fill:#fce4ec style Allow fill:#c8e6c9 style Deny401 fill:#ffcdd2 style Deny403A fill:#ffcdd2 style Deny403Cache fill:#ffcdd2 style Deny403Policy fill:#ffcdd2 style DefaultDeny fill:#ffcdd2 ``` ### Permission Model The IAM Service uses a hierarchical permission model: **Permission Format**: `resource:action:scope` - **Resource**: The entity being accessed (e.g., `users`, `products`, `orders`) - **Action**: The operation being performed (e.g., `read`, `create`, `update`, `delete`) - **Scope**: The access boundary (e.g., `own`, `team`, `all`) **Examples**: - `users:read:all` - Read all users - `users:update:own` - Update own user profile - `products:create:team` - Create products for team - `orders:delete:all` - Delete any order (admin) ### Authorization Hierarchy ``` 1. Direct User Permissions (HIGHEST PRIORITY) ↓ (if not found or not denied) 2. Role Permissions ↓ (if not found) 3. Group Permissions ↓ (if not found) 4. ABAC Policies (evaluated by priority) ↓ (if no policies match) 5. Default Deny (LOWEST PRIORITY) ``` ### RBAC (Role-Based Access Control) ```mermaid graph LR User[User] --> UserRole1[UserRole] User --> UserRole2[UserRole] User --> UserPerm[UserPermission
Direct Override] UserRole1 --> Role1[ADMIN Role] UserRole2 --> Role2[MANAGER Role] Role1 --> RolePerm1[RolePermission] Role1 --> RolePerm2[RolePermission] Role2 --> RolePerm3[RolePermission] RolePerm1 --> Perm1[users:*:all] RolePerm2 --> Perm2[products:*:all] RolePerm3 --> Perm3[orders:read:team] UserPerm --> Perm4[analytics:read:all] Group[Group] --> GroupMember[GroupMember] GroupMember --> User Group --> GroupPerm[GroupPermission] GroupPerm --> Perm5[reports:read:all] style User fill:#e1f5fe style Role1 fill:#f3e5f5 style Role2 fill:#f3e5f5 style Group fill:#e8f5e9 style Perm1 fill:#fff3e0 style Perm2 fill:#fff3e0 style Perm3 fill:#fff3e0 style Perm4 fill:#ffccbc style Perm5 fill:#c8e6c9 ``` **Features:** - Multiple roles per user - Temporary role assignments with expiration - Direct user permissions (can override roles) - Group-based permissions - Permission caching (5 minutes TTL) ### ABAC (Attribute-Based Access Control) ```mermaid graph TD Request[Access Request] --> PolicyEngine[Policy Engine] PolicyEngine --> LoadPolicies[Load Policies
for Resource] LoadPolicies --> SortPolicies[Sort by Priority
Descending] SortPolicies --> EvaluatePolicy[Evaluate Policy
Conditions] EvaluatePolicy --> TimeCondition{Time-based
Condition?} EvaluatePolicy --> LocationCondition{Location-based
Condition?} EvaluatePolicy --> AttributeCondition{Attribute-based
Condition?} TimeCondition --> CheckTime[Check current time
vs allowed hours] LocationCondition --> CheckIP[Check IP address
vs allowed ranges] AttributeCondition --> CheckAttrs[Check user attributes
vs required values] CheckTime --> ConditionMet{All Conditions
Met?} CheckIP --> ConditionMet CheckAttrs --> ConditionMet ConditionMet -->|Yes| ApplyEffect{Policy
Effect?} ConditionMet -->|No| NextPolicy{More
Policies?} ApplyEffect -->|ALLOW| Allow[Access Granted] ApplyEffect -->|DENY| Deny[Access Denied] NextPolicy -->|Yes| EvaluatePolicy NextPolicy -->|No| DefaultDeny[Default Deny] style PolicyEngine fill:#f3e5f5 style ConditionMet fill:#fff3e0 style Allow fill:#c8e6c9 style Deny fill:#ffcdd2 style DefaultDeny fill:#ffcdd2 ``` **Policy Example (JSON Logic)**: ```json { "name": "Business Hours Only", "resource": "sensitive_data", "condition": { "and": [ { ">=": [{"var": "hour"}, 9] }, { "<=": [{"var": "hour"}, 17] }, { "in": [{"var": "day"}, [1, 2, 3, 4, 5]] } ] }, "effect": "ALLOW", "priority": 100 } ``` --- ## Caching Strategy The IAM Service implements a multi-layer caching strategy for optimal performance: ```mermaid graph TB Request[Incoming Request] --> CheckL1{L1 Cache
Node.js Memory} CheckL1 -->|Cache Hit| L1Hit[Fast Response
< 1ms latency] CheckL1 -->|Cache Miss| CheckL2{L2 Cache
Redis} CheckL2 -->|Cache Hit| L2Hit[Medium Response
< 10ms latency] CheckL2 -->|Cache Miss| Database[(PostgreSQL
Source of Truth)] Database --> UpdateL2[Update L2 Cache
Write to Redis] UpdateL2 --> UpdateL1[Update L1 Cache
Write to Memory] UpdateL1 --> Response[Return Response] L2Hit --> UpdateL1 L1Hit --> Response subgraph "Cache Layers" L1Cache[L1: In-Memory Cache
node-cache
TTL: 60 seconds
Hot data only] L2Cache[L2: Redis Cache
ioredis
TTL: 5-15 minutes
Distributed] DBLayer[L3: PostgreSQL
Prisma ORM
Source of truth
Persistent] end subgraph "Cached Data Types" UserData[User Data
TTL: 15min] Permissions[Permissions
TTL: 5min] Tokens[Token Validation
TTL: Token lifetime] Sessions[Sessions
TTL: Session lifetime] Roles[User Roles
TTL: 5min] end style L1Hit fill:#90EE90 style L2Hit fill:#87CEEB style Database fill:#FFB6C1 style L1Cache fill:#c8e6c9 style L2Cache fill:#bbdefb style DBLayer fill:#f8bbd0 ``` ### Cache Configuration | Data Type | L1 TTL | L2 TTL | Invalidation Strategy | |-----------|--------|--------|----------------------| | User Data | 60s | 15min | On update/delete | | Permissions | 60s | 5min | On role/permission change | | User Roles | 60s | 5min | On role assignment/revocation | | Token Validation | N/A | Token lifetime | On logout/revocation | | Sessions | N/A | Session lifetime | On logout | | Rate Limit Counters | N/A | 15min window | Time-based expiry | ### Cache Invalidation ```typescript // Example: Invalidate user caches when permissions change await rbacService.grantPermission(userId, permissionId); // Automatically invalidates: // - cacheService.keys.userPermissions(userId) // - cacheService.keys.userRoles(userId) ``` --- ## Module Dependencies The IAM Service is organized into 10 feature modules with clear dependencies: ```mermaid graph TD subgraph "Presentation Layer" Routes[Routes/Controllers
50+ Endpoints] end subgraph "Business Logic Layer" subgraph "Core Auth" AuthModule[Auth Module
Login/Register/Logout] TokenModule[Token Module
JWT + Cookies] SessionModule[Session Module
Device Tracking] end subgraph "Extended Auth" RBACModule[RBAC Module
Roles + Permissions] SocialModule[Social Auth
Google/FB/GitHub] OIDCModule[OIDC Module
Provider + Client] MFAModule[MFA Module
TOTP/WebAuthn] end subgraph "Identity" IdentityModule[Identity Module
Users + Profiles] OrgModule[Organization Module
Multi-tenancy] GroupModule[Group Module
Group Permissions] end subgraph "Access Governance" AccessModule[Access Module
Requests + Reviews] AnalyticsModule[Analytics Module
Usage Analysis] end subgraph "Compliance" GovernanceModule[Governance Module
Compliance + Risk] end end subgraph "Core Services Layer" CacheService[Cache Service
Multi-layer] AuditService[Audit Service
Event Sourcing] SecurityService[Security Service
Encryption] FeatureService[Feature Flags
Runtime Config] end subgraph "Data Access Layer" Repositories[Repositories
Data Access
Prisma ORM] end subgraph "Infrastructure" Database[(PostgreSQL
30+ Models)] Redis[(Redis
Cache + Locks)] end %% Routes to Modules Routes --> AuthModule Routes --> IdentityModule Routes --> AccessModule Routes --> GovernanceModule %% Core Auth Dependencies AuthModule --> TokenModule AuthModule --> SessionModule AuthModule --> SocialModule AuthModule --> OIDCModule AuthModule --> MFAModule AuthModule --> RBACModule %% Identity Dependencies IdentityModule --> OrgModule IdentityModule --> GroupModule IdentityModule --> RBACModule %% Access Dependencies AccessModule --> AnalyticsModule AccessModule --> RBACModule %% Governance Dependencies GovernanceModule --> RBACModule %% Core Services AuthModule --> CacheService IdentityModule --> CacheService RBACModule --> CacheService AuthModule --> AuditService AccessModule --> AuditService GovernanceModule --> AuditService AuthModule --> SecurityService AuthModule --> FeatureService %% Data Access AuthModule --> Repositories IdentityModule --> Repositories AccessModule --> Repositories GovernanceModule --> Repositories RBACModule --> Repositories Repositories --> Database CacheService --> Redis CacheService --> Database style AuthModule fill:#e1f5fe style RBACModule fill:#f3e5f5 style IdentityModule fill:#fff3e0 style AccessModule fill:#e8f5e9 style GovernanceModule fill:#fce4ec style CacheService fill:#bbdefb style AuditService fill:#c8e6c9 style SecurityService fill:#ffccbc ``` ### Module Descriptions | Module | Responsibility | Key Files | |--------|---------------|-----------| | **Auth** | User authentication and token management | `auth.service.ts`, `auth.controller.ts` | | **Token** | JWT generation, validation, and refresh | `jwt.service.ts`, `cookie.service.ts` | | **Session** | Session lifecycle and device management | `session.service.ts` | | **RBAC** | Role and permission management | `rbac.service.ts`, `rbac.middleware.ts` | | **Social** | OAuth integration with external providers | `social.service.ts`, `google.strategy.ts` | | **OIDC** | OpenID Connect provider and client | `oidc-provider.service.ts` | | **MFA** | Multi-factor authentication | `mfa.service.ts`, `totp.service.ts` | | **Identity** | User lifecycle and profile management | `user.service.ts`, `profile.service.ts` | | **Organization** | Multi-tenant organization support | `organization.service.ts` | | **Group** | Group-based access control | `group.service.ts` | | **Access** | Access request workflows and reviews | `request.service.ts`, `review.service.ts` | | **Analytics** | Access analytics and reporting | `analytics.service.ts` | | **Governance** | Compliance, policy, and risk management | `compliance.service.ts`, `risk.service.ts` | | **Cache** | Multi-layer caching (Memory + Redis) | `cache.service.ts` | | **Audit** | Event sourcing and audit logging | `audit.service.ts` | | **Security** | Encryption, hashing, zero-trust | `zero-trust.validator.ts` | --- ## Data Architecture The IAM Service uses PostgreSQL with 30+ Prisma models. See [DATA-MODEL.md](./concepts/DATA-MODEL.md) for complete Entity Relationship Diagram. ### Model Categories 1. **Core Authentication** (7 models): - User, Session, RefreshToken, AuthEvent, SocialAccount, MFADevice, Policy 2. **Authorization** (6 models): - Role, Permission, UserRole, RolePermission, UserPermission, GroupPermission 3. **Identity Management** (6 models): - Organization, Group, GroupMember, UserProfile, IdentityVerification 4. **Access Management** (4 models): - AccessRequest, AccessRequestApprover, AccessReview, AccessReviewItem 5. **Governance** (3 models): - ComplianceReport, PolicyTemplate, RiskScore ### Key Relationships ``` User (1) ─── (*) UserRole ─── (*) Role ─── (*) RolePermission ─── (*) Permission User (1) ─── (*) UserPermission ─── (*) Permission User (1) ─── (*) Session User (1) ─── (1) UserProfile User (1) ─── (*) AccessRequest Organization (1) ─── (*) User Organization (1) ─── (*) Group ─── (*) GroupMember ─── (*) User ``` --- ## Security Architecture The IAM Service implements defense-in-depth security with multiple layers: ### Security Layers ```mermaid graph TB Request[Incoming Request] --> Layer1[Layer 1: Network Security
Traefik Gateway + TLS] Layer1 --> Layer2[Layer 2: Zero-Trust Validation
Device + Location + Behavior] Layer2 --> Layer3[Layer 3: Rate Limiting
Dynamic by Role
50-1000 req/15min] Layer3 --> Layer4[Layer 4: Authentication
JWT Validation
Token Expiry: 15min] Layer4 --> Layer5[Layer 5: Authorization
RBAC + ABAC
Permission Checking] Layer5 --> Layer6[Layer 6: Input Validation
Zod Schemas
Sanitization] Layer6 --> Layer7[Layer 7: Audit Logging
Event Sourcing
All Actions Logged] Layer7 --> ProcessRequest[Process Request] style Layer1 fill:#ffccbc style Layer2 fill:#ff9999 style Layer3 fill:#ffb74d style Layer4 fill:#fff176 style Layer5 fill:#aed581 style Layer6 fill:#4dd0e1 style Layer7 fill:#9575cd style ProcessRequest fill:#c8e6c9 ``` ### Security Features | Feature | Implementation | Location | |---------|---------------|----------| | **Zero-Trust** | Device fingerprinting, location, behavior analysis | `zero-trust.validator.ts` | | **Password Hashing** | bcrypt (cost factor 12) | `auth.service.ts:43` | | **Token Security** | JWT with HS256, 15min expiry, token rotation | `jwt.service.ts` | | **CSRF Protection** | State tokens for OAuth, SameSite cookies | `cookie.service.ts` | | **Rate Limiting** | Redis-backed, dynamic by role | `rate-limit.middleware.ts` | | **Input Validation** | Zod schemas, sanitization | `validation.middleware.ts` | | **Audit Logging** | Event sourcing (AuthEvent model) | `audit.service.ts` | | **Session Security** | Device fingerprinting, IP tracking | `session.service.ts` | | **MFA** | TOTP with 30s window, backup codes | `mfa.service.ts` | ### Threat Mitigation | Threat | Mitigation | |--------|-----------| | **Brute Force** | Login rate limiting (5 attempts/15min), account lockout | | **Token Theft** | Short token lifetime (15min), token rotation, device binding | | **CSRF** | SameSite cookies, state tokens for OAuth | | **XSS** | Content Security Policy, HttpOnly cookies | | **SQL Injection** | Prisma ORM parameterized queries | | **Session Hijacking** | Device fingerprinting, IP validation | | **Privilege Escalation** | Strict permission checks, audit logging | | **Replay Attacks** | Token expiry, nonce for OAuth | --- ## Observability The IAM Service provides comprehensive observability with metrics, logs, and traces: ### Observability Stack ```mermaid graph TB subgraph "IAM Service" Application[Application Code] Application --> MetricsCollector[Metrics Collector
Prometheus Format] Application --> Logger[Structured Logger
Winston] Application --> Tracer[Distributed Tracer
Jaeger Client] end subgraph "Collection Layer" Prometheus[Prometheus
Metrics Storage] Loki[Loki
Log Aggregation] Jaeger[Jaeger
Trace Storage] end subgraph "Visualization Layer" Grafana[Grafana
Dashboards + Alerts] end MetricsCollector --> Prometheus Logger --> Loki Tracer --> Jaeger Prometheus --> Grafana Loki --> Grafana Jaeger --> Grafana Grafana --> Alerts[Alert Manager
Notifications] style Application fill:#e1f5fe style Prometheus fill:#f3e5f5 style Loki fill:#fff3e0 style Jaeger fill:#e8f5e9 style Grafana fill:#fce4ec ``` ### Metrics (Prometheus) **Collected Metrics:** - HTTP request duration (histogram) - HTTP request count (counter) - HTTP response status codes (counter) - Active sessions (gauge) - Cache hit/miss ratio (counter) - Database query duration (histogram) - Authentication success/failure rate (counter) - Permission check duration (histogram) **Endpoints:** - `/metrics` - Prometheus metrics endpoint - `/health/live` - Liveness probe - `/health/ready` - Readiness probe ### Logging (Winston) **Log Levels:** ERROR, WARN, INFO, DEBUG **Structured Log Format:** ```json { "level": "info", "message": "User logged in", "timestamp": "2024-01-01T00:00:00.000Z", "correlationId": "req-123-456", "userId": "user-789", "email": "user@example.com", "service": "iam-service" } ``` ### Tracing (Jaeger) **Trace Spans:** - HTTP request handling - Database queries - Cache operations - External API calls - Authentication flow - Authorization checks **Correlation IDs:** - Every request gets a unique correlation ID - Propagated across service calls - Included in all logs and traces --- ## Deployment Architecture The IAM Service can be deployed in multiple configurations: ### Local Development ```mermaid graph LR Developer[Developer
Localhost] --> LocalIAM[IAM Service
pnpm dev
Port 3001] LocalIAM --> LocalDB[(PostgreSQL
Docker
Port 5432)] LocalIAM --> LocalRedis[(Redis
Docker
Port 6379)] style LocalIAM fill:#e1f5fe style LocalDB fill:#f3e5f5 style LocalRedis fill:#fff3e0 ``` ### Docker Compose (Multi-Service) ```mermaid graph TB subgraph "Docker Compose Network" Traefik[Traefik Gateway
Port 80/443] Traefik --> IAMService[IAM Service
Port 3001] Traefik --> ProductService[Product Service
Port 3002] Traefik --> OrderService[Order Service
Port 3003] IAMService --> SharedDB[(PostgreSQL
Port 5432)] IAMService --> SharedRedis[(Redis
Port 6379)] ProductService --> SharedDB ProductService --> SharedRedis OrderService --> SharedDB OrderService --> SharedRedis end style Traefik fill:#ffecb3 style IAMService fill:#e1f5fe style SharedDB fill:#f3e5f5 style SharedRedis fill:#fff3e0 ``` ### Kubernetes (Production) ```mermaid graph TB subgraph "Ingress Layer" Ingress[Ingress Controller
NGINX/Traefik
TLS Termination] end subgraph "Application Layer" IAMPod1[IAM Pod 1
Replica 1] IAMPod2[IAM Pod 2
Replica 2] IAMPod3[IAM Pod 3
Replica 3] IAMService[IAM Service
ClusterIP] end subgraph "Data Layer" PostgreSQL[(PostgreSQL
StatefulSet
Persistent Volume)] Redis[(Redis
StatefulSet
Sentinel HA)] end subgraph "Observability" Prometheus[Prometheus
Metrics] Jaeger[Jaeger
Tracing] Loki[Loki
Logs] end Ingress --> IAMService IAMService --> IAMPod1 IAMService --> IAMPod2 IAMService --> IAMPod3 IAMPod1 --> PostgreSQL IAMPod1 --> Redis IAMPod2 --> PostgreSQL IAMPod2 --> Redis IAMPod3 --> PostgreSQL IAMPod3 --> Redis IAMPod1 -.-> Prometheus IAMPod1 -.-> Jaeger IAMPod1 -.-> Loki style Ingress fill:#ffecb3 style IAMPod1 fill:#e1f5fe style IAMPod2 fill:#e1f5fe style IAMPod3 fill:#e1f5fe style PostgreSQL fill:#f3e5f5 style Redis fill:#fff3e0 ``` ### Production Best Practices 1. **High Availability**: - Multiple IAM service replicas (3+) - PostgreSQL replication (primary + standby) - Redis Sentinel for failover 2. **Security**: - TLS/SSL for all connections - Network policies for pod-to-pod communication - Secrets management (HashiCorp Vault, AWS Secrets Manager) - Non-root containers 3. **Resource Limits**: ```yaml resources: requests: cpu: 500m memory: 512Mi limits: cpu: 2000m memory: 2Gi ``` 4. **Health Checks**: ```yaml livenessProbe: httpGet: path: /health/live port: 3001 initialDelaySeconds: 30 periodSeconds: 10 readinessProbe: httpGet: path: /health/ready port: 3001 initialDelaySeconds: 10 periodSeconds: 5 ``` 5. **Horizontal Pod Autoscaling**: ```yaml minReplicas: 3 maxReplicas: 10 targetCPUUtilizationPercentage: 70 ``` --- ## Next Steps - **User Guides**: See [GETTING-STARTED.md](./guides/01-GETTING-STARTED.md) for setup instructions - **API Reference**: See [API_REFERENCE.md](./API_REFERENCE.md) for complete endpoint documentation - **Security Model**: See [SECURITY-MODEL.md](./concepts/SECURITY-MODEL.md) for security details - **Data Model**: See [DATA-MODEL.md](./concepts/DATA-MODEL.md) for database schema - **Deployment**: See [DEPLOYMENT-GUIDE.md](./deployment/DEPLOYMENT-GUIDE.md) for deployment instructions --- ## References - **Security Skill**: [.cursor/skills/security/SKILL.md](../../../.cursor/skills/security/SKILL.md) - **IAM Proposal**: [docs/en/architecture/iam-proposal.md](../../../docs/en/architecture/iam-proposal.md) - **Migration Guide**: [docs/en/guides/iam-migration.md](../../../docs/en/guides/iam-migration.md) - **Prisma Schema**: [prisma/schema.prisma](../prisma/schema.prisma) - **Routes Definition**: [src/routes/index.ts](../src/routes/index.ts) --- **Last Updated**: January 2026 **Version**: 1.0.0 **Status**: Production Ready