Every capability you need for enterprise-grade CIAM — in a single, self-hosted Spring Boot service.
Built on Spring Authorization Server — the officially maintained OAuth2/OIDC implementation for the JVM. Fully compliant with the latest RFCs.
```bash
curl -X POST https://acme.auth.platform.com/oauth2/token \
  -d grant_type=authorization_code \
  -d code=SplxlOBeZQQYbYS6WxSbIA \
  -d code_verifier=dBjftJeZ4CVP... \
  -d redirect_uri=https://app.example.com/cb \
  -u client_id:client_secret
```

Response:

```json
{
  "access_token": "eyJhbGciOiJSUzI1...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "id_token": "eyJhbGciOiJSUzI1..."
}
```
Per-tenant MFA policy — transparent to the OAuth2 client application.
RFC 6238. Works with Google Authenticator, Authy, 1Password. ±1 step tolerance. Pure Java HmacSHA1.
FIDO2 / WebAuthn. Biometric & hardware key support. Phishing-resistant by design.
Time-limited codes via a configurable notification provider. HMAC-SHA256 signed OTPs.
Pluggable SMS provider. 6-digit codes with 10-minute expiry and replay protection.
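The RFC 6238 TOTP check described above (HMAC-SHA1, ±1 step tolerance), as an added illustration that is not the product's own code. It uses the RFC 6238 reference secret and adds the replay guard a verifier needs so that a code accepted from one step cannot be reused inside the tolerance window; `last_step` is an assumed per-user value the service would persist.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_step: int,
                step: int = 30, tolerance: int = 1, digits: int = 6) -> Optional[int]:
    """Accept a code from the current step or any of +-`tolerance` neighbouring steps.

    Returns the matched step number (persist it as the user's new `last_step`)
    or None. Steps at or before `last_step` are refused, so a code that was
    already accepted cannot be replayed inside the tolerance window.
    """
    current = unix_time // step
    for delta in range(-tolerance, tolerance + 1):
        candidate = current + delta
        if candidate <= last_step:
            continue  # already consumed (replay): skip without comparing
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


# RFC 6238 reference secret (ASCII "12345678901234567890"); demo value only.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))                                   # 287082
    print(verify_totp(RFC_SECRET, "287082", 89, last_step=-1))    # 1 (accepted from the previous step)
    print(verify_totp(RFC_SECRET, "287082", 59, last_step=1))     # None (replay refused)
```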
Each tenant has its own users, applications, OAuth2 clients, signing keys, MFA policy, and org hierarchy. PostgreSQL Row-Level Security enforces isolation at the DB layer.
Tenant selection: `acme.auth.platform.com` (subdomain) or `X-Tenant-ID` (header). Sample token claims:

```json
{
  "iss": "https://auth.platform.com/acme",
  "sub": "user_01HX...",
  "tenant_id": "acme",
  "org_id": "org_engineering",
  "app_id": "app_dashboard",
  "roles": ["admin", "developer"],
  "permissions": [
    "users:read",
    "users:write"
  ],
  "email": "alice@acme.com",
  "given_name": "Alice",
  "family_name": "Smith"
}
```
Act as SAML IdP or connect to Okta, Azure AD, Google Workspace via metadata import with JIT user provisioning.
Federate with any upstream OpenID Connect provider. Map external claims to local tenant roles automatically.
Automated user provisioning and deprovisioning from Azure AD, Okta, Google. Lifecycle events via Kafka.
Argon2id as the primary password hashing algorithm. Legacy bcrypt support for migration with auto-upgrade on next login.
5 failed attempts / 15-min window. 30-min lockout. Redis-backed — survives restarts and horizontal scaling.
Checks against known breach databases using k-Anonymity. Rejects compromised credentials at registration and reset.
Configurable per-tenant banned-word lists block weak, company-specific, and contextual passwords.
Per-request risk scoring evaluates device fingerprint, IP reputation, geo-velocity, and behavioural signals.
PostgreSQL RLS enforces tenant isolation at the database level — a query without a tenant filter returns zero rows.
Hierarchical org units. Assign apps, roles, and permissions at org level. Supports enterprise B2B2C.
Users can belong to multiple orgs with different roles in each. Full membership APIs.
Per-tenant email and SMS providers. Bring your own SMTP, Mailgun, Twilio, or SendGrid.
Project Loom — tens of thousands of concurrent auth requests on commodity hardware.
Idempotent JSON events for all auth lifecycle events. Zero-message-loss delivery.
Single Docker image, configurable via env vars. Helm chart for Kubernetes with HPA support.
| Feature | Community | Starter | Enterprise |
|---|---|---|---|
| Authentication | | | |
| OAuth2 / OIDC (all flows) | ✓ | ✓ | ✓ |
| PKCE & refresh token rotation | ✓ | ✓ | ✓ |
| MFA | | | |
| TOTP (RFC 6238) | ✓ | ✓ | ✓ |
| Email & SMS OTP | – | ✓ | ✓ |
| WebAuthn Passkeys | – | ✓ | ✓ |
| Multi-Tenancy | | | |
| Number of tenants | Up to 3 | Up to 25 | Unlimited |
| Per-tenant JWT signing keys | ✓ | ✓ | ✓ |
| PostgreSQL RLS isolation | ✓ | ✓ | ✓ |
| Federation | | | |
| SAML 2.0 (IdP + SP) | – | ✓ | ✓ |
| OIDC Federation | – | ✓ | ✓ |
| SCIM 2.0 Provisioning | – | – | ✓ |
| Security | | | |
| Argon2id + bcrypt migration | ✓ | ✓ | ✓ |
| Rate limiting + lockout | ✓ | ✓ | ✓ |
| Breached password detection | – | ✓ | ✓ |
| Risk evaluation | – | – | ✓ |
Everything you need to ship secure identity — with full source code, no vendor lock-in.