Security

Security at every layer

Idenplane implements defense-in-depth security — from password hashing with Argon2id to encrypted webhooks with AES-256-GCM. Every decision follows NIST and OWASP best practices.

Authentication Protocols

OAuth 2.0 + PKCE

RFC 7636 Proof Key for Code Exchange on all public clients

OpenID Connect 1.0

ID tokens, UserInfo, Discovery, Backchannel Logout

SAML 2.0

IdP and SP modes with signed assertions and encrypted attributes

Device Authorization

RFC 8628 for input-constrained devices (smart TVs, CLI tools)

Credential Security

Argon2id Hashing

NIST-recommended password hashing — resistant to GPU and ASIC attacks

Password Policies

Configurable complexity, history, expiration, and minimum length

WebAuthn / FIDO2

Passwordless with hardware keys and biometrics (Face ID, fingerprint)

TOTP + Recovery Codes

Time-based OTP with Google Authenticator, plus backup recovery codes

Token Security

RS256 JWT Signing

RSA-based signing with automatic key rotation via JWKS endpoint

JWE Token Encryption

Optional encryption for sensitive claims in access and ID tokens

Short-Lived Tokens

Configurable expiration with secure refresh token rotation

Token Revocation

Revoke individual tokens or all sessions for a user

Infrastructure Protection

Helmet.js Headers

CSP, HSTS, X-Frame-Options, X-Content-Type-Options, and more

Rate Limiting

Global + per-realm + per-user + per-IP configurable throttling

CORS Validation

Dynamic CORS from database — only allowed origins can make requests

TLS / HTTPS

Full HTTPS enforcement in production with secure cookie flags

Access Control

Role-Based Access Control

Realm-level and client-level roles with group inheritance

Step-Up Authentication

Require stronger auth (ACR levels) for sensitive operations

Brute Force Protection

Automatic account lockout after N failed attempts (configurable)

Session Management

Max sessions per user, forced logout, and session timeouts

Compliance & Audit

Login Event Logging

Every login attempt logged with IP, user agent, geo, and outcome

Admin Action Audit Trail

Who changed what, when, with full diff for configuration changes

Impersonation Tracking

Admin impersonation logged with both admin and target user details

Webhook Encryption

AES-256-GCM encrypted secrets for webhook payload signing

Compliance

Built on open standards

Idenplane follows established security standards and specifications — no proprietary lock-in.

OWASP Top 10

Addresses all OWASP authentication and session management risks

NIST 800-63

Follows NIST Digital Identity Guidelines for authentication assurance

RFC 6749/6750

Full OAuth 2.0 specification compliance with bearer tokens

RFC 7636

PKCE mandatory for all public client flows

OpenID Connect Core

Certified OIDC flows with discovery and session management

OASIS SAML 2.0

Standard-compliant SAML assertions and metadata exchange

Defaults

The numbers we ship

These are the out-of-the-box defaults. Every value is configurable per realm or environment.

Password hashing — Argon2id

Algorithm: argon2id
Memory cost: 64 MiB (65536 KiB)
Time cost (iterations): 3
Parallelism: 4 lanes
Salt: 16 random bytes

Above OWASP minimum (19 MiB / 2 iterations) on the memory axis. Tune per host.

JWT signing & rotation

Algorithm: RS256 (RSA 2048)
Access token TTL: 5 min
Refresh token TTL: 30 days, rotating
Key rotation: 90 days, auto
JWKS overlap: 24 h

Previous keys remain in /jwks.json for 24 h after rotation so in-flight tokens validate.

Rate limits (default per IP)

/auth/login: 10 / min
/auth/register: 5 / min
/oauth/token: 60 / min
All other endpoints: 300 / min
Lockout threshold: 5 fails / 15 min

Per-realm overrides supported. Lockouts unlock automatically after the window.

Sessions & cookies

SSO session idle: 30 min
SSO session max: 10 h
Cookie flags: Secure; HttpOnly; SameSite=Lax
CSRF: double-submit token
HSTS: max-age=63072000; includeSubDomains

HSTS only sent when the request arrives over HTTPS. Cookie SameSite upgrades to None for cross-site SSO flows that need it.

Threat model

What we defend against

Honest scope: what's in the threat model, what isn't, and where the boundary sits.

In scope

  • Credential stuffing, brute-force, and password-spraying attacks.
  • OAuth/OIDC protocol misuse — open redirects, missing PKCE, mixed-up clients.
  • Session fixation, CSRF on auth flows, token theft via XSS in our own surfaces.
  • Privilege escalation across realms, organizations, and roles.
  • Webhook payload spoofing (HMAC-signed, AES-256-GCM encrypted secrets at rest).
  • SAML assertion replay, signature stripping, XML signature wrapping.

Out of scope (your responsibility)

  • Compromised host, container escape, or root-on-the-VM scenarios.
  • Network-level DoS — terminate at your CDN or LB.
  • Stolen admin credentials with MFA disabled.
  • Third-party identity-provider compromise (Google, GitHub, Azure AD, etc.).
  • Social engineering of your support / on-call team.
  • Custom plugin code you author — runs with full server privileges.

Responsible disclosure

Report it privately first — we'll credit you publicly after the fix ships.

  1. Email [email protected] or open a private advisory at github.com/idenplane/idenplane/security/advisories/new.
  2. Include a proof-of-concept, affected version, and impact assessment.
  3. We acknowledge within 72 hours and aim to ship a fix within 90 days.
  4. Coordinate disclosure timing with us — public CVE filed once a patched release is available.
  5. Do not test against systems you don't own or have written authorization for.

Ready to secure your stack?

Deploy Idenplane locally in 30 seconds, then walk through the production checklist.