Security is a critical aspect of the Authority authentication system. Authority implements multiple layers of security to protect your users and applications.
```mermaid
graph TB
subgraph "Authentication Layer"
MFA[Multi-Factor Auth]
PWD[Password Policies]
LOCK[Account Lockout]
end
subgraph "Token Security"
JWT[JWT Signing]
ROT[Token Rotation]
REV[Token Revocation]
INT[Token Introspection]
end
subgraph "Session Security"
SESS[Session Management]
IDLE[Idle Timeout]
ABS[Absolute Timeout]
end
subgraph "Audit & Monitoring"
AUDIT[Audit Logging]
RATE[Rate Limiting]
IP[IP Allowlisting]
end
MFA --> JWT
PWD --> SESS
LOCK --> AUDIT
ROT --> REV
```
Authority supports TOTP-based (RFC 6238) two-factor authentication using apps like Google Authenticator, Authy, or 1Password.
```mermaid
sequenceDiagram
participant U as User
participant A as Authority
participant APP as Authenticator App
Note over U,A: Setup Phase
U->>A: Enable MFA
A->>A: Generate TOTP Secret
A->>U: Display QR Code
U->>APP: Scan QR Code
APP->>U: Show 6-digit code
U->>A: Enter verification code
A->>A: Validate TOTP
A->>U: MFA Enabled + Backup Codes
Note over U,A: Login Phase
U->>A: Login with credentials
A->>U: Request TOTP code
U->>APP: Get current code
U->>A: Enter TOTP code
A->>A: Validate TOTP
A->>U: Login successful
```
When MFA is enabled, Authority generates one-time backup codes that can be used if the user loses access to their authenticator app.
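The setup and login phases above, worked through in code. This is an added example and not Authority's implementation: it shows the HOTP/TOTP computation an authenticator app and the server both perform, a verification routine that tolerates one step of clock drift while refusing to accept the same counter twice (so a code captured in transit cannot be replayed within its 30-second window), and single-use backup codes that are stored only as hashes. The otpauth:// label format and the 40-bit backup-code size are assumptions, not values the page specifies; the test secret is the RFC 6238 reference secret, not a real key.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import List, Optional, Set, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, at // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str = "Authority") -> str:
    """Contents of the QR code shown at setup; authenticator apps parse this otpauth:// form.
    The label layout follows the Google Authenticator convention (assumed, not page-specified)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            "&algorithm=SHA1&digits=6&period=30")


def verify_totp(secret: bytes, code: str, at: int,
                last_counter: Optional[int] = None, window: int = 1) -> Optional[int]:
    """Accept the code for the current step or +/- `window` steps of clock drift.
    Returns the matched counter, which the caller must persist as the new last_counter:
    rejecting counters <= last_counter stops a sniffed code being replayed within its window."""
    current = at // 30
    for candidate in range(current - window, current + window + 1):
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None


def generate_backup_codes(n: int = 8) -> Tuple[List[str], Set[str]]:
    """Return (plaintext codes to show once, SHA-256 digests to store).
    A plain hash is adequate because the codes are 40-bit random strings, not user-chosen."""
    plain = [secrets.token_hex(5) for _ in range(n)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in plain}
    return plain, stored


def use_backup_code(stored: Set[str], code: str) -> bool:
    """Consume a backup code: constant-time compare against every stored digest, delete on match."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    for h in list(stored):
        if hmac.compare_digest(h, digest):
            stored.remove(h)
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (constructed input, not an Authority key).
    secret = b"12345678901234567890"
    print(provisioning_uri(secret, "user@example.com"))
    print(totp(secret, 59))
```

The TOTP secret must be generated with a CSPRNG (20 random bytes for SHA-1) and stored encrypted at rest; the verification step and the lockout counter should both apply to TOTP entry, since a six-digit code has only a million possibilities and an unthrottled verifier can be brute-forced inside the drift window.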
Protect against brute-force attacks with configurable account lockout:
| Setting | Default | Description |
|---|---|---|
| LOCKOUT_THRESHOLD | 5 | Failed attempts before lockout |
| LOCKOUT_DURATION | 30 | Minutes until auto-unlock |
| ENABLE_AUTO_UNLOCK | true | Automatically unlock after duration |
```mermaid
stateDiagram-v2
[*] --> Active
Active --> Warning: Failed Login (< threshold)
Warning --> Active: Successful Login
Warning --> Locked: Failed Login (>= threshold)
Locked --> Active: Auto-unlock / Admin unlock
Locked --> Locked: Login attempt (reset timer)
```
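The lockout state machine implemented with the three settings from the table. This is an added example, not Authority's code; it uses the page's defaults, lazily expires the lock on the next attempt instead of running a timer, restarts the lock timer on every attempt while locked (the Locked --> Locked edge), and emits the user.login, user.login_failed, user.locked and user.unlocked audit events the page lists. The audit log shape and the return-value strings are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Page defaults: 5 attempts, 30 minutes, auto-unlock on.
LOCKOUT_THRESHOLD = 5
LOCKOUT_DURATION = 30 * 60      # the setting is in minutes; kept in seconds here
ENABLE_AUTO_UNLOCK = True

AuditLog = List[Tuple[str, str]]   # (event name from the audit table, detail) - assumed shape


@dataclass
class AccountState:
    failed_attempts: int = 0           # Active when 0, Warning when 1..threshold-1
    locked_at: Optional[float] = None  # set => Locked


def is_locked(acct: AccountState, now: float) -> bool:
    """Expire the lock lazily on read rather than with a timer per account."""
    if acct.locked_at is None:
        return False
    if ENABLE_AUTO_UNLOCK and now - acct.locked_at >= LOCKOUT_DURATION:
        acct.locked_at = None
        acct.failed_attempts = 0
        return False
    return True


def record_attempt(acct: AccountState, password_ok: bool, now: float, audit: AuditLog) -> str:
    """Drive the state machine with one login attempt. Returns 'ok', 'rejected' or 'locked'.
    A correct password is still refused while locked, and the lock timer restarts on every
    attempt, as the state diagram's Locked --> Locked edge describes."""
    if is_locked(acct, now):
        acct.locked_at = now
        audit.append(("user.login_failed", "account locked"))
        return "locked"
    if password_ok:
        acct.failed_attempts = 0
        audit.append(("user.login", ""))
        return "ok"
    acct.failed_attempts += 1
    audit.append(("user.login_failed", f"attempt {acct.failed_attempts}"))
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        acct.locked_at = now
        audit.append(("user.locked", ""))
        return "locked"
    return "rejected"


def admin_unlock(acct: AccountState, audit: AuditLog) -> None:
    acct.locked_at = None
    acct.failed_attempts = 0
    audit.append(("user.unlocked", "by admin"))
```

Two points the diagram does not show: the login handler should return the same generic error for "wrong password" and "locked" so an attacker cannot enumerate locked (hence existing) accounts, and the read-increment-write on the counter must be atomic in whatever store backs it, or concurrent attempts slip past the threshold. Lockout also gives an attacker a cheap way to lock out a victim, so it belongs alongside the per-IP rate limiting in the architecture diagram rather than in place of it.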
Enforce strong password requirements:
| Setting | Default | Description |
|---|---|---|
| PASSWORD_MIN_LENGTH | 12 | Minimum password length |
| PASSWORD_HISTORY_COUNT | 5 | Prevent reuse of recent passwords |
| PASSWORD_EXPIRY_DAYS | 0 | Days until password expires (0 = never) |
| REQUIRE_UPPERCASE | true | Require uppercase letters |
| REQUIRE_LOWERCASE | true | Require lowercase letters |
| REQUIRE_NUMBERS | true | Require numeric digits |
| REQUIRE_SPECIAL | false | Require special characters |
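A validator for these settings, added here as an illustration and not taken from Authority. The part worth seeing is the history check: the last PASSWORD_HISTORY_COUNT passwords can only be kept as salted hashes, so the candidate must be re-derived with each stored entry's own salt and compared in constant time. PBKDF2-HMAC-SHA256 stands in for whatever hasher the project actually uses; the POLICY dict mirrors the table's defaults.

```python
import hashlib
import hmac
import os
import re
from typing import List, Tuple

# Defaults from the table above (expiry omitted: 0 means never).
POLICY = {"min_length": 12, "history_count": 5, "require_uppercase": True,
          "require_lowercase": True, "require_numbers": True, "require_special": False}

HistoryEntry = Tuple[bytes, bytes]   # (salt, digest)


def check_complexity(password: str, policy: dict = POLICY) -> List[str]:
    """Return every policy violation; an empty list means the password passes."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    rules = [("require_uppercase", r"[A-Z]", "no uppercase letter"),
             ("require_lowercase", r"[a-z]", "no lowercase letter"),
             ("require_numbers", r"[0-9]", "no digit"),
             ("require_special", r"[^A-Za-z0-9]", "no special character")]
    for key, pattern, message in rules:
        if policy[key] and not re.search(pattern, password):
            problems.append(message)
    return problems


def hash_password(password: str, salt: bytes = None) -> HistoryEntry:
    """PBKDF2-HMAC-SHA256 with a 16-byte random salt; a stand-in for the real hasher."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def in_history(password: str, history: List[HistoryEntry]) -> bool:
    """Each old entry has its own salt, so the candidate is re-hashed once per entry."""
    for salt, digest in history:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False


def set_password(new_password: str, history: List[HistoryEntry], policy: dict = POLICY) -> List[str]:
    """Apply the policy and, on success, append the new hash to the user's history."""
    problems = check_complexity(new_password, policy)
    if in_history(new_password, history[-policy["history_count"]:]):
        problems.append("matches one of the recent passwords")
    if problems:
        return problems
    history.append(hash_password(new_password))
    return []
```

Checking the history costs one full hash computation per stored entry, which is the point: a fast hash here would make the stored history a cheap offline oracle for old passwords.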
Authority uses RS256 (RSA + SHA-256) for signing JWTs. Anything that verifies these tokens must check the signature against the public half of Authority's signing key and accept only tokens whose `alg` header is RS256; a verifier that lets the token pick the algorithm is exposed to algorithm-confusion attacks.
Default token lifetimes:
- Access Tokens: Short-lived (default: 1 hour)
- Refresh Tokens: Long-lived (default: 30 days)
- Authorization Codes: Very short-lived (default: 10 minutes)
Refresh token rotation is enabled by default. When a refresh token is used:
- A new access token is issued
- A new refresh token is issued
- The old refresh token is invalidated
This limits the damage if a refresh token is compromised.
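Rotation as a small server-side store, added as an example rather than Authority's own code. Beyond the three steps the page lists it adds one thing worth having: every refresh token issued from one login belongs to a family, and presenting a token that has already been rotated revokes the whole family, because at that moment either the real client or a thief holds a stale copy and the server cannot tell which. Only digests of tokens are stored; the access token is a claims dict standing in for the page's RS256 JWT. Family tracking, the digest store and the TTL constants are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ACCESS_TTL = 3600            # page default: 1 hour
REFRESH_TTL = 30 * 86400     # page default: 30 days


@dataclass
class RefreshRecord:
    user: str
    family: str          # every token descending from one login shares a family id
    expires_at: float
    used: bool = False   # set on rotation; a second presentation is a replay


class TokenStore:
    """Refresh-token bookkeeping. Tokens are stored as SHA-256 digests, so a dump
    of this store does not yield usable credentials."""

    def __init__(self) -> None:
        self.refresh: Dict[str, RefreshRecord] = {}
        self.revoked_families: Set[str] = set()

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, now: float, family: Optional[str] = None) -> Tuple[dict, str]:
        family = family or secrets.token_hex(8)
        refresh = secrets.token_urlsafe(32)
        self.refresh[self._key(refresh)] = RefreshRecord(user, family, now + REFRESH_TTL)
        access = {"sub": user, "exp": now + ACCESS_TTL}   # stands in for the signed JWT
        return access, refresh

    def rotate(self, refresh: str, now: float) -> Optional[Tuple[dict, str]]:
        """Exchange a refresh token for a new pair. None means the client must log in again."""
        rec = self.refresh.get(self._key(refresh))
        if rec is None or rec.family in self.revoked_families or now >= rec.expires_at:
            return None
        if rec.used:
            # Reuse of a rotated token: kill the family so both holders are signed out.
            self.revoked_families.add(rec.family)
            return None
        rec.used = True
        return self.issue(rec.user, now, rec.family)

    def revoke(self, refresh: str) -> bool:
        """RFC 7009 semantics: revoking an unknown or already-dead token still succeeds."""
        rec = self.refresh.get(self._key(refresh))
        if rec is not None:
            self.revoked_families.add(rec.family)
        return True
```

One consequence for clients: a refresh call that times out after the server rotated the token leaves the client holding a token that is now `used`, so the client should persist the new pair before acknowledging and treat a None from `rotate` as "re-authenticate", not "retry".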
Revoke tokens when:
- User logs out
- User changes password
- Admin revokes user session
- Suspicious activity detected
```http
POST /token/revoke
Content-Type: application/x-www-form-urlencoded

token=REFRESH_TOKEN&token_type_hint=refresh_token
```
Validate tokens server-side:
```http
POST /token/introspect
Content-Type: application/x-www-form-urlencoded

token=ACCESS_TOKEN&token_type_hint=access_token
```
Response:
```json
{
  "active": true,
  "client_id": "my-client",
  "username": "user@example.com",
  "scope": "read write",
  "exp": 1699999999
}
```
| Setting | Default | Description |
|---|---|---|
| SESSION_DURATION_DAYS | 7 | Maximum session lifetime |
| IDLE_TIMEOUT_MINUTES | 30 | Timeout after inactivity |
| SINGLE_SESSION | false | Allow only one active session |
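How a resource server should consume the /token/introspect response shown above, as an added example rather than Authority's or any client library's code. It builds the request and then makes the authorization decision from the response fields alone: `active` must be exactly true, `exp` is re-checked against the local clock, the token may be required to belong to a specific client, and every required scope must appear in the space-separated `scope` value. The page does not say how the resource server authenticates to the introspection endpoint; HTTP Basic with the resource server's own client credentials is assumed here, and the sample response in the test is the one from the page.

```python
import base64
import json
from typing import Sequence, Tuple
from urllib.parse import urlencode


def build_introspection_request(base_url: str, token: str, client_id: str,
                                client_secret: str, hint: str = "access_token") -> Tuple[str, dict, str]:
    """Return (url, headers, body) for POST /token/introspect. Client auth is assumed."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"token": token, "token_type_hint": hint})
    return f"{base_url}/token/introspect", headers, body


def authorize(introspection_json: str, required_scopes: Sequence[str], now: float,
              expected_client: str = None) -> Tuple[bool, str]:
    """Decide from an introspection response whether the request may proceed.
    Returns (allowed, username-or-reason)."""
    try:
        resp = json.loads(introspection_json)
    except ValueError:
        return False, "malformed response"
    if resp.get("active") is not True:            # not truthy: "true" or 1 must not pass
        return False, "token inactive"
    exp = resp.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "token expired"             # belt and braces; an expired token should be inactive already
    if expected_client and resp.get("client_id") != expected_client:
        return False, "token issued to a different client"
    granted = set(resp.get("scope", "").split())
    missing = set(required_scopes) - granted
    if missing:
        return False, "missing scope: " + " ".join(sorted(missing))
    return True, resp.get("username", "")
```

Introspection is what makes revocation effective for an access token that is otherwise valid until `exp`, so if the resource server caches positive answers, the cache lifetime bounds how long a revoked token keeps working; keep it short and never cache past `exp`.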
Users can view and revoke their active sessions from the profile page. Each session tracks:
- Device information (browser, OS)
- IP address
- Last activity time
- Login time
All security-relevant actions are logged:
| Event | Description |
|---|---|
| user.login | Successful login |
| user.login_failed | Failed login attempt |
| user.logout | User logout |
| user.created | New user registration |
| user.updated | Profile update |
| user.locked | Account locked |
| user.unlocked | Account unlocked |
| mfa.enabled | MFA enabled |
| mfa.disabled | MFA disabled |
| token.revoked | Token revocation |
| client.created | OAuth client created |
| client.updated | OAuth client updated |
| client.deleted | OAuth client deleted |
Each log entry includes:
- Timestamp
- Actor (user or system)
- Action type
- Resource type and ID
- IP address
- User agent
- Changes made (for updates)
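A detection the audit events make possible, as an added example not drawn from Authority: password spraying, where one source IP tries a common password against many accounts. Per-account lockout never trips on it (one or two failures per account), so it has to be spotted across accounts from user.login_failed events. The sample lines are constructed; the page lists timestamp, actor, action type and IP address as fields of each entry, but the JSON field names used here are assumptions.

```python
import json
from collections import defaultdict, deque
from typing import Dict, List, Tuple

# Constructed sample audit events (field names assumed).
SAMPLE_LOG = """
{"ts": 1700000000, "actor": "alice", "action": "user.login_failed", "ip": "203.0.113.7"}
{"ts": 1700000010, "actor": "bob", "action": "user.login_failed", "ip": "203.0.113.7"}
{"ts": 1700000020, "actor": "carol", "action": "user.login_failed", "ip": "203.0.113.7"}
{"ts": 1700000030, "actor": "dave", "action": "user.login", "ip": "203.0.113.7"}
{"ts": 1700000040, "actor": "eve", "action": "user.login_failed", "ip": "198.51.100.5"}
{"ts": 1700000045, "actor": "eve", "action": "user.login_failed", "ip": "198.51.100.5"}
{"ts": 1700000050, "actor": "eve", "action": "user.login", "ip": "198.51.100.5"}
""".strip().splitlines()


def parse(lines: List[str]) -> List[dict]:
    return [json.loads(line) for line in lines if line.strip()]


def detect_spray(lines: List[str], window: int = 300, max_accounts: int = 3) -> Dict[str, List[str]]:
    """Flag IPs whose failed logins touch >= max_accounts distinct accounts within `window` seconds.
    Returns {ip: sorted account names}. Events are assumed to arrive in time order."""
    recent = defaultdict(deque)   # ip -> deque of (ts, actor) for failures inside the window
    flagged: Dict[str, List[str]] = {}
    for ev in parse(lines):
        if ev["action"] != "user.login_failed":
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["actor"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        accounts = {actor for _, actor in q}
        if len(accounts) >= max_accounts:
            flagged[ev["ip"]] = sorted(accounts)
    return flagged


def logins_from_flagged_ips(lines: List[str], flagged: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Successful logins from a spraying IP: the sessions to revoke and the users to contact first."""
    return [(ev["actor"], ev["ip"]) for ev in parse(lines)
            if ev["action"] == "user.login" and ev["ip"] in flagged]
```

The second function is the response half: a user.login from an IP that was spraying a minute earlier is the strongest signal in this log that a guess succeeded, and the admin session-revocation described earlier is the matching action. Eve's two failures followed by a login from a different IP are the ordinary forgot-my-password pattern and are correctly left alone.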
PKCE (RFC 7636) protects the authorization code flow against code interception: a stolen authorization code is useless without the code_verifier, which never leaves the client that started the flow.
```mermaid
sequenceDiagram
participant C as Client
participant A as Authority
C->>C: Generate code_verifier (random, 43-128 chars)
C->>C: code_challenge = BASE64URL(SHA256(code_verifier))
C->>A: /authorize + code_challenge + code_challenge_method=S256
A->>C: Authorization code
C->>A: /token + code + code_verifier
A->>A: Verify BASE64URL(SHA256(code_verifier)) == code_challenge
A->>C: Access token
```
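Both halves of the exchange in code, as an added example and not Authority's implementation: the client generates the verifier and challenge and builds the /authorize URL, and the server side recomputes the challenge at /token. The server routine refuses the `plain` method outright (an attacker who saw the challenge would then already hold the verifier) and rejects verifiers outside the RFC 7636 length and alphabet before comparing in constant time. The `state` parameter and the example client, redirect URI and scope values are assumptions; the test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
import string
from urllib.parse import urlencode

UNRESERVED = set(string.ascii_letters + string.digits + "-._~")   # RFC 7636 verifier alphabet


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires for both verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """32 random bytes encode to 43 characters, the RFC minimum. One verifier per authorization request."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorize_url(base: str, client_id: str, redirect_uri: str, scope: str,
                  state: str, verifier: str) -> str:
    """Client side: the URL the browser is sent to. `state` ties the callback to this session."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": state,
              "code_challenge": make_challenge(verifier), "code_challenge_method": "S256"}
    return f"{base}/authorize?{urlencode(params)}"


def server_verify(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Authority side at /token: recompute the challenge from the presented verifier and
    compare it with the one recorded at /authorize."""
    if stored_method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128 or not set(presented_verifier) <= UNRESERVED:
        return False
    return hmac.compare_digest(make_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    v = make_verifier()
    print(authorize_url("https://auth.example.com", "spa-client",
                        "https://app.example.com/callback", "read", "s3cr3t-state", v))
    print(server_verify(make_challenge(v), "S256", v))
```

The verifier has to be kept with the pending request on the client (session storage for a SPA, process memory for a native app) and discarded after the single /token call; the server stores the challenge and method with the authorization code and must also bind the code to the client_id and redirect_uri it was issued for.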
- Always use HTTPS - Never expose Authority over plain HTTP
- Use strong secrets - Generate a cryptographically secure SECRET_KEY_BASE
- Limit token lifetimes - Use short-lived access tokens
- Enable MFA - Require MFA for admin accounts
- Monitor audit logs - Review logs regularly for suspicious activity
- Use confidential clients when possible (server-side apps)
- Always use PKCE for public clients (mobile, SPA)
- Validate redirect URIs - Register exact URIs, avoid wildcards
- Request minimal scopes - Only request what you need
- Never expose tokens in URLs or logs
- Store securely - Use secure storage (Keychain, encrypted storage)
- Validate tokens server-side when in doubt
- Handle revocation - Call /token/revoke and clear stored tokens on logout