Identity & Security
The VENI-AI platform uses a hybrid identity architecture: multi-provider OIDC authentication establishes who the caller is, and Casbin-based Role-Based Access Control (RBAC) decides what that caller may do.
1. Authentication (OIDC)
The Shell API acts as the central identity hub. It supports local accounts (passwords stored as bcrypt hashes) as well as external OIDC providers such as Keycloak and Google.
RS256 & JWKS
All JWTs issued by the Shell are signed with RS256 (RSASSA-PKCS1-v1_5 over SHA-256) using an RSA private key; there is no HMAC secret anywhere in the flow.
- Private key: `APP_ENV_JWT_PRIVATE_KEY`
- Public JWKS: exposed at `/api/.well-known/jwks.json`
SATELLITE VERIFICATION
Satellite apps (Drive, HRM, etc.) do NOT share a secret with the Shell. They fetch the Shell's public keys from the JWKS endpoint and verify token signatures autonomously. A satellite should pin the accepted algorithm to RS256 and select the key by the token's `kid` rather than trusting whatever `alg` the token header declares, and it should refresh its cached JWKS when it sees an unknown `kid` so that key rotation does not require a redeploy.
Auth Flow
2. Authorization (Casbin)
Authorization is enforced with Casbin, an access control library that evaluates each request against a configurable model (ACL, RBAC, ABAC) and a policy store.
Matcher Logic
We use a standard RBAC model with domain support: `m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && keyMatch(r.act, p.act)`. Note that this matcher line carries no domain term; in Casbin it is the domain-aware grouping and comparison (`g(r.sub, p.sub, r.dom) && r.dom == p.dom && ...`) that ties a role assignment to a particular `organizationId`. If the deployed model really omits it, tenant isolation rests entirely on how objects are named and should be verified there.
Hierarchy
- System Admin: assigned the `system-admin` role globally (no `organizationId`). Grants access across all tenants via the `*` wildcard.
- Organization Admin: assigned the `org-admin` role scoped to an `organizationId`. Grants access to all resources within that tenant.
- Member: granular permissions (e.g. `drive:files:read`) within an organization.
3. Security Hardening
Token Blacklisting
When a user logs out, the SHA-256 hash of their JWT is stored in Redis with a TTL equal to the token's remaining lifetime, so the entry disappears exactly when the token would have expired anyway. Every authenticated request checks `CacheService.exists(blacklistKey)` before the token is accepted. Hashing keeps raw bearer tokens out of the cache, and because the check is a per-request round trip to Redis, the cache must be treated as part of the authentication path: a cache outage has to fail closed for this check, or revoked tokens become valid again.
Policy Caching
Loading Casbin policies from the database on every request is expensive. The CasbinAdapter therefore caches the compiled policy lines in Redis with a 5-minute TTL, and the cache is invalidated on any permission change. Note that a Casbin enforcer also holds its loaded policy in process memory, so in a multi-instance deployment the invalidation must trigger a policy reload on every running instance; otherwise a revoked permission stays effective on instances that have not reloaded yet.
Rate Limiting
Strict rate limits are applied to sensitive endpoints:
- Login/Register: 10 requests / minute.
- Token Refresh: 5 requests / minute.