Architecture patterns in Authentication
Patterns for OIDC, token flows and System User in Altinn Authentication.
Authentication combines identity protocol endpoints with System User workflows. Security-critical state is stored behind repository boundaries.
OIDC as a protocol state machine
Login, authorisation code, token, session and logout are separate steps with short-lived state.
Benefits: Standard steps and explicit validation points.
Drawbacks: Many dependent steps complicate troubleshooting; redirect or state errors can become vulnerabilities.
Code examples
Token issuance behind a service boundary
Controllers delegate token creation and signing to services and certificate providers.
Benefits: Cryptography and key handling are centralised.
Drawbacks: Incorrect lifetime, audience or key selection affects every consumer.
Code examples
Request and approval workflows
System User separates registered systems, requests, changes and completed system users.
Benefits: Approval is auditable and state is explicit.
Drawbacks: Transitions must resist invalid and repeated operations.
Code examples