Identity & Access
Responsibility
Authentication (AuthN) and Authorization (AuthZ) for all service contexts, exposed to the other domains through an Anti-Corruption Layer (ACL). This shared domain provides a unified identity layer backed by Keycloak, serving workers, admins, and all backend services.
Key Entities
- User Profiles (with system ID mappings for Angelis, Safer, Fit2000, CheckingMate)
- Internal User Profiles
- Roles and Permissions
- OTP (One-Time Passwords)
- Access Tokens and Refresh Tokens
Tech Stack
- Flask (Python) — CIAM service framework
- python-keycloak — Keycloak client library
- PostgreSQL — profile information, system ID mappings, role assignments, OTP records
- bcrypt — password hashing
- AES encryption — application-layer encryption of password payloads in transit (this supplements TLS on the connection; it does not replace it)
- PyJWT — token handling
Keycloak Integration:
- Separate realms/clients for workers and admins
- Token introspection and validation
- User creation and management in Keycloak
- Failed login attempt tracking
- Last login tracking
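The Tech Stack and Keycloak Integration lists above name OTP records and failed-attempt tracking but not the behaviour behind them. The following is an added example, not the project's code: an OTP store that issues six-digit codes from a CSPRNG, persists only a keyed hash, enforces a lifetime and a wrong-guess cap, and burns a code after a single successful use. The lifetime, the attempt cap, the in-memory dict standing in for the PostgreSQL OTP table, and the server-side key (so a leaked OTP table cannot be brute-forced over the 10^6 code space) are all assumptions of the example.

```python
"""OTP issue/verify store for password reset and MFA (added example; not the
project's code). Assumptions: a dict in place of PostgreSQL, HMAC-SHA256 with a
server-side key as the stored form, a 300 s lifetime and a cap of 5 guesses."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300     # assumed lifetime for reset and MFA codes
OTP_MAX_ATTEMPTS = 5      # assumed cap on wrong guesses per issued code


@dataclass
class OtpRecord:
    """What the service persists: a keyed hash, never the code itself."""
    code_hash: bytes
    expires_at: float
    attempts: int = 0


class OtpStore:
    """Issue and verify single-use OTPs, keyed by (user_id, purpose)."""

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key   # assumed server-side secret, not stored with records
        self._now = now          # injectable clock so expiry can be tested
        self._records = {}       # stands in for the PostgreSQL OTP table

    def _hash(self, user_id: str, purpose: str, code: str) -> bytes:
        # Bind the hash to user and purpose so a password-reset code cannot be
        # replayed as an MFA code, or against another user.
        msg = f"{user_id}\x00{purpose}\x00{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user_id: str, purpose: str) -> str:
        # secrets (CSPRNG), not random; zero-pad so leading zeros survive delivery.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._records[(user_id, purpose)] = OtpRecord(
            code_hash=self._hash(user_id, purpose, code),
            expires_at=self._now() + OTP_TTL_SECONDS,
        )
        return code  # delivered out of band; re-issuing replaces the old code

    def verify(self, user_id: str, purpose: str, code: str) -> bool:
        key = (user_id, purpose)
        rec = self._records.get(key)
        if rec is None:
            return False
        if self._now() >= rec.expires_at:
            del self._records[key]          # expired codes are removed, not kept
            return False
        rec.attempts += 1
        ok = hmac.compare_digest(rec.code_hash, self._hash(user_id, purpose, code))
        if ok or rec.attempts >= OTP_MAX_ATTEMPTS:
            # single use on success; burn the code after too many wrong guesses
            del self._records[key]
        return ok


if __name__ == "__main__":
    store = OtpStore(server_key=b"example-only-key")
    code = store.issue("worker-42", "password_reset")
    print("first use:", store.verify("worker-42", "password_reset", code))
    print("replay:", store.verify("worker-42", "password_reset", code))
```

Verification deliberately returns the same `False` for "no record", "expired", "wrong code" and "too many attempts", so the response does not tell a caller which case they hit; the failed-attempt count lives with the record, which is what a PostgreSQL-backed version would update in the same transaction.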
Integrations
All core domains communicate with Identity & Access via an ACL (Anti-Corruption Layer) pattern:
- Workforce Management → validates tokens, creates/manages profiles and internal users
- Productivity → validates tokens
- Safety & Compliance → validates tokens (Checkingmate Frontend, Admin, and Backend)
- Worker Monitoring → validates tokens
- Asset Management → validates tokens
- Billing & Subscription → validates tokens
The CIAM service exposes:
- POST /validateToken — used by the Backend FastAPI to validate incoming JWT tokens on every request
- Profile and internal user CRUD endpoints called by Workforce Management repositories
- OTP endpoints for password reset and MFA