# Identity, Auth, Access & Security - Analysis
Planning-layer analysis for category 2. It groups the 50 candidate services into capabilities, recommends what becomes a standalone service versus a module, and captures domain, interface, and non-functional notes. For the plain item list see the browse page.
## Scope & Bounded Context
- Primary bounded context: Identity & Access
- Group: core
- Default wave / cycle: Phase 1 · Core Platform Wave
- Items: 50 candidates
This category follows the ConnectSoft DDD baseline set out in the SaaS framework DDD blueprint and the service classification model.
## Classification Breakdown
| Classification | Count |
|---|---|
| Microservice | 4 |
| Module-in-service | 46 |
Anti-fragmentation stance
Per ADR-0011, the 46 module candidates below are delivered inside the Identity & Access bounded-context service, not as separate microservices. Only the 4 platform/service candidates justify an independent runtime.
## Standalone Service / Platform Candidates
| ID | Service | Tier | Status |
|---|---|---|---|
| CS-SVC-0051 | Identity Server | 0 | Live |
| CS-SVC-0053 | OAuth2 Authorization Server | 0 | Live |
| CS-SVC-0080 | SCIM Provisioning Service | 0 | Planned |
| CS-SVC-0100 | Zero Trust Access Gateway | 0 | Planned |
## Domain, Interfaces & Data Ownership
- Aggregates are owned by the Identity & Access context; cross-context reads go through published contracts, never shared databases.
- Integration is event-first, per the event-driven mindset: a state change and the integration event describing it are committed in the same transaction through an outbox, and a relay publishes the outbox rows to the broker, so no consumer can observe an event for a change that was never committed, and no committed change can silently go unpublished.
- APIs are contract-first and versioned through the API & Integration context.
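The outbox and contract-only-reads rules above, shown as a small runnable illustration. This is an added example, not ConnectSoft code: the table names (`user_account`, `outbox`, `billing_customer`, `processed_events`), the `UserRegistered` event type, the assumed consuming context (Billing), and the in-memory list standing in for the broker are all assumptions. Two separate SQLite databases stand in for the two contexts' separately owned stores. The event payload deliberately carries identifiers and the attributes a consumer needs, never the password hash.

```python
import json
import sqlite3
import uuid
from datetime import datetime, timezone

# Identity & Access context: owns the aggregate and its outbox (assumed names).
IDENTITY_SCHEMA = """
CREATE TABLE user_account (
    user_id       TEXT PRIMARY KEY,
    tenant_id     TEXT NOT NULL,
    email         TEXT NOT NULL,
    password_hash TEXT NOT NULL,
    UNIQUE (tenant_id, email)
);
CREATE TABLE outbox (
    event_id      TEXT PRIMARY KEY,
    event_type    TEXT NOT NULL,
    payload       TEXT NOT NULL,
    occurred_at   TEXT NOT NULL,
    dispatched_at TEXT
);
"""

# Assumed consuming context (Billing): its own projection and its own
# idempotency ledger in its own database. It never reads user_account.
BILLING_SCHEMA = """
CREATE TABLE billing_customer (
    user_id   TEXT PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    email     TEXT NOT NULL
);
CREATE TABLE processed_events (event_id TEXT PRIMARY KEY);
"""


def open_db(schema):
    conn = sqlite3.connect(":memory:")
    conn.executescript(schema)
    return conn


def _now():
    return datetime.now(timezone.utc).isoformat()


def register_user(identity_db, tenant_id, email, password_hash):
    """Write the integration event and the aggregate in ONE transaction.
    If either insert fails, both are rolled back: no event describes a user
    that does not exist, and no user exists without an event."""
    user_id = str(uuid.uuid4())
    # Contract payload: identifiers plus what consumers need; never the hash.
    payload = {"user_id": user_id, "tenant_id": tenant_id, "email": email}
    with identity_db:  # commit on success, rollback on any exception
        identity_db.execute(
            "INSERT INTO outbox (event_id, event_type, payload, occurred_at) "
            "VALUES (?, ?, ?, ?)",
            (str(uuid.uuid4()), "UserRegistered", json.dumps(payload), _now()))
        identity_db.execute(
            "INSERT INTO user_account VALUES (?, ?, ?, ?)",
            (user_id, tenant_id, email, password_hash))
    return user_id


def relay_outbox(identity_db, publish):
    """Relay: publish undispatched rows in commit order, then mark each one.
    Delivery is at-least-once (a crash between publish and UPDATE re-sends),
    so consumers must deduplicate on event_id."""
    rows = identity_db.execute(
        "SELECT event_id, event_type, payload FROM outbox "
        "WHERE dispatched_at IS NULL ORDER BY rowid").fetchall()
    for event_id, event_type, payload in rows:
        publish({"event_id": event_id, "type": event_type,
                 "data": json.loads(payload)})
        with identity_db:
            identity_db.execute(
                "UPDATE outbox SET dispatched_at = ? WHERE event_id = ?",
                (_now(), event_id))
    return len(rows)


def billing_handle(billing_db, message):
    """Consumer: record event_id and apply the projection atomically, so a
    redelivered event is a no-op instead of a duplicate row."""
    if message["type"] != "UserRegistered":
        return False
    with billing_db:
        seen = billing_db.execute(
            "SELECT 1 FROM processed_events WHERE event_id = ?",
            (message["event_id"],)).fetchone()
        if seen:
            return False
        d = message["data"]
        billing_db.execute("INSERT INTO processed_events VALUES (?)",
                           (message["event_id"],))
        billing_db.execute("INSERT INTO billing_customer VALUES (?, ?, ?)",
                           (d["user_id"], d["tenant_id"], d["email"]))
    return True


def demo():
    """Constructed scenario: one registration, one failed duplicate
    registration, one relay, and every message delivered twice."""
    identity_db, billing_db = open_db(IDENTITY_SCHEMA), open_db(BILLING_SCHEMA)
    bus = []  # stands in for the broker
    register_user(identity_db, "t1", "alice@example.com", "<argon2id hash>")
    try:  # same tenant+email violates UNIQUE; the outbox row already written
        register_user(identity_db, "t1", "alice@example.com", "<argon2id hash>")
    except sqlite3.IntegrityError:  # ...in this transaction is rolled back too
        pass
    sent = relay_outbox(identity_db, bus.append)
    applied = [billing_handle(billing_db, m) for m in bus + bus]
    customers = billing_db.execute(
        "SELECT COUNT(*) FROM billing_customer").fetchone()[0]
    pending = identity_db.execute(
        "SELECT COUNT(*) FROM outbox WHERE dispatched_at IS NULL").fetchone()[0]
    return {"sent": sent, "applied": applied,
            "customers": customers, "pending": pending}


if __name__ == "__main__":
    print(demo())
```

Two points worth checking in a real implementation: the relay's at-least-once semantics mean the consumer-side ledger (`processed_events`) is not optional, and the event payload is the published contract, so anything added to it (a password hash, an internal status flag) becomes part of another context's dependency surface.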
## Non-Functional Posture
- Multi-tenancy & edition-awareness: required for all serious candidates.
- Security: high baseline; secrets are obtained from the platform secret store at runtime, never embedded in configuration or images; each component runs with least privilege.
- Compliance: standard audit logging.
- Observability: OpenTelemetry traces, metrics, and structured logs.
## MVP vs Future
- MVP (Tier 0-1): Identity Server, OpenID Connect Provider, OAuth2 Authorization Server, User Account Service, User Profile Service, User Registration Service, Login Service, Password Management Service
- Future (Tier 4-5): none
## Open Questions
- Which module candidates, if any, develop independent scaling or ownership needs that would justify promotion to a standalone service?
- Where do this category's contracts overlap with adjacent contexts, and who owns them?