Operate & govern

Identity, peer planes for every standard.

Identity is its own canonical subsystem above the foundational Auth kernel. Eight entities — IdentitySubject, IdentityCredential, IdentityMembership, AuthSession, AuthChallenge, AuthRevocation, IdentityConnectorBinding, RefreshTokenFamily. Six services for sessions, refresh, challenges, passwords, federation flows, membership resolution. Every identity provider is a peer adapter through the IIdentityProviderFactoryRegistry — OIDC, SAML, OAuth2, Passkeys, Magic Link, Password, JWT, Custom, ServiceAccount, Anonymous.

Eight canonical entities

The full identity graph. Vendor-neutral.

IdentitySubject

The canonical subject — user, service account, or other principal. Provenance-keyed for JIT provisioning so re-creation across federation flows resolves to the same subject.

IdentityCredential

Per-subject credential material — password hashes, passkey public keys, OIDC subject mappings. Bcrypt / Argon2id / PBKDF2 — the algorithm + parameters travel with the hash.

IdentityMembership

Subject ↔ scope membership. Drives ContextSets["AllowedProjects"] and the broader scope-chain authorization. Every project hierarchy walk reads from here.

AuthSession

Active session row. Coherent across instances via the canonical SecurityCoherentCache pattern (ICacheInvalidationBus + TTL fallback). Revocation propagates within one bus roundtrip.

AuthChallenge

MFA challenges, email-link verifications, OAuth state. IIdentityChallengeCapabilityResolver is consulted by both Discovery and ChallengeStart, so the advertised challenge catalog and the challenges actually started stay consistent.

RefreshTokenFamily

Token-family rotation tracking. Reusing a rotated refresh token signals takeover — Vadyl invalidates the whole family. Built-in anomaly detection at the substrate.

AuthRevocation

Per-subject and per-session revocations. Propagates through the canonical security cache. Operators can revoke without database surgery.

IdentityConnectorBinding

Per-project provider bindings. OIDC issuer URLs, SAML metadata, OAuth client configs — secret-referenced through the key ring, branchable like everything else.

IIdentityProviderFactoryRegistry

Vendor-neutral factory. New provider kinds ship as built-in native, declarative bundle, or authored Wasm — peer to every other UCSA surface.

Six canonical services

JIT, MFA, federation, password, session — canonical, never bolt-on.

SessionService

Create, refresh, revoke, list sessions. Driven by the canonical security cache — invalidations propagate within bus roundtrip latency.

RefreshTokenService

Family-tracked rotation. Fail-closed on suspected token replay. Sliding-window expiration. Audit through canonical observability.
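The family-tracked rotation that RefreshTokenFamily and RefreshTokenService describe above, as an added illustration in Python (not Vadyl's own code): only the newest token in a family is valid, presenting a rotated-out token is treated as replay and revokes the whole family, and each successful rotation slides the expiry window forward. The store, clock injection and digest-keyed index are assumptions of this example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional

def _fingerprint(token: str) -> str:
    # Keep only a digest of each refresh token so a leaked store cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()

@dataclass
class RefreshTokenFamily:
    subject_id: str
    current: str                                 # digest of the single valid token
    retired: set = field(default_factory=set)    # digests of rotated-out tokens
    expires_at: float = 0.0
    revoked: bool = False

class RefreshTokenStore:
    """Family-tracked rotation: fail-closed on replay, sliding-window expiry."""

    def __init__(self, clock: Callable[[], float], window_seconds: int = 3600):
        self.clock = clock                       # injectable clock (assumption, for testing)
        self.window = window_seconds
        self.families: dict[str, RefreshTokenFamily] = {}
        self.index: dict[str, str] = {}          # token digest -> family id

    def issue(self, subject_id: str) -> tuple[str, str]:
        fam_id, token = secrets.token_hex(8), secrets.token_urlsafe(32)
        digest = _fingerprint(token)
        self.families[fam_id] = RefreshTokenFamily(
            subject_id, digest, expires_at=self.clock() + self.window)
        self.index[digest] = fam_id
        return fam_id, token

    def rotate(self, presented: str) -> Optional[str]:
        digest = _fingerprint(presented)
        fam_id = self.index.get(digest)
        if fam_id is None:
            return None                          # unknown token: fail closed
        fam = self.families[fam_id]
        if fam.revoked or self.clock() > fam.expires_at:
            fam.revoked = True                   # expired families stay dead
            return None
        if digest in fam.retired:
            fam.revoked = True                   # replay of a rotated token: kill the family
            return None
        new_token = secrets.token_urlsafe(32)
        fam.retired.add(fam.current)
        fam.current = _fingerprint(new_token)
        fam.expires_at = self.clock() + self.window   # sliding window from last use
        self.index[fam.current] = fam_id
        return new_token

    def is_revoked(self, fam_id: str) -> bool:
        return self.families[fam_id].revoked
```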

ChallengeService

Multi-factor challenges. Email link, OTP, passkey assertion, OAuth callback. Capability-aware routing (some providers don't support some challenge kinds — the registry resolves).

PasswordService

Bcrypt / Argon2id / PBKDF2 hashing. Self-describing format. Timing-safe verification. Configurable cost parameters per binding.

FederationFlowService

OIDC / SAML / OAuth2 flows end-to-end. Stateful with AuthChallenge. JIT subject provisioning with provenance keying.

MembershipResolver

The canonical authority for subject ↔ scope resolution. Walks the project hierarchy. Drives ContextSets and authorization decisions.

8 entities: all canonical, all branchable

6 services: Session · Refresh · Challenge · Password · Federation · Membership

9 provider kinds: vendor-neutral factory

Family refresh rotation: built-in anomaly detection

Identity that scales with intent.

Bind a provider. Configure the flow. Vadyl handles JIT, MFA, refresh families, federation, session lifecycle. The kernel underneath is rock-solid.