Gatekeeper
Zero-trust identity and authorization for the Data Island platform. OAuth2/OIDC, enterprise provisioning, encrypted storage, and compliance-ready audit trails.
Key Capabilities
Nine capabilities that deliver enterprise-grade identity, authorization, and compliance for the Data Island platform.
OAuth2 / OIDC
Full OAuth2 authorization server with OIDC discovery, PKCE for public clients, authorization code flow, client credentials for services, and refresh token rotation.
Federated Identity
Single sign-on via Google, Microsoft Entra ID, LinkedIn, GitHub, and Apple. Users authenticate with their existing corporate or social identity — no separate passwords.
RS256 JWT with JWKS
RSA-signed JSON Web Tokens with automatic key rotation via JWKS endpoint. Multi-key support for zero-downtime rotation and JTI-based token revocation.
SCIM 2.0 Provisioning
Automated user and group provisioning from Microsoft Entra ID (Azure AD). Group-to-role mapping, delta sync, and full lifecycle management.
MFA / TOTP
Time-based one-time passwords (RFC 6238) with QR code enrollment, backup codes, per-user enforcement, and grace periods for initial setup.
Account Security
Configurable password policies with complexity, history, and expiry rules. Automatic lockout after failed attempts. Concurrent session limits with oldest-evicted policy.
Fernet Encryption at Rest
All sensitive data in Redis is encrypted with Fernet (AES-128-CBC + HMAC-SHA256). Key rotation without data migration. Passwords hashed with Argon2id.
Dual-Tier Audit
Every authentication, authorization, and administration event is logged to Redis Streams (real-time) and Parquet archives (long-term). SHA-256 hash chain integrity.
Webhook Events
HMAC-signed event delivery for authentication, user lifecycle, and permission changes. Automatic retries with exponential backoff. Test delivery endpoint for integration validation.
Zero-Trust Service Mesh
Services do not implicitly trust each other. Every inter-service call is authenticated and authorized through explicit trust links.
How Trust Links Work
In the Data Island platform, each service (Core API, WebUI, OData, MCP) is registered as a client in Gatekeeper. Inter-service communication requires a trust link that explicitly defines which services can communicate and what permissions are granted.
- Explicit Registration: Each service must be registered as a Gatekeeper client with a unique client_id and client_secret.
- Trust Link Verification: On every request, the receiving service validates the JWT against Gatekeeper's JWKS endpoint, checks the client_id claim, and verifies the trust link exists.
- Scoped Permissions: Trust links carry scope restrictions. A service can only access the APIs and data it has been explicitly granted.
- No Implicit Trust: Network proximity is never sufficient. A service on the same Docker network still requires a valid JWT to communicate.
- Revocation: Deleting a trust link immediately blocks all communication between the two services. No token refresh can restore access.
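The trust-link decision described above, written out as an added illustration rather than Gatekeeper's own code. It assumes the JWT signature has already been checked against the JWKS endpoint and that the decoded payload carries a client_id claim and a space-separated scope string; the service names, scope names and the in-memory link table are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class TrustLinkTable:
    """Trust links keyed by (caller client_id, receiver client_id) -> granted scopes."""
    links: dict = field(default_factory=dict)

    def grant(self, caller: str, receiver: str, scopes: set) -> None:
        self.links[(caller, receiver)] = frozenset(scopes)

    def revoke(self, caller: str, receiver: str) -> None:
        # Deleting the link takes effect on the very next request; an
        # unexpired token held by the caller does not keep access alive.
        self.links.pop((caller, receiver), None)

    def authorize(self, claims, receiver: str, required_scope: str) -> tuple:
        """Decide one inter-service call. `claims` is the already
        signature-verified JWT payload (None if no token was presented)."""
        if claims is None:
            return False, "no token: network reachability is not trust"
        caller = claims.get("client_id")
        if not caller:
            return False, "token lacks client_id claim"
        granted = self.links.get((caller, receiver))
        if granted is None:
            return False, f"no trust link {caller} -> {receiver}"
        # The token's own scopes are capped by what the link grants, so the
        # required scope must appear in both (modelling assumption).
        token_scopes = set(claims.get("scope", "").split())
        if required_scope not in granted:
            return False, f"trust link does not grant {required_scope}"
        if required_scope not in token_scopes:
            return False, f"token was not issued with {required_scope}"
        return True, "ok"


def demo_table() -> TrustLinkTable:
    # Constructed sample: service names mirror those on this page,
    # the scope strings are illustrative only.
    table = TrustLinkTable()
    table.grant("odata", "core-api", {"datasets:read"})
    table.grant("mcp", "core-api", {"datasets:read", "datasets:write"})
    return table
```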
Token Types
Gatekeeper issues four types of tokens, each designed for a specific authentication context.
Service Token
Machine-to-machine authentication via the OAuth2 client_credentials grant. Used by Core, OData, and MCP servers to authenticate with Gatekeeper and each other.
grant_type: client_credentials
User Token
Issued after successful user authentication (login + optional MFA). Carries the user's identity, roles, and permissions. Used by the WebUI and API clients.
grant_type: authorization_code
Delegated Token
A service acts on behalf of a user. Carries both the service identity and the user's permissions. Used when Core API processes a user's request through OData.
grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
ID Token
OIDC-compliant identity token containing user profile claims (sub, name, email, groups). Used by frontend applications for user interface personalization.
scope: openid profile email
Architecture at a Glance
OAuth2/OIDC flows, JWT token engine with JWKS rotation, SCIM provisioning, MFA, and webhook events. Encrypted Redis state, Fernet at rest, Argon2id for passwords.
Auth Flows
Authorization code + PKCE for users, client_credentials for services, jwt-bearer for delegated identity, and OIDC discovery for federation.
Token Engine
RS256 JWTs signed with rotating RSA keys exposed via JWKS. JTI-based revocation, multi-key validation for zero-downtime rotation.
SCIM 2.0 Provisioning
Automated user + group provisioning from Microsoft Entra ID. Group-to-role mapping, delta sync, full lifecycle from create to suspend to delete.
MFA / TOTP
RFC 6238 time-based one-time passwords with QR enrollment, backup codes, per-user enforcement, and configurable grace periods.
Webhook Events
HMAC-signed delivery for auth, user lifecycle, and permission changes. Exponential-backoff retries and a test endpoint for integration validation.
Account Security
Configurable password policies, automatic lockout after failed attempts, concurrent-session limits with oldest-evicted policy.
Compliance & Encryption
SOC 2 and DORA-aligned controls, end-to-end encryption at rest, and a dual-tier audit pipeline with cryptographic integrity guarantees.
Fernet Encryption at Rest
Sensitive Redis fields encrypted with Fernet (AES-128-CBC + HMAC-SHA256). Key rotation without data migration. Passwords hashed with Argon2id.
Dual-Tier Audit
Real-time stream into Redis Streams plus long-term Parquet archive. SHA-256 hash chain across events — tampering breaks the chain at verify time.
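How a SHA-256 hash chain over audit events makes tampering visible at verify time, as an added example that is not Gatekeeper's own record format. The genesis value, the canonical-JSON hashing rule and the sample events are constructed for the illustration.

```python
import hashlib
import json

# Constructed sentinel for the first link of the chain; Gatekeeper's own
# record layout and genesis value are not described on this page.
GENESIS = "0" * 64


def _link_hash(prev_hash: str, event: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same event always
    # hashes identically; the previous hash is folded in to form the chain.
    canon = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode("utf-8")).hexdigest()


def append_event(chain: list, event: dict) -> list:
    """Append one audit event, linking it to the previous entry's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": event, "prev": prev, "hash": _link_hash(prev, event)})
    return chain


def verify_chain(chain: list) -> int:
    """Return -1 if the chain is intact, else the index of the first entry
    whose link no longer matches (edited, removed or reordered records)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _link_hash(prev, entry["event"]):
            return i
        prev = entry["hash"]
    return -1


def sample_chain() -> list:
    # Constructed events shaped like the auth/authz/admin categories on this page.
    chain = []
    append_event(chain, {"type": "auth.login", "user": "alice", "mfa": True})
    append_event(chain, {"type": "authz.deny", "client_id": "odata", "scope": "datasets:write"})
    append_event(chain, {"type": "admin.trust_link.delete", "caller": "odata", "receiver": "core-api"})
    return chain
```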
SOC 2 & DORA Aligned
Controls mapped to SOC 2 Trust Services Criteria and DORA operational-resilience requirements. 7-year retention out of the box.