An identity engine you can watch work.

OpenID Connect layers identity on top of OAuth 2.0. The Tessera edge engine plays both OIDC roles. As a Relying Party it consumes Okta and Entra using the Authorization Code flow with PKCE: it generates a fresh code_verifier, sends the S256 challenge explicitly, and on the callback verifies state, exchanges the code, and validates the ID token against the provider’s registered signing key — checking iss, aud, exp, and the nonce it issued.

Because the engine consumes two authorization servers at once, it is the textbook mix-up scenario, so it implements the RFC 9207 iss response parameter: it confirms the response came from the AS it actually redirected the user to before trusting any token.

As an OIDC Provider, the engine publishes /.well-known/openid-configuration and a jwks_uri over public HTTPS with a CA-signed certificate and a byte-identical issuer value, so AWS, Azure and GCP can establish trust against it (see Workload Identity Federation).

// Edge RP: Authorization Code + PKCE with EXPLICIT S256 (defaults to
// `plain` if omitted — the top RP bug). state + nonce always sent.
use openidconnect::{PkceCodeChallenge, CsrfToken, Nonce, Scope};

let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();

let (auth_url, csrf_state, nonce) = client
    .authorize_url(CsrfToken::new_random, Nonce::new_random)
    .add_scope(Scope::new("openid".into()))
    .add_scope(Scope::new("email".into()))
    .set_pkce_challenge(pkce_challenge) // method = S256, explicit
    .url();

// On callback: verify `iss` (RFC 9207) matches the AS we redirected to,
// verify `state` == csrf_state, exchange code with pkce_verifier, then
// validate the ID token: iss exact, aud contains client_id, signature
// against the REGISTERED alg (never the token's self-declared `alg`),
// exp in the future, and nonce == the nonce we sent.

OAuth 2.1 consolidates a decade of security hard-won lessons (RFC 9700 / BCP 240) into one stricter baseline. Tessera builds to the OAuth 2.1 bar, which is forward-compatible with the published BCP: PKCE on every client, exact redirect-URI matching, no Implicit/ROPC/response_type=token, single-use authorization codes under ten minutes, and audience-restricted access tokens.

For browser and SPA clients the edge is the natural enforcement point for DPoP (RFC 9449) — a per-request signed proof that binds the token to the client’s key (cnf.jkt). Confidential clients are bound with mTLS (cnf.x5t#S256, RFC 8705) instead. Refresh tokens are rotated with reuse detection, so a stolen-and-replayed refresh token revokes the entire grant.

// DPoP proof verification at the edge (the natural enforcement point for
// browser/SPA clients). The proof is a signed JWT: typ=dpop+jwt, embedded
// jwk, with htm/htu/jti/iat (+ ath when an access token is presented).
fn verify_dpop(proof: &DpopProof, method: &str, url: &str, cnf_jkt: &str) -> bool {
    proof.typ == "dpop+jwt"
        && proof.htm.eq_ignore_ascii_case(method)
        && proof.htu == url
        && proof.iat_within_skew()
        && proof.jti_unused()                 // single-use
        && proof.thumbprint() == cnf_jkt      // bind to the access token's cnf.jkt
        && proof.verify_signature()           // against the embedded jwk
}

A JWT is only as safe as its verifier. Tessera follows the JWT BCP (RFC 8725) literally: an explicit algorithm allow-list, alg:none rejected, and one key bound to one algorithm so an attacker cannot downgrade an RS256 public key into an HS256 shared secret. Every token must carry an explicit typ and pass iss/aud/exp checks, which is what stops an ID token being replayed as an access token (RFC 9068).

Keys are never selected by the token: jku, x5u and inline jwk headers are ignored, and verification keys come only from a cached, allow-listed JWKS. The engine validates self-contained access tokens locally at the edge and reaches for introspection (RFC 7662) only when it needs real-time revocation of an opaque token.

// Pin the algorithm allow-list; never trust the token's own `alg`.
// One key bound to one algorithm defeats the RS256 to HS256 confusion attack.
use jsonwebtoken::{decode, Validation, Algorithm, DecodingKey};

let mut v = Validation::new(Algorithm::EdDSA); // internal tokens = EdDSA
v.algorithms = vec![Algorithm::EdDSA];          // explicit allow-list, no `none`
v.required_spec_claims = ["iss", "aud", "exp"].into_iter().map(String::from).collect();
v.set_audience(&[expected_aud]);
v.set_issuer(&[expected_iss]);
// typ must be `at+jwt` for access tokens (RFC 9068); jku/x5u/jwk in the
// token header are IGNORED — keys come only from our cached, allow-listed JWKS.
let data = decode::<Claims>(token, &DecodingKey::from_ed_components(/* ... */), &v)?;

SAML 2.0 remains a real enterprise on-ramp, but its XML Signature / canonical- ization machinery is hostile to a WASM edge and is the historical home of XML Signature Wrapping and, more recently, parser-differential CVEs (CVE-2025-25291/25292). Tessera therefore treats SAML as a brokered legacy on-ramp: a hardened broker (Cloudflare Access / WorkOS / Keycloak) terminates SAML and re-issues OIDC, so the edge engine never sits in the XML trust path.

Where SAML is validated, the rules are non-negotiable and fail-closed: one parser end-to-end, DTDs disabled, the signed reference must cover the exact assertion consumed, multiple assertions rejected, and signatures must be at least RSA-SHA256.

# SAML is brokered to OIDC, NOT hand-rolled in WASM (XML-DSig / c14n is
# unsafe in WASM and prone to XML Signature Wrapping). A broker terminates
# SAML and re-issues OIDC to the edge engine.
broker:
  upstream: okta-saml-app          # SAML SP lives in the broker
  downstream: oidc                 # edge engine only ever sees OIDC
  assertion_rules:
    single_parser: true            # one XML parser end-to-end
    reject_multiple_assertions: true
    disable_dtd: true              # XXE off
    min_signature_alg: RSA-SHA256  # reject SHA-1
    verify_reference_covers_consumed_assertion: true

SCIM 2.0 (RFC 7642/7643/7644) is the provisioning wire protocol, and the only real test of a SCIM service provider is that both Okta and Microsoft Entra drive it cleanly — and they disagree. Entra sends a capitalized op, can encode active as the string "False", and uses a no-path multi-attribute replace; Okta sends a no-path replace with a boolean. The Tessera SCIM endpoint absorbs all of it with one PATCH engine over a canonical attribute tree.

Two rules prevent the classic failures: active:false is a soft delete (the user stays GET-able), and an unknown-user filter returns a 200 empty ListResponse, never a 404 — which is exactly what Entra’s “Test Connection” probe checks. Everything is served as application/scim+json over TLS 1.2+.

// Absorb both IdP dialects: Entra sends capitalized `op` and (legacy)
// `active` as the STRING "False"; Okta sends a no-path replace. One
// PATCH engine handles add/replace/remove over a canonical attribute tree.
fn normalize_op(op: &str) -> Op { op.to_ascii_lowercase().parse().unwrap() }

fn parse_active(v: &serde_json::Value) -> bool {
    match v {
        serde_json::Value::Bool(b) => *b,
        serde_json::Value::String(s) => !s.eq_ignore_ascii_case("false"),
        _ => true,
    }
}
// active=false is a SOFT delete: the user stays GET-able (never hard-delete).
// Unknown user filter to 200 empty ListResponse (never 404); counts are integers.

Policy-as-code in Tessera is authored as OPA Rego v1 (OPA 1.0, Jan 2025, where if and contains are mandatory) and unit-tested with opa test, Regal lint, and conftest over Terraform plan JSON. But at runtime the edge cannot nest OPA-compiled-WASM inside a V8 Worker, so evaluation is done by Regorus — a pure-Rust Rego interpreter (Microsoft) that compiles to wasm32 and becomes the Worker.

The policy is role-centric RBAC-A: a role sets the envelope and ABAC may only narrow it. default allow := false, and the policy-enforcement point (the edge Worker) fails closed on any error, timeout, or undefined result. Because Regorus has no decision-log plugin, the Rust host emits OPA-shaped decision logs with masking applied before anything leaves the edge.

# Rego v1: `if` / `contains` mandatory. Default-deny; role-centric RBAC-A
# where ABAC may only narrow, never expand.
package authz

default allow := false

allow if {
    role_permits
    every constraint in abac_constraints { constraint }
}

role_permits if {
    some role in input.subject.roles
    data.role_permissions[role][input.action][input.resource.type]
}

Tessera blends the two NIST access-control models without picking a side. RBAC (INCITS 359) is simple and auditable; ABAC (SP 800-162) is flexible. The bridge the standard itself suggests — “a role may be viewed as a subject attribute” — becomes role-centric RBAC-A: the role sets the permission envelope and attribute rules may only narrow it. An access change recalculates grant = target - current and revoke = current - target; an add-only update would silently accumulate privilege.

Authorization is expressed over NIST’s four input categories — subject (with roles), resource, action, and environment — with roles and bindings living in data and the per-request facts in input. Separation of Duties is a Rego matrix evaluated both at request time (preventive) and during periodic review sweeps (detective).

# NIST four input categories: subject / resource / action / environment.
# ABAC constraints only NARROW the role-granted envelope (add-only would be a bug).
package authz

abac_constraints contains "within_business_hours" if {
    input.environment.time_hour >= 9
    input.environment.time_hour < 18
}

# Separation of Duties as a Rego matrix — evaluated preventively (request
# time) and detectively (review sweeps).
sod_violation if {
    some a, b in input.subject.roles
    data.sod_matrix[a][b]
}

Zero Trust (NIST SP 800-207) removes implicit trust from the network and makes every request prove itself. The load-bearing tenet for Tessera is continuous verification: the engine re-evaluates authorization per request with a fresh environment (device, time, risk) and never caches an allow decision for the life of a session.

The architecture maps onto the standard’s roles exactly: the edge Worker is the Policy Enforcement Point and carries no policy logic; the Regorus-evaluated bundle is the Policy Engine; and the Go control plane is the Policy Administrator that mints and revokes sessions and signs and pushes policy bundles. Decisions are server-side, deny-by-default, and fail closed.

// Zero Trust tenet #3/#6: re-evaluate authorization PER REQUEST with fresh
// environment input — never cache an allow decision for the session.
async fn handle(req: Request, ctx: Ctx) -> Result<Response> {
    let input = Input {
        subject: ctx.session.subject(),          // who, + roles
        action: req.action(),
        resource: req.resource(),
        environment: ctx.fresh_environment(),     // device, time, risk — fresh each call
    };
    // PEP = this edge Worker (no policy logic). PE = Regorus bundle.
    match ctx.regorus.eval_allow(&input).await {
        Ok(true) => proceed(req).await,
        _ => Response::forbidden(), // fail closed on deny/error/undefined
    }
}

Go is where the control plane lives — native, idiomatic Go with the real AWS, Azure and GCP SDKs, running as scheduled GitHub Actions and locally (not TinyGo on Workers, which can’t load those SDKs). It drives the Joiner-Mover- Leaver lifecycle, risk-tiered access reviews, and federation orchestration.

Its most important correction is the Leaver saga. Setting SCIM active=false only blocks the next login; live sessions and refresh tokens stay valid. So offboarding is a four-step saga that must all go green: disable in SCIM, revoke the OAuth grant and refresh tokens (RFC 7009), terminate sessions via OIDC Back-Channel Logout, and revoke API keys. For-cause offboards run immediately (under five minutes); routine ones run at termination via Cron.

// Leaver is a SAGA, not a flag flip: active=false alone leaves live sessions
// and refresh tokens valid. All four steps must go green to be "offboarded".
func Offboard(ctx context.Context, id Identity) error {
    if err := scim.Disable(ctx, id); err != nil { return err }            // 1. SCIM active=false
    if err := oauth.RevokeGrant(ctx, id); err != nil { return err }       // 2. RFC 7009
    if err := oidc.BackChannelLogout(ctx, id); err != nil { return err }  // 3. terminate sessions
    return apikeys.RevokeAll(ctx, id)                                     // 4. revoke API keys
}

The edge identity engine is Rust compiled to wasm32 and run on Cloudflare Workers via the first-class workers-rs. That target has one governing rule: anything that links C or assembly crypto (ring, aws-lc-rs, OpenSSL) will not build, so the whole crate set is pure Rust — jsonwebtoken on the rust_crypto backend, ed25519-dalek for internal signing, pasetors for sessions, and regorus for policy.

Two footguns are designed out: randomness must be explicitly wired to crypto.getRandomValues (the wasm_js getrandom feature and the matching rustflag — the number-one cause of broken builds), and RSA signing/keygen is delegated to WebCrypto SubtleCrypto rather than the rsa crate, which carries the RUSTSEC-2023-0071 Marvin timing advisory.

# wasm32-unknown-unknown: C/asm crypto won't build (no ring/openssl).
# Randomness MUST be wired: feature `wasm_js` AND the rustflag below.
[dependencies]
worker = { version = "0.8", features = ["http", "d1"] }
jsonwebtoken = { version = "10.4", default-features = false, features = ["use_pem", "rust_crypto"] }
ed25519-dalek = { version = "2.2", default-features = false, features = ["rand_core", "pkcs8", "zeroize"] }
regorus = { version = "0.10", default-features = false, features = ["arc", "regex", "semver"] }
getrandom = { version = "0.3", features = ["wasm_js"] }
# .cargo/config.toml => [target.wasm32-unknown-unknown]
#   rustflags = ['--cfg', 'getrandom_backend="wasm_js"']

Terraform owns the multi-cloud identity-trust plane: the OIDC trust that lets AWS, Azure and GCP accept tokens from the edge engine. Following the HashiCorp style guide, that is three thin per-cloud modules — aws-oidc-trust, gcp-wif, azure-fic — composed in a single root, rather than a leaky “universal federation” abstraction, because the three clouds genuinely differ.

State lives on Cloudflare R2 through the s3 backend with the native use_lockfile (DynamoDB locking is deprecated). The trust conditions — exact aud and exact sub, never wildcards — are unit-tested with terraform test and mock_provider, so the confused-deputy guardrails are verified without ever calling a cloud API.

# State on Cloudflare R2 via the s3 backend, native S3 lockfile (TF >= 1.11).
# DynamoDB locking is DEPRECATED — do not use it.
terraform {
  required_version = ">= 1.11"
  backend "s3" {
    bucket                      = "tessera-tfstate"
    key                         = "federation/terraform.tfstate"
    region                      = "auto"
    use_lockfile                = true
    skip_credentials_validation = true
    skip_metadata_api_check     = true
    skip_region_validation      = true
    skip_requesting_account_id  = true
    skip_s3_checksum            = true
    use_path_style              = true
  }
}

AWS CDK provisions exactly one AWS slice — the access-review pipeline (EventBridge to Step Functions to DynamoDB) — shown alongside Terraform to demonstrate both IaC styles. The ownership boundary is strict: CDK owns this in-account app slice; Terraform owns the multi-cloud trust plane, and neither tool’s state references a resource the other created except as a read-only import.

The build enforces cdk-nag v3, whose API changed from the pattern most tutorials still show: it is Validations.of(app).addPlugins(new AwsSolutionsChecks()), with suppressions acknowledged with a written reason. env is pinned so fromLookup works, and every stateful resource is RemovalPolicy.DESTROY so the ephemeral demo tears down to zero.

// cdk-nag v3 API (most tutorials are stale): Validations.of().addPlugins(),
// NOT Aspects.of().add(). Suppress with reasons via .acknowledge().
import { App } from 'aws-cdk-lib';
import { Validations } from 'aws-cdk-lib';
import { AwsSolutionsChecks } from 'cdk-nag';
import { AccessReviewStack } from '../lib/access-review-stack';

const app = new App();
new AccessReviewStack(app, 'AccessReviewStack', {
  env: { account: process.env.CDK_ACCOUNT, region: 'us-east-1' }, // pinned env
});
Validations.of(app).addPlugins(new AwsSolutionsChecks({ verbose: true }));

Multi-cloud federation needs trust plus short-lived token exchange, not running cloud compute — which is why Tessera’s live federation into AWS, Azure and GCP is genuinely keyless and free. The edge engine, acting as an OIDC Provider, mints a distinct RS256 token per cloud (the only algorithm all three accept; Azure is RS256-only), each with that cloud’s correct aud.

The single most important rule, learned from real confused-deputy breaches, is applied identically to all three: pin exact aud and exact sub, never a wildcard. Each cloud then adds its own quirk — AWS drops the obsolete thumbprint and requires a publicly reachable JWKS, GCP uses direct resource access with a CEL condition and a 24h token limit, and Azure needs an app-registration FIC plus a propagation delay and retry because new credentials take minutes to take effect.

# The confused-deputy lesson applied to all three clouds: pin aud EXACT and
# sub EXACT (StringEquals, never StringLike / wildcards).
resource "aws_iam_role" "federated" {
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Federated = aws_iam_openid_connect_provider.edge.arn }
      Action    = "sts:AssumeRoleWithWebIdentity"
      Condition = {
        StringEquals = {
          "${local.issuer_host}:aud" = var.aws_client_id        # exact
          "${local.issuer_host}:sub" = var.expected_subject      # exact, no wildcard
        }
      }
    }]
  })
}

Cloudflare Workers is the entire edge platform for Tessera, and each concern maps to the primitive that fits its consistency needs. The engine, SCIM endpoint and OIDC Provider run as a Rust/WASM Worker. Sessions are opaque tokens backed by a single-writer Durable Object, so “log out everywhere” and revocation are strongly consistent and instant — KV is only ever a read-cache, never the sole revocation authority because it is eventually consistent.

The audit log is the system of record on R2 with Bucket Locks (WORM-style, though not S3 Compliance mode, so an app-level hash chain is added). Discovery and JWKS documents are cached in KV and the Cache API with single-flight refresh to absorb DoS, and the engine respects the platform’s hard limits: a 3 MB free bundle, a 400 ms startup-CPU budget, and outbound calls only through fetch.

// Sessions are OPAQUE tokens backed by a single-writer Durable Object, so
// "log out everywhere" / revocation is instant. KV is a read-cache only —
// never the sole revocation authority (it is eventually consistent).
#[durable_object]
pub struct SessionStore { state: State }

impl SessionStore {
    pub async fn revoke_all(&self, subject: &str) -> Result<()> {
        // strong consistency: subsequent reads see the revocation immediately
        self.state.storage().delete_all().await
    }
}

Every deploy in Tessera runs through hardened GitHub Actions. The two load-bearing controls are SHA-pinning and keyless OIDC. Tags are mutable — the tj-actions/changed-files incident (CVE-2025-30066) silently re-pointed every tag, and only SHA-pinned consumers were safe — so every third-party action is pinned to a commit SHA with Dependabot keeping it fresh.

Cloud access is keyless: jobs request short-lived credentials via OIDC with zero static keys, and the trust is pinned to a GitHub Environment subject. Build artifacts (the WASM engine, the CDK assets) get SLSA provenance via actions/attest-build-provenance (Build L2 by default on hosted runners), and consumers verify that provenance with --certificate-identity rather than trusting that something is merely signed.

# SHA-pin every third-party action (tags are movable — the tj-actions
# CVE-2025-30066 re-pointed all tags; SHA-pinned users were safe).
# Top-level read-only token; escalate per job. Keyless OIDC pinned to env.
permissions:
  contents: read
jobs:
  deploy:
    environment: production           # pin OIDC subject to the environment
    permissions:
      contents: read
      id-token: write                 # keyless OIDC, zero static cloud keys
      attestations: write             # SLSA provenance
    steps:
      - uses: step-security/harden-runner@<pinned-sha>   # audit -> block egress
      - uses: actions/checkout@<pinned-sha>

The site’s signature is a live 3D identity-flow graph, used because it is genuinely informational — you watch a token flow from the IdP through the edge engine and into the clouds — not as decoration. It is one capability-gated client:only Astro island; everything else on the site is static with zero client JS.

Accessibility is designed in, not bolted on. A semantic SVG graph is the source of truth, and the same artifact serves triple duty: the screen-reader- accessible equivalent, the prefers-reduced-motion alternative, and the low-end fallback. Node types are distinguished by icon and label (never color alone), contrast stays >=4.5:1 on the light theme, a visible Pause control exists, and pulses stay under three per second. The poster image — not the canvas — is the LCP element, and the canvas box is reserved with aspect-ratio so layout never shifts.

// The SVG graph is the source of truth and triple-duties as the a11y
// equivalent, the reduced-motion alternative, and the low-end fallback.
function decideRenderMode(i: CapabilityInputs): RenderMode {
  if (i.reducedMotion || i.saveData) return 'poster';   // static poster = LCP
  if (!i.webgl || i.gpuTier <= 1 || i.cores < 4) return 'svg';
  if (i.gpuTier === 2) return 'webgl-lite';
  return 'webgl-full';
}
// R3F discipline: frameloop="demand", drei Instances, dispose={null},
// never setState per frame — mutate refs / shader uniforms in useFrame.