Tessera

Standards & technologies

Each technology is built to the standards it follows, with the best practices applied — and every claim is backed by a cited source. Everything here is also on the single page.

OpenID Connect (OIDC)

The engine is an OIDC Relying Party to Okta and Entra, and a real OIDC Provider that the clouds trust.

OAuth 2.1 · PKCE · DPoP

Built to the stricter OAuth 2.1 bar — PKCE everywhere, exact redirect matching, and DPoP sender-constrained browser tokens.

JSON Web Tokens (JWT)

One key, one algorithm, an explicit allow-list, and token key-URLs ignored — defeating alg-confusion and SSRF.
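As an added illustration of the three rules above (one pinned key, one algorithm on an explicit allow-list, and token-supplied key URLs never consulted), the verifier below is example code written for this page, not Tessera's engine; it uses HMAC-SHA256 from the standard library rather than RS256 so it runs offline, and the secret and token contents are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret, not a real key. The verifier is pinned to exactly one
# key and one algorithm; nothing inside the token may change either.
DEMO_KEY = b"constructed-demo-secret-do-not-use"
ALLOWED_ALGS = {"HS256"}   # explicit allow-list: "none", RS256 etc. are never accepted


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(header: dict, claims: dict, key: bytes) -> str:
    """Build a token with an arbitrary header (used here only to construct sample
    tokens, including hostile ones); the MAC is always HMAC-SHA256 over header.payload."""
    h64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    b64 = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h64}.{b64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{b64}.{_b64url_encode(sig)}"


def verify(token: str, key: bytes = DEMO_KEY) -> Optional[dict]:
    """Return the claims if the token verifies under the pinned key and algorithm,
    otherwise None. Key-selection headers (jku, x5u, jwk, x5c, kid) are never read,
    so a token cannot steer the verifier to fetch a key from a URL of its choosing."""
    try:
        h64, b64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        sig = _b64url_decode(s64)
    except ValueError:            # wrong segment count, bad base64, bad JSON
        return None
    # The algorithm is chosen by the verifier, not the token: anything outside the
    # allow-list is rejected before any cryptography runs.
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None
    # Recompute the MAC with OUR key and compare in constant time.
    expected = hmac.new(key, f"{h64}.{b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        return json.loads(_b64url_decode(b64))
    except ValueError:
        return None
```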

SAML 2.0 (brokered)

Consumed via a hardened broker, never hand-rolled XML-DSig in WASM — defending against XML Signature Wrapping and parser differentials.

SCIM 2.0

A service provider that passes both Okta CRUD and the Microsoft SCIM Validator — absorbing both Entra PATCH dialects.

OPA / Rego v1 · Regorus

Rego v1 policy authored and `opa test`-ed, evaluated at the edge by Microsoft Regorus (pure-Rust Rego), fail-closed.

RBAC / ABAC (policy-as-code)

Role-centric RBAC-A per NIST — the role sets the envelope, attributes only narrow it; SoD evaluated preventively and detectively.

Zero Trust (NIST SP 800-207)

Authorize per request, not per session — the edge is the PEP, Regorus is the PE, the Go control plane is the PA.

Go (control plane)

Native idiomatic Go orchestrator running the JML lifecycle and a multi-step offboarding saga with the real cloud SDKs.

Rust (edge engine to WASM)

The identity engine compiled to wasm32 on Cloudflare Workers — pure-Rust crypto, WebCrypto for RSA, randomness wired to crypto.getRandomValues.

Terraform

Three thin per-cloud trust modules composed in one root, state on R2 with native lockfile, tested with mock providers.

AWS CDK

A TypeScript app provisioning the one AWS access-review slice — cdk-nag v3 enforced, RemovalPolicy.DESTROY for clean teardown.

Workload Identity Federation (AWS · Azure · GCP)

Keyless, free, live federation into all three clouds — a distinct RS256 token per cloud, exact aud + exact sub, no wildcards.

Cloudflare Workers

The whole edge platform — Workers, Durable Objects for single-writer sessions, R2 WORM audit, KV as read-cache only.

CI/CD · SLSA supply chain

Hardened GitHub Actions — SHA-pinned, keyless OIDC to the clouds, SLSA provenance attested and verified on consume.

3D frontend · WCAG 2.2 AA

A live R3F flow graph that is purposeful, not gimmicky — with a semantic SVG that is the source of truth, the reduced-motion alt, and the low-end fallback all at once.