Identity Service — Epics
Service: identity-service Epic prefix: IDENT-EPIC Last updated: 2026-04-18
Epics
IDENT-EPIC-01 — Authentication and user identity lifecycle
| Field | Value |
|---|---|
| Issue type | Epic |
| Summary | Deliver secure authentication, session management, and user lifecycle |
| Status | In Progress |
| Priority | Must |
| Labels | service:identity, domain:identity, slice:S0 |
| Components | auth-module, session-module, user-lifecycle |
| Fix version | M0 |
| FR references | FR-IDENT-AUTH-001..010, FR-IDENT-USR-001..006 |
| Legacy FR refs | FR-IAM-AUTH-001..010, FR-IAM-USR-001..006 |
| Dependencies | IDENT-EPIC-04 (MFA), cross-service: TENANT-EPIC-01 |
| Rollup status | Partial |
Business outcome: Every user on the platform can authenticate securely using email+password (with argon2id), receive a short-lived JWT, and have their session lifecycle managed consistently. Tenant admins can create, suspend, and deactivate users with auditable state transitions.
Description: Delivers the foundational authentication surface: password-based login, session issuance (15-min JWT + 8-h refresh), refresh rotation with replay detection, logout (single + all sessions), and the full user lifecycle (register → verify email → active → suspend → deactivate). All auth outcomes are emitted as domain events for consumption by tenant-service and communication-service. Freeze point F01 (JWT claims shape) and F03 (branded value objects) are locked at end of M0.
Stories: IDENT-US-001, IDENT-US-002, IDENT-US-003, IDENT-US-004
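The refresh-rotation and replay-detection behaviour this epic describes, shown as an added worked example (this is illustration code, not identity-service code). The in-memory store, the opaque token format, and the one-family-per-login model are assumptions; the 15-min access and 8-h refresh lifetimes come from the epic. Every rotation marks the old token as used; presenting a used token again is treated as a replay and revokes the whole family, which also covers the "logout single" and "logout all" paths.

```python
"""Added example (not identity-service code): refresh-token rotation with
replay detection. Store, token format and family model are assumptions."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

ACCESS_TTL_S = 15 * 60        # 15-min access JWT (from the epic)
REFRESH_TTL_S = 8 * 60 * 60   # 8-h refresh token (from the epic)


@dataclass
class RefreshRecord:
    family: str            # one family per login; every rotation keeps it
    user_id: str
    expires_at: float
    rotated: bool = False  # set once this token has been exchanged


class SessionStore:
    """Minimal session store keyed by sha256(token) so raw secrets are never kept."""

    def __init__(self) -> None:
        self._refresh: dict[str, RefreshRecord] = {}
        self._revoked_families: set[str] = set()

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _mint(self, user_id: str, family: str, now: float) -> dict:
        token = secrets.token_urlsafe(32)
        self._refresh[self._key(token)] = RefreshRecord(family, user_id, now + REFRESH_TTL_S)
        return {"refresh_token": token, "access_expires_at": now + ACCESS_TTL_S}

    def login(self, user_id: str, now: Optional[float] = None) -> dict:
        """Successful password login: start a new token family."""
        now = time.time() if now is None else now
        return self._mint(user_id, secrets.token_hex(16), now)

    def rotate(self, refresh_token: str, now: Optional[float] = None) -> dict:
        """Exchange a refresh token for a new pair; detect replay of a used token."""
        now = time.time() if now is None else now
        rec = self._refresh.get(self._key(refresh_token))
        if rec is None:
            return {"ok": False, "reason": "unknown"}
        if rec.family in self._revoked_families:
            return {"ok": False, "reason": "revoked"}
        if rec.expires_at <= now:
            return {"ok": False, "reason": "expired"}
        if rec.rotated:
            # A token that was already exchanged is being presented again.
            # Either the client or someone holding a stolen copy is behind;
            # revoking the whole family invalidates both descendants.
            self._revoked_families.add(rec.family)
            return {"ok": False, "reason": "replay"}
        rec.rotated = True
        return {"ok": True, **self._mint(rec.user_id, rec.family, now)}

    def logout(self, refresh_token: str) -> bool:
        """Logout (single session): revoke the family the token belongs to."""
        rec = self._refresh.get(self._key(refresh_token))
        if rec is None:
            return False
        self._revoked_families.add(rec.family)
        return True

    def logout_all(self, user_id: str) -> int:
        """Logout (all sessions): revoke every family of the user; returns count."""
        revoked = 0
        for rec in self._refresh.values():
            if rec.user_id == user_id and rec.family not in self._revoked_families:
                self._revoked_families.add(rec.family)
                revoked += 1
        return revoked
```

The "replay" outcome is the signal worth alerting on: a legitimate client never presents a refresh token twice, so each such event is either a client bug or a token theft, and the family revocation forces a fresh login either way.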
IDENT-EPIC-02 — Device registration and offline binding
| Field | Value |
|---|---|
| Issue type | Epic |
| Summary | Device registration, trust promotion, and offline binding certificates |
| Status | To Do |
| Priority | Must |
| Labels | service:identity, domain:identity, slice:S1 |
| Components | device-module, binding-cert |
| Fix version | M1 |
| FR references | FR-IDENT-DEV-001..005 |
| Legacy FR refs | FR-IAM-AUTH-007 (device fingerprint) |
| Dependencies | IDENT-EPIC-01 |
| Rollup status | Not started |
Business outcome: Clinical users in low-connectivity settings can pre-register their devices and receive offline binding certificates. Downstream services (patient-chart, document) derive encryption keys from the binding event, enabling secure offline access.
Description: Implements device registration (fingerprint + public key), trust promotion flow (untrusted → trusted), and issuance of short-lived X.509-style offline binding certificates via KMS. Maximum cert lifetime is 30 days. Revocation is handled immediately on logout-all or admin revoke. The identity.device.bound_for_offline.v1 event is consumed by content and chart services for key derivation.
Stories: IDENT-US-005, IDENT-US-006
IDENT-EPIC-03 — API keys and service accounts
| Field | Value |
|---|---|
| Issue type | Epic |
| Summary | Tenant API key and service account lifecycle governance |
| Status | To Do |
| Priority | Must |
| Labels | service:identity, domain:identity, slice:S1 |
| Components | api-key-module, service-account-module |
| Fix version | M1 |
| FR references | FR-IDENT-SVC-001..003 |
| Legacy FR refs | FR-IAM-SVC-001..003 |
| Dependencies | IDENT-EPIC-01 |
| Rollup status | Not started |
Business outcome: M2M integrations and internal services can authenticate using scoped API keys and client-credentials service accounts. Platform operators have full visibility and rotation controls.
Description: Provides API key CRUD with HMAC-backed secret returned once, rotation with overlap window, and revocation. Service accounts are Keycloak confidential clients managed via identity-service with create, rotate, and revoke semantics. All operations emit audit events and are visible in admin endpoints.
Stories: IDENT-US-007
IDENT-EPIC-04 — MFA and adaptive authentication
| Field | Value |
|---|---|
| Issue type | Epic |
| Summary | TOTP and WebAuthn MFA enrollment, verification, adaptive challenge |
| Status | To Do |
| Priority | Must |
| Labels | service:identity, domain:identity, slice:S0/S4 |
| Components | mfa-module |
| Fix version | M1 (TOTP+WebAuthn basic), M3 (adaptive) |
| FR references | FR-IDENT-MFA-001..006 |
| Legacy FR refs | FR-IAM-AUTH-005 (MFA policy) |
| Dependencies | IDENT-EPIC-01 |
| Rollup status | Not started |
Business outcome: Clinical roles and tenant admins can enforce MFA. Adaptive MFA challenges high-risk sessions (new device, geo anomaly). Recovery codes provide a break-out path.
Description: Delivers TOTP enrollment (provisioning URI, seed via KMS-wrapped secret), TOTP verification during login, WebAuthn platform authenticator registration and assertion. Recovery codes (up to 10, single-use hashed). Adaptive MFA (risk score > threshold triggers challenge) is scoped to S4/M3.
Stories: IDENT-US-008, IDENT-US-009
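The TOTP verification and single-use recovery codes this epic lists, as an added example (illustration code, not identity-service code or the mfa-module). TOTP follows RFC 6238 (HMAC-SHA1, 30-s step, 6 digits); the ±1-step window, the per-user "last accepted step" replay guard, the recovery-code length, and the unsalted SHA-256 hashing of the high-entropy recovery codes are assumptions. The epic's KMS-wrapped seed storage is out of scope here: the secret is passed in as raw bytes.

```python
"""Added example (not identity-service code): RFC 6238 TOTP verification with
a replay guard, plus single-use hashed recovery codes. Window, code length
and hash choice are assumptions."""
import hashlib
import hmac
import secrets
import struct

TOTP_STEP_S = 30
TOTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_seconds: int) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second step."""
    return hotp(secret, unix_seconds // TOTP_STEP_S)


class TotpVerifier:
    """Accepts a code within +/-window steps, never accepts a step twice."""

    def __init__(self, window: int = 1) -> None:
        self.window = window
        self._last_step: dict[str, int] = {}   # user_id -> last accepted step

    def verify(self, user_id: str, secret: bytes, code: str, unix_seconds: int) -> bool:
        now_step = unix_seconds // TOTP_STEP_S
        last = self._last_step.get(user_id, -1)
        for step in range(now_step - self.window, now_step + self.window + 1):
            if step <= last:
                continue   # already consumed (or older): blocks replay of a seen code
            if hmac.compare_digest(hotp(secret, step), code):
                self._last_step[user_id] = step
                return True
        return False


def issue_recovery_codes(count: int = 10) -> tuple[list[str], set[str]]:
    """Return (codes to show the user once, hashes to persist). Max 10 per the epic."""
    count = min(count, 10)
    codes = [secrets.token_hex(5) for _ in range(count)]   # 40 bits each (assumption)
    hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, hashes


def consume_recovery_code(hashes: set[str], code: str) -> bool:
    """Single use: a matching hash is removed so the code cannot be reused."""
    h = hashlib.sha256(code.encode()).hexdigest()
    if h in hashes:
        hashes.discard(h)
        return True
    return False
```

The `_last_step` guard is the part most implementations forget: without it a valid code stays accepted for the whole window, so an intercepted code can be reused within about a minute. The RFC 6238 test vector (secret `12345678901234567890`, time 59) is used in the test to confirm the arithmetic.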
IDENT-EPIC-05 — Federated identity (OIDC and SAML)
| Field | Value |
|---|---|
| Issue type | Epic |
| Summary | OIDC generic, Keycloak broker, SAML 2.0 SP, JIT provisioning |
| Status | To Do |
| Priority | Should |
| Labels | service:identity, domain:identity, slice:S2/S4 |
| Components | federation-module |
| Fix version | M2 (OIDC + Keycloak), M3 (SAML) |
| FR references | FR-IDENT-FED-001..006 |
| Legacy FR refs | FR-IAM-AUTH-008 (OIDC), FR-IAM-AUTH-009 (SAML) |
| Dependencies | IDENT-EPIC-01 |
| Rollup status | Not started |
Business outcome: Enterprise tenants can use their existing corporate IdPs (Azure AD, Okta, Google Workspace) or Keycloak realms without migrating credentials. All federated paths produce a stable Ghasi JWT.
Description: Implements OIDC Authorization Code + PKCE flow (generic + Keycloak broker), SAML 2.0 SP with encrypted assertions, JIT user provisioning, and ExternalIdentity linkage. All flows re-mint a Ghasi JWT (F01/F03 preservation). Circuit breaker protects against upstream IdP outages.
Stories: IDENT-US-010, IDENT-US-011
IDENT-EPIC-06 — Access context aggregation
| Field | Value |
|---|---|
| Issue type | Epic |
| Summary | Aggregated access context for UI gating and policy checks |
| Status | To Do |
| Priority | Must |
| Labels | service:identity, domain:identity, slice:S0 |
| Components | access-context-module |
| Fix version | M0 |
| FR references | FR-IDENT-CTX-001..003 |
| Legacy FR refs | FR-IAM-CTX-001, FR-IAM-PROV-003 |
| Dependencies | IDENT-EPIC-01, cross-service: TENANT-EPIC-02 |
| Rollup status | Not started |
Business outcome: Client applications can fetch a single aggregated view of roles, memberships, and effective modules for the authenticated user, enabling consistent UI gating without multiple service calls.
Description: GET /api/v1/me/access-context assembles: roles and memberships (tenant-service), effective license modules (internal licensing resolver). Result is cached with 5-min TTL and event-invalidated on role change or license status change.
Stories: IDENT-US-012
IDENT-EPIC-07 — Module licensing catalogue and assignments
| Field | Value |
|---|---|
| Issue type | Epic |
| Summary | Module catalogue, license assignments, effective resolver with inheritance |
| Status | To Do |
| Priority | Must |
| Labels | service:identity, domain:licensing, slice:S1 |
| Components | licensing-module |
| Fix version | M1 |
| FR references | FR-IDENT-LIC-001..012 |
| Legacy FR refs | FR-LICN-001..012 |
| Dependencies | IDENT-EPIC-01, cross-service: TENANT-EPIC-01 (node hierarchy) |
| Rollup status | Not started |
Business outcome: Super admins can govern which modules are available at which hierarchy nodes. License status transitions (trial → active → suspended → expired → terminated) are enforced with full history. Effective license sets drive module-gating across all services.
Description: Module catalogue is a globally unique, immutable-code registry. License assignments are node-scoped with exact or inherit-down scopes. The effective resolver walks ancestor hierarchy (from tenant-service), overlays deeper-wins rule, and caches per (tenantId, providerId, nodeId) with 5-min TTL. Always-on modules cannot be suspended or terminated (BR-LIC-003). License events are emitted for all status changes.
Stories: IDENT-US-013, IDENT-US-014, IDENT-US-015
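The effective-license resolver this epic describes (ancestor walk, exact vs inherit-down scope, deeper-wins overlay, always-on protection) together with the per-key TTL cache that both this epic and IDENT-EPIC-06 rely on, as an added example. This is illustration code, not the licensing-module; the node hierarchy, module codes, the `core` always-on set, and the cache key shape are constructed assumptions. The cache's `invalidate` stands in for the event-driven invalidation the epics mention.

```python
"""Added example (not identity-service code): effective license resolution
with inherit-down scopes and the deeper-wins rule, plus a TTL cache with
event-style invalidation. Hierarchy, module codes and always-on set are
constructed for this illustration."""
from dataclasses import dataclass
from typing import Callable, Hashable, Literal, Optional

Status = Literal["trial", "active", "suspended", "expired", "terminated"]
Scope = Literal["exact", "inherit-down"]


@dataclass(frozen=True)
class LicenseAssignment:
    node_id: str
    module_code: str
    scope: Scope
    status: Status


ALWAYS_ON = frozenset({"core"})   # assumption: the modules BR-LIC-003 protects

# Constructed child -> parent map standing in for the tenant-service hierarchy.
PARENT: dict[str, Optional[str]] = {
    "tenant": None, "region": "tenant", "clinic": "region", "ward": "clinic",
}


def path_from_root(node_id: str, parent: dict[str, Optional[str]] = PARENT) -> list[str]:
    """Ancestor chain ordered root first, target last."""
    path, cur = [], node_id
    while cur is not None:
        path.append(cur)
        cur = parent.get(cur)
    return list(reversed(path))


def resolve_effective(node_id: str, assignments: list[LicenseAssignment],
                      parent: dict[str, Optional[str]] = PARENT) -> dict[str, str]:
    """Overlay assignments root -> target so the deeper assignment wins."""
    effective: dict[str, str] = {code: "active" for code in ALWAYS_ON}
    path = path_from_root(node_id, parent)
    for depth, nid in enumerate(path):
        is_target = depth == len(path) - 1
        for a in assignments:
            if a.node_id != nid:
                continue
            if a.scope == "exact" and not is_target:
                continue   # exact scope never flows down to descendants
            if a.module_code in ALWAYS_ON and a.status in ("suspended", "terminated"):
                continue   # BR-LIC-003: always-on modules cannot be suspended/terminated
            effective[a.module_code] = a.status
    return effective


def enabled_modules(effective: dict[str, str]) -> list[str]:
    """Modules a client may gate on: only trial and active count as usable."""
    return sorted(code for code, status in effective.items() if status in ("trial", "active"))


class TtlCache:
    """Per-key cache with absolute TTL; invalidate() mirrors event-driven purges."""

    def __init__(self, ttl_s: float = 300.0) -> None:   # 5-min TTL from the epics
        self.ttl_s = ttl_s
        self._entries: dict[Hashable, tuple[float, object]] = {}

    def get(self, key: Hashable, now: float, compute: Callable[[], object]) -> object:
        hit = self._entries.get(key)
        if hit is not None and now < hit[0]:
            return hit[1]
        value = compute()
        self._entries[key] = (now + self.ttl_s, value)
        return value

    def invalidate(self, predicate: Callable[[Hashable], bool]) -> int:
        """Drop every key the predicate selects (e.g. all keys for a node on a license event)."""
        doomed = [k for k in self._entries if predicate(k)]
        for k in doomed:
            del self._entries[k]
        return len(doomed)
```

The cache key is the `(tenantId, providerId, nodeId)` triple from the epic; invalidating on a license-status event by node, rather than waiting for the TTL, is what keeps a suspended module from staying usable for up to five minutes.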
IDENT-EPIC-08 — Reliability, security, and operational quality
| Field | Value |
|---|---|
| Issue type | Epic |
| Summary | Coverage gates, observability, GDPR, HIPAA, and migration completion |
| Status | To Do |
| Priority | Must |
| Labels | service:identity, domain:platform, slice:S0..S4 |
| Components | cross-cutting |
| Fix version | M0..M3 (rolling) |
| FR references | FR-IDENT-NFR-001..008 |
| Legacy FR refs | ENH-IAM-005..007 |
| Dependencies | All other IDENT-EPICs |
| Rollup status | Not started |
Business outcome: identity-service meets platform-wide reliability, security, and compliance requirements, enabling trust from all downstream services and regulatory bodies.
Description: Covers: unit + integration coverage ≥ 80%, tenant-isolation tests, outbox/inbox mandatory tests, OpenTelemetry instrumentation, SLO dashboards, security runbooks, GDPR erasure propagation, HIPAA audit trail, JWKS rotation automation, and legacy event alias decommission at M2.
Stories: IDENT-US-016, IDENT-US-017