EP-MEL-17 — Identity, Auth, Multi-Tenant RBAC, MFA, SSO, Device Binding
Companion: Backlog README · EPICS.md · canonical: 07-epics-and-user-stories.md §19
Summary
| Field | Value |
|---|---|
| Wave | R1 (+ chain SSO in R2) |
| Priority | P0 |
| Primary owner | iam-service |
| Participating services | tenant-service, staff-service, bff-backoffice-service, notification-service |
| Journeys realised | J-13 (Onboard tenant), J-14 (Onboard chain) |
| Workflows | WF-12 |
| Frontend surfaces | All authenticated surfaces |
| Story count | 7 |
Outcome
Identity is centrally managed: JWT issuance with key rotation; multi-tenant RBAC with role-per-membership; MFA via TOTP + WebAuthn passkeys; OIDC/SAML SSO for chain operators; device binding for desktop offline sessions; password reset & recovery; immutable audit log of authn events.
Cross-cutting AC for this epic
- All authn events (`login.success`, `login.failure`, `mfa.challenge`, `password.reset`, `device.bound`) emit to `audit-service`.
- JWT keys rotated via Secret Manager + KMS; client refresh transparent.
- Tenant scope enforced both at JWT (`tid` claim) and RLS layer; cross-checked.
- Device binding uses hardware-backed key where available; falls back to OS keystore.
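The two AC points on key rotation and on the JWT/RLS tenant cross-check are where verifiers usually go wrong, so here is an added example (not iam-service code, and not the project's JWKS implementation) that shows both: a `kid`-keyed key set with a grace window so tokens issued before a rotation keep verifying while clients refresh, an algorithm-pinned verifier, and a `tenant_context` helper that refuses a request whose routed tenant differs from the token's `tid` and sets the RLS session variable from the token only. Assumptions not taken from the page: HS256 with a shared-secret key set stands in for the asymmetric JWKS flow (the `kid` lookup is the same), the RLS policies read `current_setting('app.tenant_id')`, and `GRACE_SECONDS` plus every function name are hypothetical.

```python
"""Added example, not iam-service code: kid-based JWT rotation with a grace
window plus the tid / routed-tenant cross-check feeding the RLS variable.
HS256 stands in for the project's asymmetric JWKS keys (assumption)."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

GRACE_SECONDS = 900  # assumed: a retired key still verifies for 15 minutes


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class KeySet:
    """Current signing key plus retired keys kept for a grace window."""

    def __init__(self, now: float):
        self.keys = {}        # kid -> secret
        self.retired_at = {}  # kid -> time it stopped being current
        self.current_kid = ""
        self.rotate(now)

    def rotate(self, now: float) -> str:
        if self.current_kid:
            self.retired_at[self.current_kid] = now
        kid = f"k{len(self.keys) + 1}"  # hypothetical kid scheme
        self.keys[kid] = secrets.token_bytes(32)
        self.current_kid = kid
        return kid

    def key_for(self, kid: str, now: float) -> Optional[bytes]:
        key = self.keys.get(kid)
        retired = self.retired_at.get(kid)
        if key is None or (retired is not None and now - retired > GRACE_SECONDS):
            return None  # unknown kid, or retired beyond the grace window
        return key


def issue(keyset: KeySet, sub: str, tid: str, now: float, ttl: int = 600) -> str:
    header = {"alg": "HS256", "typ": "JWT", "kid": keyset.current_kid}
    claims = {"sub": sub, "tid": tid, "iat": int(now), "exp": int(now) + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(keyset.keys[keyset.current_kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify(token: str, keyset: KeySet, now: float) -> dict:
    """Returns claims or raises ValueError: pins alg (no alg=none / confusion),
    resolves the key by kid, compares the MAC in constant time, checks exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    key = keyset.key_for(str(header.get("kid", "")), now)
    if key is None:
        raise ValueError("unknown or retired kid")
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def is_valid(token: str, keyset: KeySet, now: float) -> bool:
    try:
        verify(token, keyset, now)
        return True
    except ValueError:  # binascii.Error from bad base64 is a ValueError too
        return False


def tenant_context(claims: dict, routed_tenant: str) -> Tuple[str, tuple]:
    """Cross-check: the tenant the request was routed to (host/path) must equal
    the token's tid; the RLS variable is set from the token, never the request.
    Returns a parameterised statement (assumed RLS contract on app.tenant_id)."""
    tid = claims.get("tid")
    if not tid or tid != routed_tenant:
        raise PermissionError("tenant mismatch between route and token")
    return "SELECT set_config('app.tenant_id', %s, true)", (tid,)


def demo() -> dict:
    """Rotation and cross-check scenarios; returns the outcomes as booleans."""
    ks = KeySet(now=0.0)
    tok = issue(ks, "u-1", "t-acme", now=0.0, ttl=5000)
    ks.rotate(now=100.0)  # rotation: tok still carries kid k1
    try:
        tenant_context(verify(tok, ks, now=200.0), "t-other")
        mismatch_rejected = False
    except PermissionError:
        mismatch_rejected = True
    return {
        "old_token_in_grace": is_valid(tok, ks, now=200.0),
        "old_token_after_grace": is_valid(tok, ks, now=100.0 + GRACE_SECONDS + 1),
        "new_token": is_valid(issue(ks, "u-1", "t-acme", now=200.0), ks, now=201.0),
        "mismatch_rejected": mismatch_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The grace window is what makes rotation transparent to clients: the new `kid` goes into use immediately for issuance, old tokens keep verifying until their holders refresh, and after the window an old `kid` is treated exactly like an unknown one. `tenant_context` deliberately takes the tenant from the verified claims and only uses the routed tenant as a comparison, so a client cannot widen its scope by changing the host or path.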
Stories
| ID | Title |
|---|---|
| US-MEL-0126 | JWT issuance & rotation |
| US-MEL-0127 | RBAC with tenant scope |
| US-MEL-0128 | MFA with TOTP and WebAuthn passkeys |
| US-MEL-0129 | OIDC/SAML SSO for chain operators |
| US-MEL-0130 | Device binding for desktop offline sessions |
| US-MEL-0131 | Password reset & recovery |
| US-MEL-0132 | Audit log of authn events |
Full AC in ../07-epics-and-user-stories.md §19.
Implementation status (monorepo)
See IMPLEMENTATION_STATUS.md — US-MEL-0126 (JWT issuance & rotation) is In progress as of 2026-04-23 (signing + JWKS + sessions schema; login/refresh/logout still open). US-MEL-0127–0132 are not started in code.
Cross-references
- Security & multi-tenancy: ../07-security-compliance-tenancy.md
- Definition of Done (Security section): ../standards/DEFINITION_OF_DONE.md