OIDC/OAuth 2.1 server with Passkeys, federation across 10+ providers (Google, GitHub, Telegram, VK, Yandex, Mail.ru, OK.ru, Apple, Microsoft, Discord), ReBAC authorization via OpenFGA, personal access tokens (PATs) and API keys, an audit log, and Vault-orchestrated service credentials. Every Arcanada service delegates identity to Auth Arcana; no service runs its own user table.
Capabilities
- OIDC / OAuth 2.1 with PKCE
- Passkeys (WebAuthn) and federation (10+ providers)
- ReBAC authorization via OpenFGA
- Personal access tokens (arc_pat_*)
- Service-account flow with Vault credential issuance
Current autonomy level
Weakest link
Phase 0 (foundation only) — minimal runtime, no health endpoint yet, no observability stack wired.
Roadmap to L4
- L2 lift — /health endpoint, classified errors, deploy reporting to Ops Bot.
- L3 lift — pino structured logs to Loki, heartbeat, post-deploy smoke gate, validated credentials at startup.
- L4 lift — Vault circuit breaker, PostgreSQL HA fallback, recovery audit log, hard rate-limit circuit breaker on every endpoint.