Security & Deployment

This guide covers the IDToken Auth Server’s security model and production deployment configuration.

| Layer | Mechanism | Details |
|---|---|---|
| Transport | TLS 1.3 | Via Cloudflare reverse proxy (HTTPS + WSS) |
| User auth | ECDSA P-256 | Mobile app signs sessions with enrolled key pair |
| OTP | HMAC-SHA256 | Server-generated, derived from master secret + session context |
| JWT | ES256 | Signed with server’s ECDSA P-256 key |
| WebSocket | HMAC token | Constant-time verification prevents timing attacks |
| Admin | JWT + scopes | Role-based access control for admin endpoints |

| Attack | Mitigation |
|---|---|
| Brute-force OTP | Max 3 attempts per session, then HTTP 429 |
| Replay | Sessions are single-use, deleted after verification |
| MitM | Out-of-band OTP delivery via FCM; response hash for anti-forgery |
| Phishing | Mutual authentication — user verifies service via OTP match |
| Timing | Constant-time HMAC comparison for wsToken and OTP |
| Rate abuse | Per-route rate limiting (10/min auth, 5/hr enroll) |
| XSS / injection | @fastify/helmet CSP headers, Zod input validation |
| DDoS | Cloudflare edge protection |

| Purpose | Algorithm | Key Size |
|---|---|---|
| VDS signatures | ECDSA P-256 | 256-bit |
| JWT signing | ES256 (ECDSA P-256) | 256-bit |
| OTP derivation | HKDF + HMAC-SHA256 | 256-bit |
| Response hash | HMAC-SHA256 | 256-bit |
| SAML signing | ECDSA or RSA | 256-bit / 2048-bit |
| SAML encryption | AES-128 + RSA-OAEP | 128-bit / 2048-bit |
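
How the OTP rows above fit together (HKDF + HMAC-SHA256 derivation, constant-time comparison, the 3-attempt limit and single-use sessions), as an added example that is not the IDToken Auth Server's own code. The function names, the in-memory session store, the `otp-v1` HKDF label, the 6-digit truncation and the 401/404 statuses are assumptions; only the 429 after three attempts comes from the page.

```javascript
// Added example, not project code. Names and layout are assumptions.
const crypto = require("node:crypto");

const MAX_ATTEMPTS = 3; // page: max 3 attempts per session, then HTTP 429
const sessions = new Map(); // stand-in for the server's session store

const sha256 = (s) => crypto.createHash("sha256").update(s).digest();

// HKDF turns the master secret into a per-session key; HMAC-SHA256 over the
// session context yields the OTP (6-digit truncation is an assumption).
function deriveOtp(masterSecretHex, sessionId, context) {
  const key = Buffer.from(crypto.hkdfSync("sha256",
    Buffer.from(masterSecretHex, "hex"), Buffer.from(sessionId), "otp-v1", 32));
  const mac = crypto.createHmac("sha256", key).update(context).digest();
  return String(mac.readUInt32BE(0) % 1_000_000).padStart(6, "0");
}

function createSession(masterSecretHex, sessionId, context) {
  const otp = deriveOtp(masterSecretHex, sessionId, context);
  // Only the SHA-256 hash is kept, never the plaintext OTP.
  sessions.set(sessionId, { otpHash: sha256(otp), attempts: 0 });
  return otp; // delivered out of band (FCM on the page)
}

// Returns the HTTP status the route would send.
function verifyOtp(sessionId, submitted) {
  const s = sessions.get(sessionId);
  if (!s) return 404; // unknown or already consumed session
  if (s.attempts >= MAX_ATTEMPTS) return 429; // brute-force cap reached
  s.attempts += 1;
  // Both sides are 32-byte digests, so timingSafeEqual never throws on a
  // length mismatch and the comparison time does not depend on the input.
  if (!crypto.timingSafeEqual(sha256(String(submitted)), s.otpHash)) return 401;
  sessions.delete(sessionId); // single-use: a replayed OTP finds no session
  return 200;
}
```

Note that the attempt counter is checked before the comparison, so a correct OTP submitted after three failures is still rejected with 429.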

All security-relevant events are logged to an immutable audit table in PostgreSQL:

  • INSERT-only (UPDATE/DELETE blocked by PostgreSQL rules)
  • Indexed on token_id, event_type, occurred_at
  • OTP values are never stored in plaintext (only SHA-256 hash)
  • Client IP and user agent captured per event

See Admin API for querying the audit log.

The server supports horizontal scaling with multiple instances:

  • Stateless sessions — No sticky sessions required; any instance can handle any request
  • Real-time event delivery — WebSocket events are delivered correctly regardless of which instance the browser is connected to

[Diagram: Load Balancer (Cloudflare); Instance 1, Instance 2, Instance 3; PostgreSQL; Redis]

The GET /health endpoint returns dependency status:

    {
      "status": "ok",
      "version": "1.0.0",
      "checks": {
        "database": "ok",
        "redis": "ok",
        "vdsTrust": "ok"
      }
    }

  • status: "ok" — all dependencies healthy
  • status: "degraded" — one or more dependencies unhealthy

Use this endpoint for container health checks and load balancer probes.

| Component | Specification |
|---|---|
| Runtime | Node.js 22 LTS |
| Database | PostgreSQL 17+ |
| Cache | Redis 8+ |
| Edge proxy | TLS termination, DDoS protection, WebSocket support |
| Push service | Firebase Cloud Messaging |

| Key | Format | Purpose |
|---|---|---|
| Server signing key | ECDSA P-256 PEM | JWT and Service VDS signing |
| SAML signing key | ECDSA or RSA PEM | SAML assertion signing |
| SAML encryption key | ECDSA or RSA PEM | SAML assertion encryption (optional) |
| OTP master secret | 32+ byte hex | OTP derivation and HMAC computations |

All private keys should be generated with strong randomness, stored with restricted file permissions, rotated periodically, and never committed to version control.

Migrations run automatically on server startup and are idempotent:

| Migration | Purpose |
|---|---|
| 001_init | Enable cryptographic extensions |
| 002_enrollments | Enrollment and session tables |
| 003_audit_log | Immutable audit log |
| 004_admin_operators | Console operator management |
| 005_saml_service_providers | SAML SP registration |
| 006_service_scopes | Service registration and consent tracking |