RDN Identity

About RDN Identity

Enterprise identity and access management platform

Overview

RDN Identity is a full-featured identity management platform built on .NET 10 and Next.js 16. It provides comprehensive authentication, authorization, and user management across 38 API controllers with 106 fine-grained permissions and 65 webhook event types.

Authentication

The platform supports multiple authentication methods to meet different security requirements:

  • Passkey / WebAuthn (FIDO2) — passwordless authentication using device biometrics, security keys, or platform authenticators.
  • Passwordless OTP login — sign in with a one-time code sent via Email or SMS. No password required.
  • Multi-channel verification — cascading fallback through Passkey, SMS, WhatsApp, and Email channels with configurable priority. SMS via Azure Communication Services, WhatsApp via Twilio.
  • Two-factor authentication — TOTP authenticator apps, SMS codes, WhatsApp codes, email-based codes, passkey challenge, and one-time recovery codes with QR code setup.
  • Magic links & QR code login — passwordless email links and QR code login (QR code emailed to user) with time-limited, hashed tokens.
  • Social login — Google, GitHub, Microsoft, Amazon, LinkedIn, and X (Twitter) with auto-registration and email-based account linking.
  • JWT tokens — 12 signing algorithms across HMAC, RSA (PKCS#1), RSA-PSS, and ECDSA families with 2048/4096-bit RSA support, JWKS endpoint, key rotation, rotating refresh tokens, and IP-based audit trails.

OAuth 2.0 / OpenID Connect

A built-in authorization server implements the OAuth 2.0 and OpenID Connect specifications, including the authorization code flow with PKCE (S256), the Device Authorization Grant for input-constrained devices, DPoP proof-of-possession token binding, user consent management, token introspection (RFC 7662), token revocation (RFC 7009), and OpenID Connect Discovery with a published JWKS endpoint. The Implicit and Resource Owner Password Credentials (ROPC) grants are rejected by design.

OAuth clients, scopes, and claims are fully manageable through the admin dashboard. Custom claims can be defined and mapped to scopes, which are then assigned to clients. Each client supports custom branding with a logo URI and login page title.

Single Sign-On (SSO)

The platform provides OIDC-based single sign-on with full session management. Users authenticate once and access all connected applications without re-entering credentials.

Session-aware tokens support configurable re-authentication policies. On sign-out, back-channel logout notifications are sent to all connected client applications, enabling per-session sign-out across the entire federation.

Multi-Tenancy & Tenant Lifecycle

Organizations are represented as tenants with full data isolation. Each tenant follows a four-state lifecycle:

  • Pending — newly registered, awaiting admin approval. All users are blocked from login.
  • Active — approved and operational. Users can log in if individually approved.
  • Suspended — temporarily disabled by an admin. All users are blocked from login.
  • Disabled — permanently deactivated. All users are blocked from login.

Administrators manage transitions through the admin dashboard. Users are notified by email when their tenant is activated or suspended.

Account Approval

Self-registered users do not receive immediate access. After completing registration and email verification, the account enters a pending state. An administrator reviews and approves both the tenant and individual user accounts before login is permitted. Admin-created accounts bypass this gate and are approved on creation.

Registration Flow

New users register through a three-step email-verified process:

  1. Enter name, email, and optional phone number. A 6-digit OTP is sent to the provided email.
  2. Verify the OTP code. The registration token is upgraded to continue.
  3. Set a password to complete account creation. The new tenant and user are created in a pending state.

If a phone number is provided during registration, SMS consent is recorded for TCPA/GDPR compliance, and the verification code can also be delivered via SMS.

Password Reset & Account Recovery

Users can reset their password via email (the traditional flow) or via SMS, with a 6-digit verification code sent to their verified phone number. The SMS flow enables password recovery without email access.

A separate account recovery flow is available for users who have lost access to their email entirely. By verifying identity through a phone number, users receive a password reset token and can set a new password to regain access.

Password Expiration

Tenants can configure a password expiration policy with a customizable expiration period. When enabled, all authentication flows check whether the user's password has expired. Users with an expired password are redirected to a password change form before access is granted. Expiration warnings are sent automatically as the deadline approaches.

Per-Client Configuration

Each OAuth client can be independently configured with:

  • Allowed login methods — toggle which authentication methods (password, passkey, magic link, QR code, email OTP, SMS OTP, social providers) are available on the client's login page.
  • Feature toggles — enable or disable self-registration, password reset, and account recovery per client.
  • Login page branding — custom logo URI and page title displayed when users authenticate through the client.

When no login methods are explicitly selected, all globally-enabled methods are available by default.

Notifications

Users can opt in to receive notifications for security-relevant events such as sign-in alerts, password changes, and password expiration warnings. Notifications are delivered via SMS or Email based on per-user granular preferences, with a global master switch to disable all notifications at once.

Every notification sent is logged to an audit trail with recipient, channel, delivery status, IP address, and user agent for full observability.

API Key Management

The platform supports API key authentication for partner integrations. Keys are stored using one-way hashing and the raw key is only shown once at creation. Keys can be created, listed, revoked, and deleted through the admin dashboard.

MCP Server & AI Agent Chat

A built-in MCP (Model Context Protocol) server exposes 100 tools that cover users, tenants, roles, OAuth clients, scopes, claims, webhooks, addresses, phone numbers, email addresses, API keys, and system settings. The admin panel includes an AI agent chat interface powered by Claude that connects to the MCP server, enabling natural language platform administration with per-conversation model selection and SSE streaming.

License System & Feature Flags

The platform includes a comprehensive license system with 27 licensable feature flags across 11 categories (CoreAuth, Passwordless, MultiFactor, External, OAuth, SecurityPolicy, Tenancy, Messaging, BrandingUx, Compliance, Platform) and 4 usage limit types. License tokens are encrypted at rest and validated on every request. Features and usage limits are enforced automatically based on the active license tier, with heartbeat-based token renewal for paid subscriptions.

Runtime Configuration

Database-backed runtime configuration provides 11 categories covering email, SMS, external providers, webhooks, magic links, passkeys, DPoP, two-factor, OAuth, and more. Administrators can modify system behavior without redeployment through the admin dashboard with automatic secret masking. Each setting can be gated by a license feature flag.

Signing Key Management

JWT signing keys support 12 algorithms across four families — HMAC (HS256), RSA PKCS#1 (RS256/RS384/RS512 in 2048-bit and 4096-bit), RSA-PSS (PS256/PS384/PS512), and ECDSA (ES256/ES384/ES512) — with three deployment modes: database-stored keys with admin API management, wizard-driven algorithm selection, and rotation; Azure Key Vault integration for enterprise environments; or legacy symmetric keys from configuration. Key rotation generates a new active key while retaining the old key for validation of existing tokens.

Security

Security is built into every layer of the platform:

  • 106 fine-grained permissions with role-based access control and claims transformation across system and tenant scopes.
  • Industry-standard security headers (HSTS, content security, frame protection) and configurable rate limiting on authentication endpoints.
  • Soft delete with automatic query filtering and full audit trails on all entities.
  • Phone verification with messaging consent tracking for TCPA/GDPR compliance.
  • Tenant-level password expiration policies enforced across all authentication flows with automatic notifications.
  • API key authentication with hash-based storage for partner integrations.
  • DPoP proof-of-possession token binding for sender-constrained access tokens (configurable per client or globally).
  • Refresh token replay detection with automatic family revocation to prevent token reuse attacks.

Webhooks

The webhook system publishes 65 event types covering user, tenant, role, address, phone number, email address, webhook subscription, OAuth client, OAuth scope, OAuth claim, multi-channel auth, API key, consent, and authentication lifecycle events. Payloads are signed with HMAC-SHA256 and delivered with exponential backoff retries. Delivery attempts are tracked for full observability.

Technology

Backend — .NET 10 / ASP.NET Core
Frontend — Next.js 16 / React 19
Database — SQL Server / EF Core
Architecture — CQRS / MediatR
Auth — JWT (12 algorithms: HMAC/RSA/RSA-PSS/ECDSA)
Passkeys — Fido2.AspNet (FIDO2)
SMS — Azure Communication Services
WhatsApp — Twilio
Styling — Tailwind CSS 4
Logging — Serilog