π― Learning Objectives
By the end of today's session, you will be able to:
- Articulate the EmpowerNow platform's mission and core value proposition
- Identify all core services (BFF, IdP, PDP, Membership, CRUD, Workflow) and their responsibilities
- Explain JWT token anatomy, OIDC authentication flows, and PKCE security
- Understand identity federation with external IdPs and ARN-based addressing
- Describe token exchange, OBO flows, and service-to-service authentication
- Understand advanced security features: DPoP, CAEP, WebAuthn, Agent authentication
- Map service dependencies and data flow through Kafka event-driven architecture
- Explain the single-tenant deployment model and data isolation strategies
π Introduction to EmpowerNow
What is EmpowerNow?
EmpowerNow is a comprehensive Identity and Access Management (IAM) platform built on modern microservices architecture. It provides organizations with the tools to manage identities, authenticate users, authorize access, and govern permissions across their entire digital ecosystem.
Why "EmpowerNow"?
The platform empowers organizations to implement fine-grained access control immediately, without waiting for complex integrations. It's designed for rapid deployment while maintaining enterprise-grade security.
Core Platform Principles
π Zero-Trust Security
Never trust, always verify. Every request is authenticated and authorized regardless of origin.
π Pluggable Architecture
Extend functionality through plugins without modifying core services.
π Policy-as-Code
Define access policies in YAML with version control and audit trails.
π Standards-Based
Built on OAuth 2.0, OIDC, AuthZEN 1.1, and other industry standards.
ποΈ Architecture Overview
The EmpowerNow platform follows a layered microservices architecture where each service has a single responsibility. This separation of concerns enables independent scaling, deployment, and development.
π§ Core Services Deep Dive
Let's explore each core service in detail, understanding their responsibilities, technologies, and how they fit into the overall architecture.
1. BFF (Backend-for-Frontend) Gateway
BFF Service
Port 8000 β’ bff.self.empowernow.aiThe BFF is the central gateway and orchestration layer for the Experience App. It provides Plugin Management & Discovery (dynamic plugin loading, enforcement, telemetry), AI Builder & Chat (WebSocket-based AI streaming, LLM proxying), Dynamic Routing (YAML-driven routes with service proxying and token policies), and Background Workers (queue-based plugin builds and async processing).
Why BFF Pattern?
The BFF pattern allows us to optimize API responses for specific client needs, handle authentication in one place, and provide a stable API contract even as backend services evolve. It's the only service exposed publicly.
Key BFF Responsibilities:
- Authentication Proxy: Handles OAuth2 flows with the IdP, managing tokens securely
- Session Management: Stores sessions in Redis with secure cookies
- Dynamic Routing: Routes requests to appropriate backend services
- Plugin Delivery: Serves and manages the Experience Platform plugins
- LLM Proxy: Provides authorized access to AI services (OpenAI, Anthropic)
2. IdP (Identity Provider)
IdP Service
Port 8002 β’ idp.self.empowernow.aiThe IdP is a fully compliant OpenID Connect Provider that handles all authentication concerns. It issues JWTs, manages user identities, supports multiple authentication methods, and provides CAEP for continuous access evaluation.
# OIDC Discovery Endpoint
GET https://idp.self.empowernow.ai/.well-known/openid-configuration
# Key endpoints exposed:
{
"issuer": "https://idp.self.empowernow.ai",
"authorization_endpoint": "/authorize",
"token_endpoint": "/token",
"userinfo_endpoint": "/userinfo",
"introspection_endpoint": "/introspect",
"jwks_uri": "/.well-known/jwks.json"
}
π§ͺ Try It: Fetch OIDC Discovery Document
Copy curl and run in your terminal to fetch the live OIDC configuration from your running IdP service.
IdP Token Types:
- Access Tokens: Short-lived JWTs for API authorization (default: 1 hour)
- Refresh Tokens: Long-lived tokens for obtaining new access tokens
- ID Tokens: User identity information for clients
- PAT (Personal Access Tokens): User-generated tokens for API access
π§ͺ Try It: Get Access Token (Client Credentials)
Service-to-service authentication using client credentials grant. This is how backend services authenticate.
Deep Dive: JWT Token Anatomy
Every JWT (JSON Web Token) issued by the IdP consists of three Base64URL-encoded parts separated by dots:
π΄ Header (Algorithm & Token Type)
Specifies the signing algorithm and token type. Never contains sensitive data.
{
"alg": "RS256", // RSA with SHA-256 signature
"typ": "JWT", // Token type
"kid": "key-2024" // Key ID for signature verification
}
π£ Payload (Claims)
Contains the claims - statements about the user and token metadata.
{
"iss": "https://idp.self.empowernow.ai", // Issuer
"sub": "user_abc123", // Subject (user ID)
"aud": "api://empowernow", // Audience
"exp": 1736779200, // Expiration (Unix timestamp)
"iat": 1736775600, // Issued at
"nbf": 1736775600, // Not valid before
"scope": "openid profile api.read", // Granted scopes
"client_id": "spa-client", // Client that requested token
"tenant_id": "acme-corp" // Multi-tenant identifier
}
π΅ Signature (Verification)
Cryptographic signature ensuring the token hasn't been tampered with.
RSASHA256(
base64UrlEncode(header) + "." + base64UrlEncode(payload),
privateKey
)
// Verified using the public key from: /.well-known/jwks.json
Why RS256?
EmpowerNow uses RS256 (RSA + SHA-256) instead of HS256 because it uses asymmetric cryptography. The IdP signs with a private key, and any service can verify using the public key from JWKS - no shared secrets needed!
OpenID Connect Authentication Flow
Why PKCE?
PKCE (Proof Key for Code Exchange) prevents authorization code interception attacks. Even if an attacker captures the auth code, they can't exchange it without the original code_verifier that only the BFF knows.
Deep Dive: Identity Federation
EmpowerNow supports identity federation - users can authenticate with external Identity Providers (Azure AD, Okta, Google) and access EmpowerNow without creating a local account.
ARN (Authentication Resource Names)
Every identity in EmpowerNow has a unique ARN - a standardized identifier format:
auth:{entity_type}:{provider}:{subject}
# Examples:
auth:account:empowernow:alice # Local user
auth:account:okta:00u123abc # Okta federated user
auth:account:entra.tenant1:bob@corp.com # Azure AD user
auth:identity:google:12345 # Google identity
auth:agent:acme-corp:invoice-bot # AI Agent
No Local Account Required!
Federated users can access the system WITHOUT any entry in the local users table. The only requirement is that PDP policies exist to authorize access for their ARN pattern.
Deep Dive: Token Exchange & On-Behalf-Of (OBO)
When Service A needs to call Service B on behalf of a user, it uses RFC 8693 Token Exchange. This is critical for maintaining the security chain in microservices.
Token Exchange Grant Types:
| Grant Type | Use Case | Actor Claim |
|---|---|---|
urn:ietf:params:oauth:grant-type:token-exchange |
Service-to-service with user context | "act": {"sub": "service-a"} |
client_credentials |
Service-to-service without user | No actor, service is subject |
delegation |
User delegates to another user/agent | "act": {"sub": "delegate-arn"} |
Advanced IdP Security Features
π DPoP (Demonstrating Proof of Possession)
Binds tokens to a specific client by requiring a cryptographic proof. Even if a token is stolen, it can't be used without the client's private key.
π‘ CAEP (Continuous Access Evaluation)
Real-time session revocation. When a user's status changes (fired, compromised), all their active sessions are immediately invalidated.
π WebAuthn / Passkeys
Passwordless authentication using biometrics or hardware keys. More secure than passwords and resistant to phishing.
π€ Agent Authentication (A2A)
AI agents register as OAuth clients with capability-scoped permissions. Agents can act on behalf of users with explicit delegation.
3. PDP (Policy Decision Point)
PDP Service
Port 8001 β’ pdp.self.empowernow.aiThe PDP evaluates authorization requests against policies using the AuthZEN 1.1 specification. It provides fine-grained access control with support for ABAC, RBAC, and relationship-based access control patterns.
Policy Hierarchy (5 Levels):
- Global: Platform-wide defaults
- Tenant: Organization-specific policies
- Application: App-scoped rules
- Resource Type: Entity-level permissions
- Resource Instance: Individual resource access
Deep Dive: Policy Information Points (PIPs)
PIPs fetch additional context data that policies need but isn't in the request. They extend the PDP's decision-making capabilities.
| PIP Type | Data Source | Example Use Case |
|---|---|---|
| Membership PIP | Neo4j Graph | Fetch user's roles, group memberships, manager chain |
| Resource PIP | CRUD Service | Get resource owner, classification, sensitivity level |
| Time PIP | System Clock | Check if within business hours, maintenance window |
| Risk PIP | External Service | Get user's risk score, device trust level |
POST /access/v1/evaluation
Content-Type: application/json
{
"subject": {
"type": "user",
"id": "user_123",
"properties": {
"department": "engineering"
}
},
"action": {
"name": "read"
},
"resource": {
"type": "document",
"id": "doc_456"
},
"context": {
"ip_address": "10.0.0.1",
"time": "2026-01-13T10:00:00Z"
}
}
π§ͺ Try It: Authorization Evaluation
Test a real authorization decision. Can user "alice" read a document? The PDP will evaluate policies and return PERMIT or DENY.
4. Membership Service
Membership Service
Port 8003 β’ membership.self.empowernow.aiManages organizational structure, role hierarchies, and user-role assignments using a graph database. It supports complex relationship models, vector search capabilities, and hierarchical role inheritance.
5. IdP UI (Identity Provider Interface)
IdP UI
Port 80 β’ authn.self.empowernow.aiReact-based administrative interface for managing the Identity Provider. Provides user management, client configuration, OIDC testing tools, and real-time monitoring dashboards.
6. CRUD Service (Data Operations)
CRUD Service
Port 8005 β’ crud.self.empowernow.aiGeneric data operations service providing Create, Read, Update, Delete operations for all entities. Handles schema validation, tenant isolation, and emits events for all data changes.
CRUD Service Responsibilities:
- Entity Management: Generic CRUD operations for users, roles, applications, resources
- Schema Enforcement: Validates data against JSON schemas before persistence
- Audit Trail: Every operation is logged with who, what, when, and from where
- Event Publishing: Emits Kafka events for all mutations (created, updated, deleted)
# Create a new application
POST /api/v1/applications
Content-Type: application/json
Authorization: Bearer {token}
{
"name": "Finance Dashboard",
"description": "Executive financial reporting",
"owner_arn": "auth:account:empowernow:alice",
"classification": "confidential"
}
# Response includes tenant-scoped ID
{
"id": "app_7k2m9n4p",
"tenant_id": "acme-corp",
"created_at": "2026-01-13T10:00:00Z",
...
}
ποΈ Infrastructure Services
These services form the backbone of the platform, handling networking, messaging, and secrets:
Traefik
Ports 80, 443Cloud-native reverse proxy and load balancer. Handles TLS termination, routing, and automatic service discovery via Docker labels.
Kafka
Port 9092Distributed event streaming platform. Enables async communication between services, event sourcing, and real-time data pipelines.
OpenBao (Vault)
Port 8200Secrets management and encryption service. Stores API keys, database credentials, and signing keys with automatic rotation.
π Advanced Services
These services provide advanced capabilities for workflow automation and AI orchestration:
Workflow / Automate
automate.self.empowernow.aiVisual workflow designer for building approval chains, provisioning flows, and automated business processes. Drag-and-drop interface with conditional logic.
Agent Studio
agentstudio.self.empowernow.aiVisual designer for creating and configuring AI agents. Define agent capabilities, tool access, and delegation relationships.
AI-First Platform
EmpowerNow is designed as an AI-first platform. Agents are first-class citizens with their own identities (ARNs), authentication mechanisms, and fine-grained permissions. Agent Studio enables organizations to safely deploy AI agents that can act on behalf of users.
Service Dependencies Map
π‘οΈ Zero-Trust Security Model
EmpowerNow implements a comprehensive zero-trust architecture where every request is treated as potentially hostile until verified. This model is fundamental to how all services interact.
Request Authentication Flow
Request Arrives at BFF
All external requests enter through the BFF gateway. The BFF checks for valid session cookies or Bearer tokens.
Token Validation with IdP
The BFF sends the token to IdP for validation via introspection. IdP verifies signature, expiration, and revocation status.
Authorization Check with PDP
For protected resources, BFF sends an evaluation request to PDP with subject, action, and resource context.
PDP Policy Evaluation
PDP evaluates policies, potentially fetching additional attributes from PIPs (Membership, custom sources).
Decision Returned
PDP returns PERMIT, DENY, or INDETERMINATE with optional obligations and advice for the calling service.
Request Fulfilled or Rejected
Based on the decision, BFF either proxies the request to the target service or returns a 403 Forbidden response.
Important: Internal Service Communication
Even internal service-to-service communication uses token-based authentication. Services use the On-Behalf-Of (OBO) flow or client credentials for inter-service calls, never bypassing security checks.
Preview: ARIA Shield Seven Controls
EmpowerNow's security is governed by the ARIA Shield framework with seven controls: Authentication, Authorization, Attestation, Audit, Anomaly Detection, Accountability, and Archive. Every sensitive operation generates a tamper-evident receipt with hash chains for integrity. You'll explore this in depth in Week 5, Day 25.
πΎ Data Layer
EmpowerNow uses a polyglot persistence strategy, choosing the right database for each use case:
PostgreSQL
Port 5432Primary relational database for structured data. Stores user accounts, client configurations, audit logs, and transactional data. Uses schema-per-tenant isolation.
Redis
Port 6379High-performance caching and session storage. Handles session data, policy cache, rate limiting counters, and real-time pub/sub for notifications.
Neo4j
Port 7687Graph database for relationship-heavy data. Powers the Membership service's role hierarchies, organizational structures, and complex permission queries.
π Plugin Architecture
EmpowerNow uses a micro-frontend architecture where the Experience platform hosts dynamically loaded plugins. Each plugin is a self-contained React application with its own routes, state, and API calls.
Plugin Types in EmpowerNow:
IT Shop
Request & Provision AccessSelf-service portal for requesting application access, roles, and entitlements with approval workflows.
My Identity
Profile ManagementView and manage personal profile, delegations, and access certifications.
Access Reviews
Certification CampaignsPeriodic access certification for compliance and governance requirements.
{
"name": "@empowernow/it-shop",
"version": "1.2.0",
"type": "experience-plugin",
"entry": "dist/index.esm.js",
"routes": [
{ "path": "/shop", "component": "ShopPage" },
{ "path": "/shop/cart", "component": "CartPage" },
{ "path": "/shop/requests", "component": "RequestsPage" }
],
"permissions": ["itshop.view", "itshop.request"],
"navigation": {
"label": "IT Shop",
"icon": "ShoppingCart",
"order": 1
}
}
π’ Deployment Architecture
EmpowerNow uses a single-tenant deployment model - each customer receives their own complete, isolated stack deployed either on-premises or in the cloud. This provides maximum security, customization flexibility, and data sovereignty.
Why Single-Tenant Deployment?
| Benefit | Description |
|---|---|
| π Complete Isolation | Each customer's data is physically separated - no shared databases, no shared infrastructure, zero risk of cross-customer data leakage. |
| π Data Sovereignty | Customers choose where their data resides: on-premises data centers, specific cloud regions, or air-gapped environments. |
| βοΈ Customization | Each deployment can be configured, scaled, and upgraded independently based on customer needs. |
| π‘οΈ Security Compliance | Easier compliance with regulations (GDPR, HIPAA, SOC2) when infrastructure is dedicated per customer. |
| π Performance | No "noisy neighbor" issues - each customer gets dedicated resources without contention. |
Deployment Options:
On-Premises
Deploy in customer's own data center with Docker Compose or Kubernetes. Full control over infrastructure, networking, and security policies.
Cloud (AWS/Azure/GCP)
Managed cloud deployment in customer's cloud account. Uses cloud-native services (RDS, managed Redis) with Kubernetes orchestration.
Air-Gapped
Fully isolated deployment with no internet connectivity. Ideal for government, defense, and high-security environments.
Deployment Flexibility
The same Docker images and configurations work across all deployment models. ServiceConfigs contains environment-specific overrides for each deployment scenario.
π Service Domains
Each service has a dedicated domain for external access and internal Docker networking:
# Add to your hosts file (Windows: C:\Windows\System32\drivers\etc\hosts; macOS/Linux: /etc/hosts)
127.0.0.1 bff.self.empowernow.ai # BFF Gateway
127.0.0.1 idp.self.empowernow.ai # Identity Provider
127.0.0.1 pdp.self.empowernow.ai # Policy Decision Point
127.0.0.1 membership.self.empowernow.ai # Membership Service
127.0.0.1 authn.self.empowernow.ai # IdP UI
π Complete Request Lifecycle
Let's trace a complete request through the entire system to see how all components work together. This example shows a user accessing a protected document.
action: read
resource: document/456 P->>M: GET /api/users/alice/roles M-->>P: ["editor", "reviewer"] P->>P: Load policies (GlobalβTenantβAppβTypeβInstance) P->>P: Evaluate: editor CAN read documents P-->>B: {decision: "PERMIT"} Note over U,D: Phase 4: Resource Retrieval B->>C: GET /api/documents/456 (Authorization: Bearer token) C->>C: Extract tenant_id from token C->>D: SELECT * FROM acme.documents WHERE id=456 D-->>C: {id: 456, title: "Q4 Report", ...} C-->>B: 200 OK + document data Note over U,D: Phase 5: Response to User B-->>U: 200 OK + document JSON
What Happens If Authorization Fails?
Timeline of a Typical Request
0ms - Request Arrives
BFF receives HTTP request, extracts session cookie
1-2ms - Session Lookup
Redis returns cached session with tokens (sub-millisecond with local Redis)
3-5ms - Token Introspection
IdP validates token signature and claims (cached JWKS, no DB hit)
5-15ms - Authorization Decision
PDP evaluates policies, potentially calling Membership PIP for roles
15-50ms - Resource Retrieval
Backend service queries database with tenant isolation
50-100ms - Total Response
Full end-to-end latency including network overhead
Performance Optimization
EmpowerNow uses aggressive caching: JWKS cached for hours, PDP policies cached in Redis, session data kept in Redis. Most requests complete authorization in under 10ms after initial warm-up.
π Knowledge Check
Which service is responsible for evaluating authorization decisions?
Which database is used for storing role hierarchies and organizational relationships?
π οΈ Hands-on Exercises
Exercise 1: Decode a JWT Token
Use the sample JWT below to understand token structure. You can decode it at jwt.io:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleS0yMDI0In0.eyJpc3MiOiJodHRwczovL2lkcC5vY2cubGFicy5lbXBvd2Vybm93LmFpIiwic3ViIjoidXNlcl9hYmMxMjMiLCJhdWQiOiJhcGk6Ly9lbXBvd2Vybm93IiwiZXhwIjoxNzM2Nzc5MjAwLCJpYXQiOjE3MzY3NzU2MDAsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUgYXBpLnJlYWQiLCJjbGllbnRfaWQiOiJzcGEtY2xpZW50IiwidGVuYW50X2lkIjoiYWNtZS1jb3JwIn0.signature_here
Questions to answer:
- What algorithm is used for signing? (Check the header)
- What is the token's audience (
aud)? - What scopes were granted?
- How long is this token valid for? (Calculate from
iatandexp)
Exercise 2: Complete the Service Responsibility Matrix
Fill in the missing cells in this matrix based on what you learned:
| Service | Primary Question It Answers | Primary Database | Key Endpoints |
|---|---|---|---|
| BFF | "How do I access the platform?" | Redis (sessions) | /auth/login, /api/* |
| IdP | "Who is this user?" | PostgreSQL | /token, /authorize, /userinfo |
| PDP | ??? (Fill this in) | ??? (Fill this in) | /access/v1/evaluation |
| Membership | ??? (Fill this in) | Neo4j | /api/roles, /api/members |
Exercise 3: Trace a Request Through the System
Given this scenario, identify which services are involved and in what order:
Scenario
Alice (a manager) wants to approve Bob's access request to the Finance Reports dashboard. She clicks "Approve" in the IT Shop plugin.
Trace the flow:
- Which service receives the initial HTTP request?
- How does the system verify Alice is logged in?
- How does the system check if Alice CAN approve requests?
- What information does PDP need about Alice to make this decision?
- Where does PDP get Alice's "manager" role from?
Exercise 4: Knowledge Application Quiz
Test your understanding with these scenario-based questions:
π Day 1 Summary
Excellent Progress!
You've completed a comprehensive overview of the EmpowerNow platform. You now understand the architecture from user request to database response, including authentication flows, authorization decisions, and the single-tenant deployment model.
Key Takeaways:
- BFF Gateway - Single entry point handling auth flows, session management, and API proxying
- IdP (Identity Provider) - OIDC-compliant authentication, issues JWTs with RS256 signatures
- PDP (Policy Decision Point) - AuthZEN 1.1 authorization with 5-level policy hierarchy
- Membership Service - Graph-based role and relationship management in Neo4j
- CRUD Service - Generic data operations with tenant isolation and event emission
- JWT Anatomy - Three parts: Header (algorithm), Payload (claims), Signature (verification)
- PKCE Flow - Secure OAuth2 authorization code exchange preventing interception attacks
- Federation & ARNs - External IdP integration with universal identity addressing
- Token Exchange (RFC 8693) - Service-to-service authentication with user context
- OBO (On-Behalf-Of) - Acting as another user while maintaining audit trail
- DPoP & CAEP - Token binding and continuous access evaluation for advanced security
- Infrastructure - Traefik (routing), Kafka (events), OpenBao (secrets)
- Workflow - Business process automation and approval chains
- PIPs - Policy Information Points fetch external data for authorization decisions
- Plugin Architecture - Micro-frontends loaded dynamically into Experience shell
- Multi-Tenancy - Schema-per-tenant (Postgres), label isolation (Neo4j), key prefix (Redis)
- Zero-Trust - Every request authenticated and authorized, including internal service calls
Concepts You Can Now Explain:
π Authentication vs Authorization
IdP answers "who are you?" while PDP answers "what can you do?"
π Token-Based Security
JWTs carry claims, signed cryptographically, verified without calling IdP every time
π Polyglot Persistence
Right database for right job: Postgres for transactions, Neo4j for graphs, Redis for cache
Prepare for Tomorrow:
Tomorrow you'll set up your development environment. Make sure you have:
- Docker Desktop installed and running
- Git configured with SSH keys
- Access to the EmpowerNow Azure DevOps repositories
- VS Code or Cursor IDE ready