Identity & Access Management Engine

Role

Senior Backend Engineer

Timeline

2022

Team

5 Engineers

Tech Stack

Node.js, PostgreSQL, Vault, Docker

Overview

Enterprise-grade security and compliance

A centralized authentication service built for healthcare compliance (HIPAA). Supports OAuth2, OpenID Connect, and hardware-based Multi-Factor Authentication (MFA) to secure sensitive patient data.

The Problem

Fragmented identity management

The organization had multiple disconnected user directories, leading to security gaps and a poor user experience. We needed a unified identity provider that could handle complex permission models and strict auditing requirements.

The Solution

Centralized OAuth2 Provider with Vault

We implemented a centralized IdP using Node.js and integrated HashiCorp Vault for dynamic secret management. This ensured that database credentials were rotated automatically and never exposed in code repositories.

The Flow

Authentication & token flow

Users authenticate via the OAuth Proxy. Upon success, a JWT is issued. All sensitive operations require MFA verification using FIDO2/WebAuthn standards.

graph TD
    User --> AuthProxy[OAuth Proxy]
    AuthProxy --> Service[Auth Service]
    Service --> Vault[(HashiCorp Vault)]
    Service --> DB[(Encrypted Postgres)]
    Service --> MFA[FIDO2/MFA Provider]

Auth Flow

erDiagram
    USERS ||--o{ SESSIONS : "active in"
    USERS {
        uuid id PK
        string email
        string password_hash
        boolean mfa_enabled
    }
    SESSIONS {
        string token PK
        uuid user_id FK
        timestamp expires_at
    }

User Schema

Reflection

Security is a continuous process

Implementing hardware MFA was challenging due to browser compatibility issues at the time, but it significantly raised the security bar. We learned that user experience in security products is just as important as the underlying cryptography.