DotID

Purpose

Identity and access management for the FlexGalaxy.AI platform. DotID is the umbrella name for the entire Identity Plane — it encompasses authentication (Keycloak), fine-grained authorization, org structure, cross-account access, and administration. Modeled after AWS IAM and Organizations.

Subsystems

DotID (umbrella)
├── Keycloak ─────────── OIDC provider, user federation, SSO
├── Authorization Service  Fine-grained ABAC/RBAC policy evaluation
├── Org Service ──────── Account hierarchy, organizations, OUs
├── IAM Identity Center ─ Cross-account access, SSO delegation
└── StarGate ─────────── Admin web application

Each subsystem has its own architecture doc:

Keycloak (Core OIDC Provider)

Responsibilities

  • User authentication (login, registration, password reset)
  • OAuth2 / OIDC token issuance (access tokens, refresh tokens, ID tokens)
  • Client registration and management
  • User federation (LDAP, social providers)
  • Multi-factor authentication
  • Session management and SSO
  • Email verification and communication (via AWS SES in production)

Key Entities

Entity   Description
-------  ------------------------------------------------------
Realm    flexgalaxy — the single realm for all platform users
User     A human or service account with credentials
Client   An OIDC client (SPA, server, device)
Role     Realm-level or client-level access role
Group    Organizational grouping of users

Endpoints

Endpoint                                                                      Description
----------------------------------------------------------------------------  ----------------------
auth.flexgalaxy.com                                                           OIDC issuer (Keycloak)
auth.flexgalaxy.com/auth/realms/flexgalaxy/.well-known/openid-configuration   OIDC discovery
auth.flexgalaxy.com/auth/realms/flexgalaxy/protocol/openid-connect/certs      JWKS endpoint

Authentication Flows

Flow                       Use Case
-------------------------  ------------------------------
Authorization Code + PKCE  SPAs (AdminCenter, StarGate)
Client Credentials         Service-to-service, device M2M
Direct Grant               Integration testing only

Authorization Service

Responsibilities

  • Evaluate fine-grained access policies (ABAC and RBAC)

  • Provide policy decision points (PDP) for all platform services

  • Manage IAM policies, groups, and permission sets per account

Key Entities

Entity            Description
----------------  -------------------------------------------------------
Policy            A JSON policy document (actions, resources, conditions)
Action Namespace  Grouping of actions by service (e.g., devices:Read)
Permission Set    A named collection of policies
IAM Group         Account-scoped group with attached policies

Implementation

Component              Technology             Deployment
---------------------  ---------------------  ---------------------------------------
OIDC Provider          Keycloak 26            EKS (Kubernetes)
Authorization Service  Java 21 (Spring Boot)  EKS (Kubernetes)
Database (Keycloak)    PostgreSQL 15 (RDS)    AWS RDS
Database (AuthZ)       PostgreSQL 15 (RDS)    AWS RDS
SMTP                   AWS SES                email-smtp.ap-northeast-1.amazonaws.com
DNS                    Route53                auth.flexgalaxy.com

Consumed By

Every service on the platform. DotID is the universal dependency.