R-Dash Auth Amendment — Local Auth v1 (Azure AD SSO Deferred)
Decision
Supersedes the auth section of “R-Dash Architecture Freeze (Checkpoint 2)”. v1 ships with LOCAL authentication only:
- email + password, hashed with argon2id
- mandatory TOTP MFA via pyotp, with recovery codes
- JWT sessions (15 min access + 7 d refresh) in HttpOnly+Secure+SameSite=Lax cookies
- rate-limiting via slowapi (5 login/min/IP, 10/hr/user); 10 failures → 15 min lockout
- password policy: zxcvbn strength ≥3 and min 12 chars
- admin-provisioned users only (no public signup)
- password reset via signed-token email link (1 hr expiry) through Runwal SMTP
Break-glass is a platform-admin local account with strong password + MFA + offline recovery codes.
Migration path when Runwal’s Azure AD integration work completes: dual-mode local + SSO → per-user email-match SSO migration → deprecate local auth entirely. No code is written against Azure AD in v1 — stub interfaces only, wired later.
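The throttling numbers above (5 login/min/IP, 10/hr/user, 10 failures → 15 min lockout) as an added stand-alone example, not R-Dash code: the real service hands the per-IP/per-user limits to slowapi, whereas this uses only the standard library with an injectable clock so the windows can be exercised deterministically; the class and method names are assumptions.

```python
"""Login throttling with the R-Dash v1 numbers: 5 login/min/IP, 10/hr/user,
10 failures -> 15 min lockout.  Added example, not R-Dash code (the service
uses slowapi for the rate limits); stdlib only, clock injected for tests."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable

IP_LIMIT, IP_WINDOW = 5, 60                  # 5 login attempts/min/IP
USER_LIMIT, USER_WINDOW = 10, 3600           # 10 attempts/hr/user
LOCKOUT_FAILS, LOCKOUT_SECS = 10, 15 * 60    # 10 failures -> 15 min lockout


@dataclass
class LoginGuard:
    clock: Callable[[], float]           # time.monotonic in production
    ip_hits: dict = field(default_factory=lambda: defaultdict(deque))
    user_hits: dict = field(default_factory=lambda: defaultdict(deque))
    fails: dict = field(default_factory=lambda: defaultdict(int))
    locked_until: dict = field(default_factory=dict)

    def _allow(self, hits, key, limit, window):
        """Sliding window: drop expired timestamps, refuse if the window is full."""
        now = self.clock()
        q = hits[key]
        while q and q[0] <= now - window:
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True

    def check(self, ip, user):
        """Before the credential check: None = proceed, else the refusal reason (send clients one generic error)."""
        if self.locked_until.get(user, 0.0) > self.clock():
            return "locked"
        if not self._allow(self.ip_hits, ip, IP_LIMIT, IP_WINDOW):
            return "ip_rate"
        if not self._allow(self.user_hits, user, USER_LIMIT, USER_WINDOW):
            return "user_rate"
        return None

    def record(self, user, success):
        """After password+TOTP check: success clears the streak,
        the 10th failure locks the account for 15 minutes."""
        if success:
            self.fails[user] = 0
            return
        self.fails[user] += 1
        if self.fails[user] >= LOCKOUT_FAILS:
            self.locked_until[user] = self.clock() + LOCKOUT_SECS
            self.fails[user] = 0
```

Note that with these numbers the 10/hr/user cap is reached on the same attempt that trips the lockout, so the 15 min lockout only adds protection when failures accumulate across hourly windows; all three refusals should map to the same client-facing error so the response does not reveal whether the account exists.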
Rationale
User directive 2026-04-17: “Keep it local authorization only. Once the AD-related work is done, I will let you know, and then we will wire AD-based single sign-on. Right now, it’s not there.” Runwal’s Azure AD integration work is external to R-Dash’s critical path and not yet complete — building R-Dash to depend on AAD before AAD is ready would block the 6-month v1 timeline. Local auth done right (argon2id, mandatory MFA, rate-limited, lockout, admin-provisioned, audit-logged) meets Law 11 security-by-default for an internal platform with 50 pilot users. Future SSO migration is clean because auth is boundary-isolated (single module M1); no domain code couples to the auth mechanism.
Alternatives Rejected
Keep Azure AD OIDC as v1 primary (original Checkpoint 2 decision) — rejected: Runwal AD integration work is not yet done; blocking v1 on an external dependency jeopardises the timeline and creates ambiguity.
Local auth with bcrypt instead of argon2id — rejected: NIST/OWASP 2024-2025 guidance favors argon2id for new systems; bcrypt is acceptable but offers far weaker memory-hardness.
Skip MFA in v1 — rejected: internal platform handling Sales/Finance/salary data; MFA is table-stakes per Law 11; TOTP is free and OSS.
Allow public signup — rejected: internal platform; admin-provisioned is the correct posture and makes RBAC audit clean.
Magic link (passwordless) v1 — rejected: puts email delivery on the login critical path; password + MFA is more reliable for enterprise users.
Dual-mode (local + SSO) from day 1 — rejected: SSO code is dormant complexity until AAD is ready; build local first, wire SSO cleanly later.
Outcome
Pending
Related
- r-dash-architecture-freeze-checkpoint-2
- Azure AD
- r-dash-azure-ad-deferred-local-auth-v1-stack
- r-same-azure-ad-sso-deferred-local-auth-v1
- r-same-local-auth-v1-azure-ad-deferred
- azure-ad-sso-deferred-local-auth-migration-path
- argon2id-owasp-2024-config-and-password-policy
- azure-ad-sso-deferred-local-auth-v1-stub-interfaces
- argon2id-owasp-2024-params-time3-mem64mb-par4
- r-same-local-auth-v1-azure-ad-sso-deferred
- r-same-azure-ad-sso-deferred-v1-local-auth-only
- azure-ad-sso-deferred-v1-uses-local-auth
- azure-ad-sso-deferred-local-auth-v1-because-runwal-ad-incomp
- azure-ad-sso-deferred-local-auth-is-v1