Authentication & Security Architecture

Engram uses Azure Entra ID (External ID) with Google Federation for enterprise-grade authentication and security.

Overview

  • Identity Provider: Azure Entra ID (CIAM)
  • Social Login: Google Federation
  • Token Format: JWT (JSON Web Token)
  • Validation: Standard JWT validation with dynamic JWKS fetching

Key Concepts

Authentication Flow

  1. User clicks “Continue with Google”
  2. Frontend redirects to Azure CIAM
  3. Azure CIAM federates to Google
  4. Google authenticates user
  5. Azure CIAM issues JWT token
  6. Backend validates token (dynamic JWKS fetching)
  7. SecurityContext created from token claims

SecurityContext

The SecurityContext (Layer 1) is created from the validated JWT:

  • user_id from oid claim
  • tenant_id from tid claim
  • roles from Entra ID groups
  • scopes from token scopes
  • email, display_name from token claims

See: Security Context Architecture

Enterprise Boundaries

SecurityContext enforces:

  • Tenant Isolation: Contoso Corp users cannot access Fabrikam Corp data
  • Project Scoping: Users only see projects they have access to
  • Role-Based Access: ANALYST can read, ADMIN can modify
  • User Attribution: All actions are attributable to a user
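The path from validated token claims to enforced boundaries (steps 6 and 7 of the flow, the SecurityContext mapping and the Enterprise Boundaries above), as an added Python example that is not Engram's own code. It assumes the token signature has already been checked against the JWKS by a JWT library; the claim names groups, scp and name, the issuer and audience values, the tenant ids and the group-to-role mapping are assumptions or constructed placeholders.

```python
from dataclasses import dataclass
import time

# Constructed role-to-permission table; the page states only that ANALYST can read and ADMIN can modify.
ROLE_PERMS = {"ANALYST": {"read"}, "ADMIN": {"read", "write"}}

# Constructed placeholders: Entra tenant ids, group-object-id to role mapping, expected issuer/audience.
CONTOSO_TID, FABRIKAM_TID = "tid-contoso", "tid-fabrikam"
GROUP_TO_ROLE = {"grp-analysts": "ANALYST", "grp-admins": "ADMIN"}
EXPECTED_ISS, EXPECTED_AUD = "https://login.example/tid-contoso/v2.0", "api://engram"

@dataclass(frozen=True)
class SecurityContext:
    user_id: str
    tenant_id: str
    roles: frozenset
    scopes: frozenset
    email: str
    display_name: str

def build_security_context(claims, now=None):
    """Layer-1 SecurityContext from claims whose signature was already verified via JWKS.
    iss/aud/exp are re-checked: a valid signature alone does not prove the token was
    minted by the expected Entra tenant for this API, or that it is still live."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISS:
        raise PermissionError("issuer mismatch")
    if claims.get("aud") != EXPECTED_AUD:
        raise PermissionError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if not claims.get("oid") or not claims.get("tid"):
        raise PermissionError("missing oid or tid claim")
    # Entra 'groups' claim carries group object ids; groups with no mapping grant nothing.
    roles = frozenset(GROUP_TO_ROLE[g] for g in claims.get("groups", []) if g in GROUP_TO_ROLE)
    scopes = frozenset(claims.get("scp", "").split())  # 'scp' is space-separated in Entra tokens
    return SecurityContext(claims["oid"], claims["tid"], roles, scopes,
                           claims.get("email", ""), claims.get("name", ""))

def authorize(ctx, resource_tenant_id, action):
    """Enterprise boundary check: tenant isolation first, then role-based access."""
    if ctx.tenant_id != resource_tenant_id:
        return False  # a Contoso user never reaches Fabrikam data, whatever their role
    return any(action in ROLE_PERMS.get(r, set()) for r in ctx.roles)

# Constructed sample claims for a Contoso analyst (not a real token).
SAMPLE_CLAIMS = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "exp": time.time() + 600,
                 "oid": "user-0001", "tid": CONTOSO_TID, "groups": ["grp-analysts", "grp-unknown"],
                 "scp": "projects.read", "email": "alice@contoso.example", "name": "Alice"}
```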

Related: Security Context, Operations