Identity Broker Overview
The Gold Standard for Enterprise Authentication. Implements the Backend-For-Frontend (BFF) pattern to secure SPAs by keeping tokens out of the browser.
Why Identity Broker?
Modern security standards (OWASP 2026) discourage storing access tokens in the browser (LocalStorage/SessionStorage) due to XSS risks. The Identity Broker handles all token exchanges on the server and issues a secure, encrypted, partitioned cookie to the frontend.
| Feature | Client-Side Auth (Standard) | Identity Broker (BFF) |
|---|---|---|
| Token Storage | LocalStorage (Vulnerable to XSS) | HttpOnly Cookie (Secure) |
| Encryption | None (JWT visible) | AES-256 Encrypted Cookie |
| CSRF | Relies on SameSite | Double-Submit Cookie Pattern |
| Privacy | 3rd Party Cookies (Blocked by Safari) | First-Party Context |
Decision guide
- Identity Validator: Use this if your APIs already receive JWTs and only need token validation.
- Identity Broker: Use this if you need a complete login experience for a browser app and want secure cookie sessions.
- Both: Use Broker for the SPA and Validator for downstream APIs.
See: Identity Validator Overview
Supported Providers
The broker supports seamless integration with major enterprise identity providers.
Azure AD / Entra ID
Multi-tenant SaaS support with Admin Consent flow.
Okta
Workforce identity with PAR (Pushed Auth) support.
Auth0
B2B SaaS isolation with Organizations.
Business login with Hosted Domain restrictions.
Key Capabilities
Zero-Knowledge Frontend
The frontend application never sees the Access Token. It only holds a session cookie. This renders XSS attacks ineffective for token theft: an injected script cannot read an HttpOnly cookie, although it can still call the broker while the session is active, so XSS must still be mitigated in the SPA itself.
Just-In-Time (JIT) Provisioning
Automatically provision users in your local database when they log in via a trusted provider (like a corporate Azure AD).
Advanced Security
- AES-256 Encryption: Upstream tokens are encrypted at rest.
- Partitioned Cookies (CHIPS): Future-proofs your app against browser privacy sandboxes.
- Strict CSRF: Validates custom headers against a secure cookie.
Roadmap
The following features are planned for upcoming releases:
- Sign up / invite flows
- Email verification
- Forgot / reset password and change password
- MFA / passkeys
- Session list and revoke (log out other devices)
- Account linking and organization/tenant management
Technical Specifications
| Feature | Default Value | Description |
|---|---|---|
| Session Lifetime | 60 Minutes | Defined by Jwt:ExpiryInMinutes. |
| Sliding Expiration | Enabled | The session expiry is extended on every authenticated request. |
| Cookie Name | Primus.Session | Prefixed with __Host- in non-development environments. |
| CSRF Header | X-Primus-CSRF | Required on POST/PUT/DELETE. Prevents Cross-Site Request Forgery. |
| Account Lockout | 5 Attempts | Accounts lock after 5 failed tries. |
| Encryption | AES-256 | Upstream tokens are encrypted with AES-256 before they are stored. |
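The Advanced Security items and the specifications table above describe the same server-side session layer; the following Python sketch is an added example (not the product's own code) that ties them together: a __Host- session cookie issued with the attributes the prefix requires, the X-Primus-CSRF double-submit check on POST/PUT/DELETE, and 60-minute sliding expiration. The CSRF cookie name and the in-memory session table are assumptions, and encryption of the stored upstream token is left out.

```python
import hmac
import secrets
import time

SESSION_COOKIE = "__Host-Primus.Session"  # page: Primus.Session, __Host- prefix outside dev
CSRF_COOKIE = "__Host-Primus.CSRF"        # assumed name; the page only says "a secure cookie"
CSRF_HEADER = "X-Primus-CSRF"             # page: required on POST/PUT/DELETE
SESSION_SECONDS = 60 * 60                 # page: 60-minute sliding lifetime
UNSAFE_METHODS = {"POST", "PUT", "DELETE"}


def set_cookie_line(name: str, value: str, http_only: bool) -> str:
    """Set-Cookie value obeying the __Host- rules (Secure, Path=/, no Domain)
    plus SameSite and the CHIPS Partitioned attribute."""
    attrs = "Path=/; Secure; SameSite=Lax; Partitioned"
    return f"{name}={value}; {attrs}" + ("; HttpOnly" if http_only else "")


class BrokerSessions:
    """Server-side session table (constructed example). The upstream access
    token stays here; the browser only gets an opaque id and a CSRF token."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._sessions: dict[str, dict] = {}

    def login(self, upstream_token: str) -> tuple[dict, list]:
        """Create a session; returns the cookie jar the browser would hold
        and the Set-Cookie lines that produce it."""
        sid, csrf = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._sessions[sid] = {"token": upstream_token, "csrf": csrf,
                               "expires": self.clock() + SESSION_SECONDS}
        lines = [set_cookie_line(SESSION_COOKIE, sid, http_only=True),
                 set_cookie_line(CSRF_COOKIE, csrf, http_only=False)]  # SPA reads it
        return {SESSION_COOKIE: sid, CSRF_COOKIE: csrf}, lines

    def authorize(self, method: str, cookies: dict, headers: dict):
        """Decide one proxied request: (status, upstream token or None)."""
        sess = self._sessions.get(cookies.get(SESSION_COOKIE, ""))
        if sess is None or sess["expires"] <= self.clock():
            return 401, None
        if method.upper() in UNSAFE_METHODS:
            # Double-submit: the header must equal the CSRF cookie, and both must be
            # the value bound to this session (a cross-site form cannot set headers).
            sent = headers.get(CSRF_HEADER, "")
            if not (hmac.compare_digest(sent, cookies.get(CSRF_COOKIE, ""))
                    and hmac.compare_digest(sent, sess["csrf"])):
                return 403, None
        sess["expires"] = self.clock() + SESSION_SECONDS  # sliding expiration
        return 200, sess["token"]
```

Binding the CSRF value to the server-side session, rather than only comparing header to cookie, also defeats an attacker who manages to plant their own CSRF cookie on a sibling domain.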