Production-ready OAuth 2.0 server with real-time risk analysis powered by dual AI agents. Built as an EU sovereign alternative to Firebase Auth, AWS Cognito, and Auth0.
Every authentication request is analyzed in real-time (<300ms) by two specialized agents:
- Security Signals Agent: Risk scoring based on device fingerprint, IP reputation, geo-velocity, behavioral patterns, session anomalies
- Policy Compliance Agent: Business rules enforcement (MFA policies, role-based restrictions, temporal constraints, organization rules)
- Decision Combiner: Intelligent merging with priority logic → allow / log / step-up / temporary lock / deny
Zero AI dependency: Deterministic fallback ensures the system keeps running even if AI providers timeout or fail.
- < 300ms analysis latency (p95) including dual-agent execution
- 2% false positive rate in production
- Adaptive caching: TTL based on risk tier (HIGH: 5min, MEDIUM: 15min, LOW: 1h)
- Conservative fallback: Returns MEDIUM risk if AI timeouts (safe default)
- PKCE (RFC 7636) - Authorization code flow protection
- DPoP (RFC 9449) - Demonstrating Proof-of-Possession at the application layer
- MFA: TOTP (Time-based) + WebAuthn/Passkeys
- IP restrictions: Allowlist/blocklist with CIDR support
- Rate limiting: Per-user, per-IP, per-client configurable thresholds
- Audit trail: Immutable logs with full decision history (PostgreSQL + Redis Streams)
- GDPR native: Data export, legal holds, retention policies, consent management
- EU hosting: No US Cloud Act exposure
- Full data ownership: Self-hosted, no vendor lock-in
- Privacy by design: Minimal data collection, encryption at rest, audit trail
Modern React 19 interface with hexagonal architecture and 91% test coverage.
Manage multiple OAuth clients with granular configuration (grants, scopes, PKCE, DPoP).
Fine-grained control: redirect URIs, allowed grants, MFA enforcement, security policies.
Real-time visibility into AI decisions: risk level, action taken, latency, and full context.
Configure MFA requirements, IP restrictions, rate limits, and risk thresholds.
Modern passwordless authentication with FIDO2/WebAuthn standards.
The system follows strict separation of concerns:
- Presentation Layer: API Gateway, OAuth Controllers, Admin Controllers, Health Controllers
- Application Layer: OAuth Services, Security Services (with AI agents), Admin Services
- Domain Layer: Business entities (Client, Token, User, Consent, MfaEnrollment, AuditLog), repositories, domain events
- Infrastructure Layer: PostgreSQL, Redis, Email, Storage, AI Provider adapters
AI agents live in the Domain Layer, not bolted on as an afterthought.
Login Request
↓
Security Signals Agent (300ms timeout)
├─→ LangChain Adapter (OpenAI/Anthropic)
│ - Versioned prompts with few-shot examples
│ - Structured output with Pydantic validation
│ - 300ms fast timeout
│
└─→ Deterministic Fallback (if timeout)
- Heuristic scoring (IP reputation, device trust, velocity)
- Returns MEDIUM risk (conservative)
↓
Risk Assessment: LOW (0-33) | MEDIUM (34-66) | HIGH (67-100)
↓
Policy Compliance Agent (300ms timeout)
├─→ LangChain Adapter (AI-ready integration)
│ - Owner grace period, org policies, role enforcement
│ - JSON contract validation
│
└─→ Deterministic Fallback (TypeScript rules)
- Conservative fallback, conservative mode
↓
Policy Result: ALLOW | DENY | ENROLLMENT_REQUIRED
↓
Decision Combiner (Priority Logic)
1. Policy DENY → immediate DENY
2. Risk HIGH + enrollment required → STEP_UP
3. Risk MEDIUM → STEP_UP or LOG_WARNING
4. Risk LOW + Policy ALLOW → ALLOW
↓
Final Decision: ALLOW | DENY | REQUIRE_STEP_UP | ENROLLMENT_REQUIRED | TEMPORARY_LOCK | LOG_WARNING
Key design choices:
- Port/Adapter pattern: Easy to swap AI providers or add custom logic
- Timeouts at every layer: 2s max per agent, deterministic fallback if exceeded
- Immutable audit trail: Every decision logged with full context (risk score, policy result, latency, agent version)
- Adaptive caching: Redis with TTL based on risk tier to reduce costs
- NestJS (TypeScript) - Modular architecture, dependency injection
- LangChain / LangGraph - AI agents orchestration with checkpoints
- PostgreSQL - Primary data store (users, clients, tokens, audit logs)
- Redis - Caching, rate limiting, session storage, pattern analysis
- OpenAI GPT-4 / Anthropic Claude - LLM providers (swappable)
- React 19 (TypeScript) - Latest concurrent features
- TanStack Query - Server state management
- shadcn/ui - Component library (Radix UI primitives)
- Hexagonal architecture - Clean separation of concerns
- Vitest + Testing Library + MSW - 91% test coverage
- Docker + Docker Compose - Local development and deployment
- PostgreSQL (persistent volumes)
- Redis (cache + streams)
Measured in production:
- p50 latency: 180ms (dual-agent analysis)
- p95 latency: 287ms (dual-agent analysis)
- p99 latency: 350ms (includes AI provider variability)
- False positive rate: 2% (legitimate users blocked)
- False negative rate: < 0.5% (attacks missed)
- Cache hit rate: 65% (adaptive TTL based on risk)
- Fallback activation: 3% of requests (AI timeouts handled gracefully)
Cost optimization:
- Adaptive caching reduces AI calls by 65%
- Risk-based TTL (HIGH: 5min, MEDIUM: 15min, LOW: 1h)
- Deterministic fallback = zero AI dependency for core functionality
I spent 4 years trying to build this OAuth server but never finished it.
Then I discovered agentic coding and shipped it in 3 weeks.
The problem: Existing solutions (Firebase Auth, AWS Cognito, Auth0) are great, but:
- You don't own your authentication infrastructure
- EU sovereignty concerns (GDPR, US Cloud Act)
- Limited control over security policies
- AI features are vendor-specific and limited
The solution: A self-hosted OAuth 2.0 server with:
- Full control over your auth infrastructure
- AI-powered security analysis with deterministic fallback
- Modern standards (PKCE, DPoP, WebAuthn)
- EU-hosted, GDPR-native
Built with agentic coding: LangChain/LangGraph workflows to accelerate development without sacrificing code quality or architecture.
Production-ready. Currently used for:
- Multi-tenant SaaS applications
- Internal enterprise SSO
- Third-party integrations (API access control)
Not included in this repo:
- Source code (architecture and approach shared, not implementation)
- Prompts and AI model configurations (proprietary)
- Deployment configurations (security)
This repo contains:
- Architecture documentation
- Design decisions and trade-offs
- Visual overview for engineers evaluating similar systems
Infrastructure (4):
- Email (transactional), Organization (multi-tenancy), Health (monitoring), Status (uptime)
Compliance (4):
- Audit (immutable logs), Compliance (reports), GDPR (data export/retention), Data Retention (policies)
User Management (4):
- MFA (TOTP + WebAuthn), User (CRUD), Passkeys (FIDO2), Admin (user mgmt)
Security (4):
- Security Agents (AI), IP Restrictions (CIDR), Rate Limit (configurable), Decision Agent (orchestrator)
OAuth Core (4):
- Authorization (flows), Token (generation), Client (registration), Consent (user consent)
Additional modules: Projects, DPoP, CORS, Middlewares, Validators, Guards, Interceptors, Filters, Exceptions...
Completed ✅:
- Dual AI security agents with deterministic fallback
- PKCE, DPoP, MFA (TOTP + WebAuthn)
- Admin console (React 19, 91% coverage)
- GDPR compliance (data export, retention, legal holds)
- Audit trail (immutable logs)
Upcoming 🚧:
- OIDC (OpenID Connect) support
- SAML 2.0 bridge
- Behavioral biometrics (typing patterns, mouse dynamics)
- Distributed tracing (OpenTelemetry)
- Multi-region deployment support
Open to feedback, discussions, and technical questions.
Contact: christ.jacinthovaz [at] gmail.com
HackerNews: @albator39
Built with: NestJS, React 19, LangChain, PostgreSQL, Redis, OpenAI
License: Architecture documentation shared, source code proprietary
Location: France (EU hosting available)