Overview
The auth flow diagram shows BitzOrcas.Modern’s security pipeline. After a request arrives, it passes through the three authentication schemes (JWT Bearer for users, HMAC for service-to-service calls, ApiKey for external integrations) and then enters the unified authorization decision service.
The authorization service contains four evaluators, RbacPolicyEvaluator, AppScopePolicyEvaluator, AbacPolicyEvaluator and ReBacPolicyEvaluator, which together apply a default-deny strategy: a request is denied unless an evaluator explicitly allows it and no evaluator denies it.
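The following is an added illustration of the priority-ordered, default-deny evaluator chain described above; it is not BitzOrcas.Modern's own code. The four evaluator names come from the page, but the Decision/AccessContext/Evaluator types, the authorize() function, the sample role table and the individual policy rules are assumptions made here to show the decision semantics: any DENY ends the chain, and a request that no evaluator explicitly allows is denied by default.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Tuple

# Constructed illustration of a priority-ordered, default-deny evaluator chain.
# The type and function names (Decision, AccessContext, Evaluator, authorize)
# and the sample policies are assumptions, not the project's own API.


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    NOT_APPLICABLE = "n/a"      # the evaluator has no opinion on this request


@dataclass
class AccessContext:
    subject: str                # principal identity produced by the auth scheme
    principal_kind: str         # "user" (JWT), "service" (HMAC) or "apikey"
    tenant: str                 # tenant claim of the caller
    resource: str               # e.g. "docs/42"
    resource_tenant: str        # tenant that owns the resource
    action: str                 # "read", "write", "delete", ...
    roles: List[str] = field(default_factory=list)
    scopes: List[str] = field(default_factory=list)
    relations: List[Tuple[str, str, str]] = field(default_factory=list)  # (subject, relation, resource)


@dataclass(order=True)
class Evaluator:
    priority: int               # lower value runs first
    name: str
    evaluate: Callable[[AccessContext], Decision] = field(compare=False)


ROLE_PERMISSIONS = {            # constructed sample role table
    "admin": {"read", "write", "delete"},
    "editor": {"read", "write"},
    "viewer": {"read"},
}
KNOWN_ACTIONS = set().union(*ROLE_PERMISSIONS.values())


def rbac(ctx: AccessContext) -> Decision:
    # Role check: only speaks about actions the role table knows.
    if ctx.action not in KNOWN_ACTIONS:
        return Decision.NOT_APPLICABLE
    granted = any(ctx.action in ROLE_PERMISSIONS.get(r, set()) for r in ctx.roles)
    return Decision.ALLOW if granted else Decision.DENY


def app_scope(ctx: AccessContext) -> Decision:
    # Scope restrictions apply to API keys and service principals, not to users.
    if ctx.principal_kind == "user":
        return Decision.NOT_APPLICABLE
    required = f"{ctx.resource.split('/')[0]}:{ctx.action}"
    return Decision.ALLOW if required in ctx.scopes else Decision.DENY


def abac(ctx: AccessContext) -> Decision:
    # Attribute check: a caller may never reach across tenants.
    return Decision.DENY if ctx.tenant != ctx.resource_tenant else Decision.NOT_APPLICABLE


def rebac(ctx: AccessContext) -> Decision:
    # Relationship check: owners may act on their resource, viewers may read it.
    if (ctx.subject, "owner", ctx.resource) in ctx.relations:
        return Decision.ALLOW
    if ctx.action == "read" and (ctx.subject, "viewer", ctx.resource) in ctx.relations:
        return Decision.ALLOW
    return Decision.NOT_APPLICABLE


EVALUATORS = [
    Evaluator(10, "RbacPolicyEvaluator", rbac),
    Evaluator(20, "AppScopePolicyEvaluator", app_scope),
    Evaluator(30, "AbacPolicyEvaluator", abac),
    Evaluator(40, "ReBacPolicyEvaluator", rebac),
]


def authorize(ctx: AccessContext, evaluators=EVALUATORS):
    """Run evaluators in priority order. Any DENY ends the chain with a denial;
    a request that no evaluator explicitly allows is denied by default."""
    allowed_by = []
    for ev in sorted(evaluators):
        verdict = ev.evaluate(ctx)
        if verdict is Decision.DENY:
            return Decision.DENY, f"denied by {ev.name}"
        if verdict is Decision.ALLOW:
            allowed_by.append(ev.name)
    if allowed_by:
        return Decision.ALLOW, "allowed by " + ", ".join(allowed_by)
    return Decision.DENY, "default deny: no evaluator granted access"


if __name__ == "__main__":
    ctx = AccessContext("dave", "user", "acme", "docs/42", "acme", "export")
    print(authorize(ctx))   # every evaluator abstains, so the default applies
```

The important property is visible in the last case of the test: a request for an action that no evaluator recognises is not silently permitted, it falls through to the default denial. Note also that the cross-tenant check runs after RBAC has already said ALLOW and still produces a denial, which is the "any evaluator denying results in an overall denial" rule.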
Key takeaways
- JWT Bearer — user authentication; claims extraction for identity and tenant
- HMAC — service-to-service authentication with anti-replay (nonce + time window)
- ApiKey — external system integration with scope restrictions
- Evaluators execute by priority; any evaluator denying results in an overall denial
- X-Correlation-ID is assigned during authentication and propagated through the entire request chain
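The HMAC scheme's anti-replay behaviour (nonce + time window) and the assignment of X-Correlation-ID at authentication time, shown as an added example with both the calling service's signing step and the receiving service's verification. This is illustrative code written here, not BitzOrcas.Modern's implementation: the header names other than X-Correlation-ID, the canonical-string layout, the 5-minute window, the service secret and the function names are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
import uuid
from typing import Dict, Optional, Tuple

# Constructed illustration of HMAC service-to-service authentication with
# nonce + time-window replay protection and correlation-id assignment.
# Header names (except X-Correlation-ID), the canonical string, the window
# size and the shared secret are assumptions, not the project's wire format.

TIME_WINDOW_SECONDS = 300   # assumed: accept timestamps at most 5 minutes off

# Shared secrets per calling service; the value is a constructed sample.
SERVICE_SECRETS: Dict[str, bytes] = {"billing": b"billing-shared-secret-example"}


def canonical_string(method: str, path: str, timestamp: int, nonce: str, body: bytes) -> bytes:
    # Binding method, path, time, nonce and body hash into the MAC means a
    # captured signature cannot be moved to a different request.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(service_id: str, secret: bytes, method: str, path: str, body: bytes,
                 now: Optional[float] = None, nonce: Optional[str] = None) -> Dict[str, str]:
    """Client side: build the headers a calling service attaches to its request."""
    ts = int(now if now is not None else time.time())
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(secret, canonical_string(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
    return {"X-Service-Id": service_id, "X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": mac}


class HmacAuthenticator:
    """Server side: verifies signature, time window and nonce uniqueness."""

    def __init__(self, secrets_by_service: Dict[str, bytes], window: int = TIME_WINDOW_SECONDS):
        self.secrets = secrets_by_service
        self.window = window
        self._seen: Dict[Tuple[str, str], int] = {}   # (service, nonce) -> timestamp

    def _purge(self, now: int) -> None:
        # A nonce older than the window can no longer pass the time check,
        # so the cache only has to remember one window's worth of nonces.
        self._seen = {k: ts for k, ts in self._seen.items() if now - ts <= self.window}

    def authenticate(self, method: str, path: str, headers: Dict[str, str], body: bytes,
                     now: Optional[float] = None):
        now = int(now if now is not None else time.time())
        service = headers.get("X-Service-Id", "")
        secret = self.secrets.get(service)
        if secret is None:
            return None, "unknown service"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return None, "bad timestamp"
        if abs(now - ts) > self.window:
            return None, "timestamp outside window"
        nonce = headers.get("X-Nonce", "")
        if not nonce:
            return None, "missing nonce"
        # Verify the signature before consuming the nonce, so an unauthenticated
        # request cannot burn a nonce the genuine caller is about to use.
        expected = hmac.new(secret, canonical_string(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return None, "bad signature"
        self._purge(now)
        if (service, nonce) in self._seen:
            return None, "replayed nonce"
        self._seen[(service, nonce)] = ts
        # The correlation id is assigned here, at authentication, and then
        # propagated through the rest of the request chain.
        correlation_id = headers.get("X-Correlation-ID") or str(uuid.uuid4())
        return {"service": service, "correlation_id": correlation_id}, "ok"


if __name__ == "__main__":
    auth = HmacAuthenticator(SERVICE_SECRETS)
    body = b'{"invoice": 7}'
    hdrs = sign_request("billing", SERVICE_SECRETS["billing"], "POST", "/invoices", body)
    print(auth.authenticate("POST", "/invoices", hdrs, body))   # accepted
    print(auth.authenticate("POST", "/invoices", hdrs, body))   # same nonce again: rejected
```

Two design points worth noting: the time window bounds how long the nonce cache must remember each nonce, so the two mechanisms are deliberately paired rather than alternatives; and in a multi-instance deployment the nonce cache has to be shared (or partitioned by the same key the load balancer routes on), otherwise a replay sent to a different instance would pass.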
Related
- Authentication — three-scheme detailed configuration
- Authorization — four-evaluator strategy deep dive
- Security overview — complete security documentation