Enterprise Security
Demonstrated
Experience the Zero-Trust Edge in action. Select your path to explore policy-driven access controls, instantaneous edge mitigation, and distributed identity.
Interactive Model
Step through the finite state machine visually. See exactly how tokens are verified and policies evaluated at the edge.
Live IDP Discovery
Inspect the live OIDC discovery document — the contract that tells the gateway where to redirect users, which signing keys to trust, and how to validate tokens.
Identity Journey
Watch every user start as a machine. Track the precise moment a machine credential becomes a human session via APISIX + Keycloak.
Federation Flow
Step through OIDC federation end-to-end. See how Keycloak brokers identity from external sources.
Identity Bridge
Address enterprise pushback. See how 'Silent Auth' and 'RelayState' solve existing system migration with zero friction.
Gateway Pattern: Live APISIX Demo
Log in as any user tier and fire real requests through Apache APISIX. Watch real JWKS-verified JWT validation and user-context header injection happen live — the full open-source path: APISIX + Keycloak + OPA + Enterprise IDP federation.
Sidecar Pattern: OPA Next to the Workload
Same JWT verification at the gateway — but the authorization decision moves off the gateway entirely. Each service gets its own co-located OPA sidecar, reachable only at localhost. Compare directly with the gateway pattern above.
BFF Pattern: Opaque Sessions & Instant Revocation
The token never touches the browser — it holds only an opaque session id. Log in, call an endpoint, log out, then call again and watch it 401 on the very next request. No waiting for a JWT to expire.
Try to Break It
A forged JWT, a tier-escalation attempt, a request with no credentials, a replayed session after logout — four real attacks fired at the live stack, each annotated with which layer caught it: the gateway's signature check, OPA's policy, or the BFF's session store.
Step-Up Auth Lab
Test adaptive Zero-Trust edge authentication natively. Intentionally trigger OPA denied API requests to fire OIDC ACR step-up flows.
- basic.user / password123
- premium.user / password123
Step-Up Flow Analytics
Interactive visualization of Level of Assurance (LOA) step-up. See how the App, Gateway, and IDP interact to challenge a user's session natively.
Feature Lab
Ditch expensive SaaS vendors. Leverage OPA to drive cohort-based feature flags at the edge with zero per-user costs and single-digit millisecond latency.
The "Aha" Moment
Reduce duplicated auth logic across every service, eliminate security drift between teams, and change a policy without touching a single line of application code.
Spaghetti Auth Logic
- Every microservice implements its own JWT verification routines.
- Business logic is tightly coupled with hardcoded RBAC permissions.
- Updating a security policy requires redeploying the entire application.
Federated Bridge
- New gateway intercepts traffic while your existing identity system continues operating unchanged.
- SP federation bridges old and new identity systems — swap the IDP when the time is right.
- Backends receive identical headers — zero re-deployment required during migration.
Decoupled Edge Security
- APISIX Gateway intercepts & validates all tokens implicitly.
- Open Policy Agent (OPA) evaluates permissions externally via REGO.
- Applications receive clean, pre-authorized requests. No auth code needed.
Need an Architecture Like This?
I specialize in secure, Zero-Trust cloud environments and decentralized identity architecture. While happily employed full-time, I'm selectively open to consulting, architecture advisory work, and contracts that align with my expertise in edge authorization design.