Lux IAM

Enterprise identity and access management — OAuth2, OIDC, SAML, WebAuthn, multi-org, and role-based access control.

Lux IAM is the identity and access management layer for the Lux Financial platform. It provides OAuth2/OIDC authentication, multi-organization support, and fine-grained role-based access control for all platform services.

Architecture

┌──────────────────────────────────────────────────┐
│                     Lux IAM                      │
│  ┌────────────┬────────────┬────────────────┐    │
│  │   OAuth2   │   OIDC     │     SAML       │    │
│  │   Server   │  Provider  │   Federation   │    │
│  └─────┬──────┴─────┬──────┴───────┬────────┘    │
│        │            │              │             │
│  ┌─────▼──────┬─────▼──────┬───────▼────────┐    │
│  │   Users    │   Orgs     │    Roles       │    │
│  │   Groups   │   Apps     │   Permissions  │    │
│  └────────────┴────────────┴────────────────┘    │
└──────────────────────────────────────────────────┘

Features

Authentication Protocols

Protocol     Use Case
OAuth 2.0    API authorization, third-party app access
OIDC         Single sign-on, identity federation
SAML 2.0     Enterprise SSO (Okta, Azure AD, OneLogin)
CAS          Legacy SSO integration
LDAP         Directory service integration

Multi-Organization

Lux IAM supports multiple organizations under a single deployment, each with isolated users, apps, and permissions.

Domain            Organization
lux.id            Lux Network
hanzo.id          Hanzo AI
pars.id           Pars
id.zoo.network    Zoo Labs

Multi-Factor Authentication

Method      Description
TOTP        Time-based one-time passwords (Google Authenticator, Authy)
WebAuthn    FIDO2 hardware keys and biometrics (Touch ID, Face ID)
SMS         SMS-based verification codes
Email       Email-based verification codes

Quick Start

SDK Integration

import { LuxIAM } from '@luxfi/iam';

const iam = new LuxIAM({
  domain: 'auth.yourbank.com',
  clientId: process.env.IAM_CLIENT_ID,
  clientSecret: process.env.IAM_CLIENT_SECRET,
});

OAuth2 Authorization Code Flow

// 1. Redirect user to authorization endpoint
//    `state` is an unguessable value kept in the server-side session; the
//    callback handler compares it with the value the authorization server
//    echoes back before doing anything else (CSRF protection).
const authUrl = iam.getAuthorizationUrl({
  redirectUri: 'https://yourbank.com/callback',
  scope: 'openid profile email',
  state: generateCSRFToken(),
});

// 2. Exchange code for tokens (only after req.query.state matches the stored state)
const tokens = await iam.exchangeCode({
  code: req.query.code,
  redirectUri: 'https://yourbank.com/callback', // must be identical to the value used in step 1
});

// 3. Get user info
const user = await iam.getUserInfo(tokens.accessToken);

Role-Based Access Control

// Define roles
await iam.roles.create({
  name: 'treasury_manager',
  permissions: [
    'accounts:read',
    'accounts:write',
    'payments:create',
    'payments:approve',
  ],
  limits: {
    'payments:create': { maxAmount: 1000000 },
  },
});

// Assign role
await iam.users.assignRole({
  userId: 'user_123',
  roleId: 'treasury_manager',
});

// Check permission
const canApprove = await iam.authorize({
  userId: 'user_123',
  action: 'payments:approve',
  resource: 'payment_456',
});

Enterprise SSO

SAML Integration

await iam.sso.configureSAML({
  provider: 'okta',
  entityId: 'https://yourbank.okta.com',
  ssoUrl: 'https://yourbank.okta.com/app/xxx/sso/saml',
  certificate: process.env.OKTA_CERT,
  attributeMapping: {
    email: 'user.email',
    firstName: 'user.firstName',
    lastName: 'user.lastName',
    groups: 'user.groups',
  },
});

OIDC Federation

await iam.sso.configureOIDC({
  provider: 'azure-ad',
  clientId: process.env.AZURE_CLIENT_ID,
  clientSecret: process.env.AZURE_CLIENT_SECRET,
  discoveryUrl: 'https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration',
});

WebAuthn / FIDO2

Registration

// Begin registration
const options = await iam.webauthn.registerBegin({
  userId: 'user_123',
  deviceName: 'MacBook Touch ID',
});

// Complete registration (after browser credential creation)
await iam.webauthn.registerComplete({
  userId: 'user_123',
  credential: browserCredentialResponse,
});

Transaction Signing

// Require biometric verification for high-value transactions
const challenge = await iam.webauthn.verify({
  userId: 'user_123',
  transactionId: 'txn_456',
  // Challenge is bound to SHA256(txn_id) for replay prevention
});

Audit Logging

All authentication and authorization events are logged:

const logs = await iam.audit.list({
  userId: 'user_123',
  actions: ['login', 'permission_check', 'role_change'],
  from: '2025-01-01',
  to: '2025-11-30',
});

Endpoints

POST   /oauth/authorize          # Authorization endpoint
POST   /oauth/token              # Token endpoint
GET    /api/userinfo             # OIDC UserInfo
GET    /.well-known/openid-configuration  # OIDC Discovery
POST   /api/webauthn/register    # WebAuthn registration
POST   /api/webauthn/verify      # WebAuthn verification
