Replies: 2 comments
What kind of experiences do you want to know about? Rauthy tries to be as secure as possible by default and you can really lock it down with forced MFA + forced UV, and such things. However, a banking application is the most sensitive thing you can run. You can use Rauthy of course for user management, logins, and so on, but make sure that you have some mechanism inside your banking app that validates an additional challenge for each transaction. This is the one thing I would expect it to do. This is true for whatever IdP you decide on. Security is always a compromise between UX and how secure you can get. Verifying each transaction is super annoying for users of course, but the most secure you can get. The same is true for very short session timeouts and force-logouts on inactivity. But when talking about a banking app, you should care very little about UX in that regard and be as secure as possible. Edit: Btw, Rauthy is not a library, it's a standalone IdP.
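A sketch of the per-transaction challenge recommended in the reply above, as an added example that is not part of the original discussion and is not Rauthy code. All names, the 120-second lifetime and the HMAC with a per-device key (a stand-in for whatever second factor the banking app really uses) are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

CHALLENGE_TTL = 120  # seconds; assumed value, pick one that fits your app


def tx_digest(user_id, tx):
    # Canonical encoding of exactly the fields the user is approving.
    fields = [user_id, tx["from"], tx["to"], tx["amount"], tx["currency"]]
    return hashlib.sha256(json.dumps(fields).encode()).digest()


def device_response(device_key, nonce, user_id, tx):
    # Stand-in for the second factor: the user's device approves this exact transfer.
    return hmac.new(device_key, nonce + tx_digest(user_id, tx), hashlib.sha256).digest()


class TransactionChallenges:
    """Server-side, single-use challenges bound to one user and one transaction."""

    def __init__(self, now=time.time):
        self._pending = {}
        self._now = now

    def issue(self, user_id, tx):
        challenge_id = secrets.token_urlsafe(16)
        nonce = secrets.token_bytes(32)
        expires = self._now() + CHALLENGE_TTL
        self._pending[challenge_id] = (tx_digest(user_id, tx), nonce, expires)
        return challenge_id, nonce

    def verify(self, challenge_id, user_id, tx, response, device_key):
        # pop() makes the challenge single-use, even when verification fails.
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False
        digest, nonce, expires = entry
        if self._now() > expires:
            return False
        # The transaction being executed must be the one the challenge was issued for.
        if not hmac.compare_digest(digest, tx_digest(user_id, tx)):
            return False
        expected = hmac.new(device_key, nonce + digest, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)
```

Because the response covers the transaction fields, a valid IdP session alone cannot move money, and an approval captured for one transfer cannot be replayed or reused for a different amount or recipient.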
Closing because of no response.
Very awesome work to the creator! We are looking for a library that we can use as our internal authentication service for our internal banking system. Hopefully, we can find someone who is already using rauthy in a production environment to know about their experiences.