OAuth2 + OIDC Provider

Identity Infrastructure for Workplace.hr

OAuth2/OpenID Connect identity provider with magic link auth, passkeys, multi-tenant organizations, and per-org MFA enforcement. Built with Laravel and Nuxt.

OAuth2+OIDC • Standards Compliant
<100ms • Token Validation
Users Included
EU • Data Residency

OAuth2/OIDC for the Workplace.hr ecosystem

IdPlace handles authentication and issues tokens. Your application validates tokens via introspection or JWKS. Users never touch passwords — magic links and passkeys only.

  • User: signs in via magic link, passkey, or social login (Google/Facebook)
  • IdPlace (OAuth2/OIDC): issues access tokens via the Authorization Code + PKCE flow
  • Workplace.hr API: validates tokens via introspection (RFC 7662) or JWKS

git log --oneline features

feat/passwordless-auth
Magic link authentication
No passwords, ever. Users enter their email and receive a secure magic link. Social login via Google and Facebook for frictionless onboarding. Session-based auth for the admin UI.
Magic Links, Google, Facebook, Passwordless
feat/multi-tenant
Organizations, memberships, and invitations
Multi-tenant architecture with roles (owner, admin, billing, member). Invite users via email, verify and link custom domains, configure SSO per organization. Database-per-tenant isolation with automatic mailbox provisioning.
Organizations, Invitations, Domain Verification, DB Isolation
feat/mfa
TOTP + WebAuthn/Passkeys with per-org enforcement
Time-based one-time passwords compatible with Google Authenticator and Authy. WebAuthn support for hardware keys (YubiKey) and biometrics (Face ID, Touch ID, Windows Hello). Organization admins can enforce MFA for all members. Recovery codes for backup.
TOTP, WebAuthn, Passkeys, Recovery Codes
feat/oauth2-oidc
Full OAuth2 + OpenID Connect with PKCE
Authorization Code flow with PKCE for public clients. Token introspection (RFC 7662) for service-to-service validation. Token revocation (RFC 7009). JWKS endpoint for public key distribution. Client credentials grant for machine-to-machine auth.
PKCE, RFC 7662, RFC 7009, JWKS

Multi-layered authentication security

TOTP, WebAuthn/Passkeys, and HashiCorp Vault integration. Per-organization MFA enforcement ensures every member meets your security policy.

🔢
TOTP
Time-based one-time passwords compatible with Google Authenticator, Authy, and any RFC 6238-compliant app. Per-organization enforcement available.
RFC 6238 • 30s window
🔑
WebAuthn / Passkeys
YubiKeys, FIDO2 security keys, Face ID, Touch ID, and Windows Hello for phishing-resistant passwordless authentication.
FIDO2 • WebAuthn L2
🏛️
Vault Integration
Signing keys and database credentials stored in HashiCorp Vault. Automatic key rotation. Your secrets never touch disk.
HashiCorp Vault • AES-256-GCM

Real auth flows, real API calls

IdPlace provides both a polished admin dashboard built with Nuxt 3 and standard OAuth2/OIDC endpoints your applications consume directly.

GET /oauth/authorize?response_type=code&scope=openid%20profile&code_challenge=<S256 challenge>&code_challenge_method=S256
POST /oauth/token
grant_type=authorization_code&code=<authorization code>&code_verifier=<verifier>
OAuth2 Flow

Authorization Code + PKCE

Users authenticate via magic link or social login. IdPlace issues an authorization code, which your backend exchanges for access and refresh tokens. PKCE protects against code interception on public clients.

  • Magic link passwordless authentication
  • Google and Facebook social login
  • PKCE for public and mobile clients
  • OpenID Connect ID tokens with user claims
OAuth2, OIDC, PKCE
Token Introspection

Service-to-Service Validation

Your API validates access tokens by calling the introspection endpoint (RFC 7662). IdPlace returns the token's active status, scopes, and associated user. Alternatively, validate locally by checking the JWT signature against the keys published at the JWKS endpoint; note that a locally validated token remains usable until it expires, so a revocation via RFC 7009 takes effect immediately only for callers that introspect.

  • RFC 7662 token introspection
  • RFC 7009 token revocation
  • JWKS for local JWT validation
  • Client credentials for machine-to-machine
RFC 7662, RFC 7009, JWKS

Access Token (AT): Bearer • Active
Refresh Token (RT): Rotation • Valid
ID Token (ID): JWT • Verified
JWKS (JK): RS256 • Published
🏢
For Workplace.hr Customers
SSO across all your HR tools

IdPlace is the identity backbone of Workplace.hr. Every company that signs up gets SSO, team management, and a company @workplace.hr email address — all powered by IdPlace under the hood.

  • Single sign-on across all Workplace.hr modules
  • Automatic company mailbox provisioning
  • Team management with roles (owner, admin, billing, member)
  • Invite colleagues via email with one click
  • Per-organization MFA enforcement for compliance
// Token introspection response

POST /oauth/introspect

{
  "active": true,
  "sub": "usr_k7m9x2",
  "scope": "openid profile",
  "client_id": "workplace-hr",
  "org_id": "org_acme",
  "role": "admin"
}
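The service-to-service validation described above, as an added example that is not IdPlace's code: the resource server posts the token to `/oauth/introspect` with its own client credentials and then decides on the request from the fields in the sample response shown here. The endpoint URL, the API's client id and secret, and the injected fetch implementation are assumptions; the stand-in fetch is constructed so the example runs offline.

```javascript
// POST /oauth/introspect with the token as form data. The caller authenticates
// with its own client credentials (HTTP Basic), as RFC 7662 requires.
function makeIntrospector(fetchImpl, endpoint, clientId, clientSecret) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
  return async (token) => {
    const resp = await fetchImpl(endpoint, {
      method: 'POST',
      headers: { Authorization: `Basic ${basic}`, 'Content-Type': 'application/x-www-form-urlencoded' },
      body: new URLSearchParams({ token, token_type_hint: 'access_token' }).toString(),
    });
    if (!resp.ok) throw new Error(`introspection failed: HTTP ${resp.status}`);
    return resp.json();
  };
}

// Authorization decision from the introspection fields the sample response shows.
// Each denial carries a distinct reason so it can be logged and alerted on.
function decide(info, policy, now = Math.floor(Date.now() / 1000)) {
  if (info.active !== true) return { ok: false, reason: 'token_inactive' };            // revoked, expired or unknown
  if (info.exp !== undefined && info.exp <= now) return { ok: false, reason: 'token_expired' };
  if (info.client_id !== policy.clientId) return { ok: false, reason: 'wrong_client' }; // issued to another app
  if (info.org_id !== policy.orgId) return { ok: false, reason: 'wrong_org' };          // cross-tenant token
  const granted = new Set((info.scope || '').split(' ').filter(Boolean));
  const missing = policy.scopes.filter((s) => !granted.has(s));
  if (missing.length > 0) return { ok: false, reason: 'insufficient_scope', missing };
  return { ok: true, sub: info.sub, role: info.role };
}

// Constructed stand-in for fetch: one token maps to the sample response above;
// anything else gets {"active": false}, which is all RFC 7662 lets the server
// reveal about an unknown or revoked token.
const SAMPLE_RESPONSE = {
  active: true, sub: 'usr_k7m9x2', scope: 'openid profile',
  client_id: 'workplace-hr', org_id: 'org_acme', role: 'admin',
};
async function fakeFetch(_url, opts) {
  const token = new URLSearchParams(opts.body).get('token');
  const body = token === 'tok_constructed_valid' ? SAMPLE_RESPONSE : { active: false };
  return { ok: true, status: 200, json: async () => body };
}

// Assumed endpoint and API credentials (placeholders, not real values).
const introspect = makeIntrospector(fakeFetch, 'https://auth.idplace.hr/oauth/introspect',
  'workplace-hr-api', 'CLIENT_SECRET_PLACEHOLDER');

// Usage: decide on a bearer token for a tenant-scoped endpoint that needs "profile".
async function checkRequest(bearerToken, policy) {
  return decide(await introspect(bearerToken), policy);
}
```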
☁️
Self-Hosted on Kubernetes
EU-hosted • Vault-integrated • Your infrastructure

IdPlace runs on K3s/Kubernetes with HashiCorp Vault for secrets management. All data stays in the EU. Deploy on your own infrastructure for complete control over your identity data.

  • Runs on K3s or any Kubernetes cluster
  • HashiCorp Vault for signing keys and DB credentials
  • PostgreSQL with per-tenant schema isolation
  • Redis for session and cache management
  • All data stays in the European Union
# IdPlace deployment stack

services:
  idplace:
    runtime: "Laravel 12 / PHP 8.4"
    database: "PostgreSQL 16"
    cache: "Redis 7"
    secrets: "HashiCorp Vault"
  admin-ui:
    framework: "Nuxt 3 + Vue 3"
    infra: "K3s / Kubernetes"
    region: "EU"
$ curl https://auth.idplace.hr/.well-known/openid-configuration

Start building with IdPlace

Sign up for Workplace.hr and get IdPlace-powered identity out of the box. Magic links, passkeys, organizations, and OAuth2 — all included.