Last Updated: 2026-03-29
Classification: Internal

Sentinel protects API access using DPoP (Demonstrating Proof of Possession) sender-constrained tokens, replay defenses, session revocation controls, SSF (Shared Signals Framework) event intake, and payload-bound authorization checks for high-risk operations.
Primary modules in scope:
- Sentinel.DPoP
- Sentinel.Session
- Sentinel.SSF
- Sentinel.Rar
- Sentinel.Redis
- Sentinel.AspNetCore
- Sentinel.Infrastructure
Assets in scope:
- Access and refresh tokens
- DPoP proof integrity and proof private-key binding semantics
- Session blacklist and replay-state records
- SSF event trust decisions
- Authorization detail constraints for high-risk transfers
- Security telemetry and incident correlation data
Trust boundaries:
- External clients -> API host
- API host -> cache/state backends
- API host -> identity provider discovery/JWKS
- Event sender -> SSF ingress endpoint
- Internal service boundaries between protocol and adapter modules
| Threat | Impact | Likelihood | Primary Mitigation |
|---|---|---|---|
| Access token replay | High | Medium | JTI replay checks with fail-closed behavior |
| DPoP proof replay | High | Medium | Proof JTI replay state + nonce handling |
| Nonce bypass/reuse | High | Medium | 401 `use_dpop_nonce` challenge flow; the client retries with the server-issued nonce |
| Authorization payload tampering | High | Medium | RAR-style transfer bounds filter |
| SSF forgery or stale event replay | High | Medium | Signature/issuer/timing checks + fixed-time auth token compare |
| Composite auth downgrade attempts | Medium | Medium | Auth scheme routing + protocol-specific validation paths |
| Discovery/JWKS dependency amplification | Medium | Medium | Shared metadata manager and cache-aware validation paths |
| Telemetry privacy leakage via naive IP hashing | High | Low | HMAC-based SecurityContextHasher in diagnostics module |
| Cache outage on security-critical checks | High | Medium | Fail-closed semantics for replay/session checks |
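
The "Authorization payload tampering" row relies on the finance transfer guard comparing the request body against the signed authorization details. The following is an added illustration of that comparison, not Sentinel.Rar's own code: the `authorization_details` field names (`type`, `source_account`, `destinations`, `max_amount`, `currency`), the `TransferRequest` shape and the reason codes are assumptions made here. It shows the two properties the table calls for: every bound in the signed detail is checked against the actual payload, and the client-facing result is a single opaque string while the specific mismatches are returned for internal logging only.

```csharp
// Added example (assumed detail shape), not Sentinel's finance guard.
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Text.Json;

public sealed record TransferRequest(string SourceAccount, string DestinationAccount,
                                     decimal Amount, string Currency);

// One entry of the signed authorization_details claim, read after token validation.
public sealed record TransferAuthorization(string SourceAccount, IReadOnlyList<string> Destinations,
                                           decimal MaxAmount, string Currency);

// ClientMessage is all the caller returns externally; InternalReasons go to the security log.
public sealed record TransferGuardDecision(bool Allowed, string ClientMessage,
                                           IReadOnlyList<string> InternalReasons);

public static class TransferGuard
{
    public const string OpaqueDenial = "transfer_not_authorized";

    // Parses the authorization_details JSON array into typed bounds. Amounts travel as
    // decimal strings so no binary floating point rounding creeps into a monetary limit.
    public static List<TransferAuthorization> Parse(string authorizationDetailsJson)
    {
        var list = new List<TransferAuthorization>();
        using var doc = JsonDocument.Parse(authorizationDetailsJson);
        foreach (var d in doc.RootElement.EnumerateArray())
        {
            if (d.GetProperty("type").GetString() != "payment_initiation") continue; // assumed type name
            list.Add(new TransferAuthorization(
                d.GetProperty("source_account").GetString()!,
                d.GetProperty("destinations").EnumerateArray().Select(x => x.GetString()!).ToList(),
                decimal.Parse(d.GetProperty("max_amount").GetString()!,
                              NumberStyles.AllowDecimalPoint, CultureInfo.InvariantCulture),
                d.GetProperty("currency").GetString()!));
        }
        return list;
    }

    // Allows the transfer only if some signed entry covers every field of the payload.
    public static TransferGuardDecision Check(TransferRequest req, IReadOnlyList<TransferAuthorization> details)
    {
        if (req.Amount <= 0m)
            return new TransferGuardDecision(false, OpaqueDenial, new[] { "amount_not_positive" });
        if (details.Count == 0)
            return new TransferGuardDecision(false, OpaqueDenial, new[] { "no_payment_initiation_detail" });

        var reasons = new List<string>();
        foreach (var d in details)
        {
            var mismatches = new List<string>();
            if (!string.Equals(d.SourceAccount, req.SourceAccount, StringComparison.Ordinal))
                mismatches.Add("source_account");
            if (!d.Destinations.Contains(req.DestinationAccount, StringComparer.Ordinal))
                mismatches.Add("destination_not_allowed");
            if (!string.Equals(d.Currency, req.Currency, StringComparison.Ordinal))
                mismatches.Add("currency");
            if (req.Amount > d.MaxAmount)
                mismatches.Add("amount_exceeds_bound");

            if (mismatches.Count == 0)
                return new TransferGuardDecision(true, "ok", Array.Empty<string>());
            reasons.Add($"detail[{d.SourceAccount}]: {string.Join(",", mismatches)}");
        }
        // The caller logs InternalReasons internally and sends only ClientMessage to the client.
        return new TransferGuardDecision(false, OpaqueDenial, reasons);
    }
}
```

`Check` runs after token validation, at the transfer endpoint's filter, and deliberately evaluates every bound of a candidate entry rather than stopping at the first mismatch, so the internal log records the full set of divergences (useful for the "finance bounds exceeded" signal) while the caller never echoes the expected values back to the client.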
Implemented mitigations:
- DPoP proof validation in Sentinel.DPoP and ASP.NET middleware integration.
- Nonce challenge semantics with explicit retry path.
- Replay state checks for proof/token identifiers.
- Session blacklist checks in request authorization paths.
- Logout and SSF pathways converge on session invalidation.
- Event token parsing and validation in Sentinel.SSF + endpoint ingress checks.
- Timing-safe static auth token comparison for shared token mode.
- Finance transfer guard compares request payload to signed authorization details.
- External responses remain opaque; detailed mismatch data is logged internally.
- Canonical IP context hashing via HMAC in Sentinel.Security.Diagnostics/SecurityContextHasher.cs.
- No plain SHA256(IP) logging in active paths.
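
The two telemetry items above ban plain `SHA256(IP)` in favor of keyed, canonicalized hashing. The following is an added illustration of that approach, not the contents of `SecurityContextHasher.cs`: the class name `IpContextHasher`, the key-length rule, the `purpose` label used for domain separation and the 128-bit truncation are assumptions made here. The comments carry the reason the unkeyed form leaks: the IPv4 space has only 2^32 values, so an unkeyed digest of an address is inverted by enumeration.

```csharp
// Added example, not Sentinel.Security.Diagnostics code.
using System;
using System.Net;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Text;

public sealed class IpContextHasher
{
    private readonly byte[] _key;

    public IpContextHasher(byte[] telemetryHashKey)
    {
        // A secret from the key store is what makes the output non-invertible: without it,
        // SHA256(ip) over all 2^32 IPv4 addresses is a lookup table anyone can build.
        if (telemetryHashKey.Length < 32)
            throw new ArgumentException("telemetry hash key must be at least 32 bytes", nameof(telemetryHashKey));
        _key = telemetryHashKey;
    }

    // Canonical form so "::ffff:203.0.113.7" and "203.0.113.7" correlate to one value;
    // an IPv6 scope id names the local interface, not the peer, so it is dropped.
    public static string Canonicalize(string remoteAddress)
    {
        var ip = IPAddress.Parse(remoteAddress);
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();
        if (ip.AddressFamily == AddressFamily.InterNetworkV6 && ip.ScopeId != 0)
            ip = new IPAddress(ip.GetAddressBytes());
        return ip.ToString();
    }

    // purpose gives domain separation: the same address hashed for "ratelimit" and for
    // "incident" yields unrelated tags, so one exported dataset cannot be joined to another.
    public string Hash(string purpose, string remoteAddress)
    {
        var input = Encoding.UTF8.GetBytes(purpose + "\n" + Canonicalize(remoteAddress));
        var mac = HMACSHA256.HashData(_key, input);
        // 128 bits is ample for correlation and keeps log lines short.
        return Convert.ToHexString(mac, 0, 16).ToLowerInvariant();
    }
}
```

Correlation across services only works if every emitter shares the same key and the same `purpose` string, which is why the hasher sits in one diagnostics module rather than being re-implemented per module; rotating the key breaks correlation across the rotation boundary, so rotation should coincide with a telemetry retention boundary.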
The following are mandatory security behaviors:
- replay or blacklist state unavailable -> reject request
- invalid/stale/malformed DPoP proof -> reject request
- invalid SSF token -> reject event processing
- missing/invalid required nonce -> challenge, do not bypass
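
The DPoP items in the mitigation list and the fail-closed rules above describe one validation path: header and payload checks, the nonce challenge, key binding to the access token, signature verification, and a replay check that rejects when the state backend is unavailable. The following is an added example of that path, not Sentinel.DPoP's own code: `IReplayStore`, the `isServerIssuedNonce` callback, the outcome enum and the 60-second proof age are assumptions made here; the proof fields (`typ`, `alg`, `jwk`, `htm`, `htu`, `iat`, `jti`, `nonce`, `ath`) and the `cnf.jkt` thumbprint are the standard DPoP ones.

```csharp
// Added example, not Sentinel.DPoP code. ES256 proofs only; other algorithms are rejected.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public enum DpopOutcome { Accepted, Rejected, NonceChallenge }

public interface IReplayStore
{
    // True if jti was newly recorded, false if already seen. Throws when the backend is
    // unreachable so the caller fails closed instead of silently skipping the check.
    bool TryRecord(string jti, TimeSpan ttl);
}

public sealed class DpopProofValidator
{
    private static readonly TimeSpan MaxProofAge = TimeSpan.FromSeconds(60); // assumed window
    private readonly IReplayStore _replay;
    private readonly Func<string, bool> _isServerIssuedNonce; // assumed hook into the nonce issuer

    public DpopProofValidator(IReplayStore replay, Func<string, bool> isServerIssuedNonce)
    { _replay = replay; _isServerIssuedNonce = isServerIssuedNonce; }

    // method/uri describe the request actually received. accessToken and expectedJkt (the
    // token's cnf.jkt) are null on the token endpoint, where no bound token exists yet.
    public DpopOutcome Validate(string proof, string method, string uri,
                                string? accessToken, string? expectedJkt, DateTimeOffset now)
    {
        try
        {
            var parts = proof.Split('.');
            if (parts.Length != 3) return DpopOutcome.Rejected;
            using var header = JsonDocument.Parse(B64UrlDecode(parts[0]));
            using var payload = JsonDocument.Parse(B64UrlDecode(parts[1]));
            var h = header.RootElement;
            var p = payload.RootElement;

            // Header: fixed type, an asymmetric algorithm we accept, public key material only.
            if (h.GetProperty("typ").GetString() != "dpop+jwt") return DpopOutcome.Rejected;
            if (h.GetProperty("alg").GetString() != "ES256") return DpopOutcome.Rejected;
            var jwk = h.GetProperty("jwk");
            if (jwk.TryGetProperty("d", out _)) return DpopOutcome.Rejected;

            // Payload must describe this exact request (htu without query/fragment) and be fresh.
            if (p.GetProperty("htm").GetString() != method) return DpopOutcome.Rejected;
            if (p.GetProperty("htu").GetString() != uri.Split('?', '#')[0]) return DpopOutcome.Rejected;
            var iat = DateTimeOffset.FromUnixTimeSeconds(p.GetProperty("iat").GetInt64());
            if ((now - iat).Duration() > MaxProofAge) return DpopOutcome.Rejected;
            var jti = p.GetProperty("jti").GetString();
            if (string.IsNullOrEmpty(jti)) return DpopOutcome.Rejected;

            // Nonce absent or not one we issued: the caller answers 401 with error=use_dpop_nonce
            // and a fresh DPoP-Nonce header so the client retries. A challenge, never a bypass.
            if (!p.TryGetProperty("nonce", out var nonce) || !_isServerIssuedNonce(nonce.GetString() ?? ""))
                return DpopOutcome.NonceChallenge;

            // Binding on resource requests: proof key must equal cnf.jkt and ath must commit to the token.
            if (accessToken is not null)
            {
                if (Thumbprint(jwk) != expectedJkt) return DpopOutcome.Rejected;
                var ath = B64UrlEncode(SHA256.HashData(Encoding.ASCII.GetBytes(accessToken)));
                if (p.GetProperty("ath").GetString() != ath) return DpopOutcome.Rejected;
            }

            // Signature over header.payload with the embedded public key.
            if (!VerifyEs256(jwk, parts[0] + "." + parts[1], B64UrlDecode(parts[2]))) return DpopOutcome.Rejected;

            // Replay: accept the first sight of this jti only; store outage -> reject (fail closed).
            try { if (!_replay.TryRecord("dpop:" + jti, MaxProofAge * 2)) return DpopOutcome.Rejected; }
            catch (Exception) { return DpopOutcome.Rejected; }

            return DpopOutcome.Accepted;
        }
        catch (Exception ex) when (ex is JsonException or KeyNotFoundException or FormatException
                                   or InvalidOperationException or CryptographicException)
        {
            return DpopOutcome.Rejected; // malformed proof
        }
    }

    // RFC 7638 thumbprint: required EC members in lexicographic order, no whitespace.
    public static string Thumbprint(JsonElement jwk)
    {
        var canonical = "{\"crv\":\"P-256\",\"kty\":\"EC\",\"x\":\"" + jwk.GetProperty("x").GetString()
                      + "\",\"y\":\"" + jwk.GetProperty("y").GetString() + "\"}";
        return B64UrlEncode(SHA256.HashData(Encoding.UTF8.GetBytes(canonical)));
    }

    private static bool VerifyEs256(JsonElement jwk, string signingInput, byte[] signature)
    {
        if (jwk.GetProperty("kty").GetString() != "EC" || jwk.GetProperty("crv").GetString() != "P-256") return false;
        using var ecdsa = ECDsa.Create(new ECParameters
        {
            Curve = ECCurve.NamedCurves.nistP256,
            Q = new ECPoint { X = B64UrlDecode(jwk.GetProperty("x").GetString()!),
                              Y = B64UrlDecode(jwk.GetProperty("y").GetString()!) }
        });
        // JWS ES256 signatures are r||s (64 bytes), which is .NET's default IEEE P1363 format.
        return signature.Length == 64
            && ecdsa.VerifyData(Encoding.ASCII.GetBytes(signingInput), signature, HashAlgorithmName.SHA256);
    }

    private static byte[] B64UrlDecode(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    private static string B64UrlEncode(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}
```

The three outcomes map directly onto the middleware's responses: `NonceChallenge` becomes the 401 `use_dpop_nonce` answer with a new `DPoP-Nonce` header, `Rejected` becomes a 401 `invalid_dpop_proof` with no detail, and only `Accepted` lets the request continue to the session blacklist check. The replay TTL is twice the accepted proof age so a jti cannot be reused after the store entry expires but the proof is still inside the freshness window.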
Monitoring signals:
- Replay detection spikes
- DPoP failure ratio increase
- use_dpop_nonce surge patterns
- SSF rejection trends
- Finance transfer bounds-exceeded events
- Cache dependency latency/error rates
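
The "SSF rejection trends" signal above counts the outcomes of the SSF ingress checks listed in the mitigations (event token parsing and validation, plus timing-safe comparison of the static auth token in shared-token mode) and the "invalid SSF token -> reject event processing" rule. The following is an added example of that ingress, not Sentinel.SSF's own code. It assumes the `Microsoft.IdentityModel.JsonWebTokens` package for signature and claim validation; `SsfIngressOptions`, `ISetReplayStore`, the outcome enum and the five-minute freshness window are assumptions made here, while the `secevent+jwt` type and the CAEP `session-revoked` event type URI are the standard values.

```csharp
// Added example, not Sentinel.SSF code. Requires the Microsoft.IdentityModel.JsonWebTokens package.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

// Each rejected outcome is its own counter; together they form the "SSF rejection trends" signal.
public enum SsfOutcome { Accepted, SenderUnauthorized, InvalidToken, StaleToken, Replayed, StateUnavailable, UnsupportedEvent }

public interface ISetReplayStore
{
    bool TryRecord(string jti, TimeSpan ttl); // false if seen before; throws if the backend is down
}

public sealed class SsfIngressOptions
{
    public string ExpectedIssuer { get; init; } = "";              // transmitter issuer from the stream config
    public string ExpectedAudience { get; init; } = "";            // this receiver's audience value
    public SecurityKey TransmitterKey { get; init; } = null!;      // resolved from the transmitter's JWKS
    public byte[] SharedAuthToken { get; init; } = Array.Empty<byte>(); // shared-token mode only
    public TimeSpan MaxAge { get; init; } = TimeSpan.FromMinutes(5);    // assumed freshness window
}

public sealed class SsfIngress
{
    public const string SessionRevoked = "https://schemas.openid.net/secevent/caep/event-type/session-revoked";
    private static readonly JsonWebTokenHandler Handler = new();
    private readonly SsfIngressOptions _opt;
    private readonly ISetReplayStore _replay;

    public SsfIngress(SsfIngressOptions opt, ISetReplayStore replay) { _opt = opt; _replay = replay; }

    // Shared-token mode: the push endpoint's bearer secret is compared in fixed time, so a wrong
    // token costs the same whether zero or all-but-one of its bytes happen to match.
    public bool AuthorizeSender(string? authorizationHeader)
    {
        if (authorizationHeader is null || !authorizationHeader.StartsWith("Bearer ", StringComparison.Ordinal))
            return false;
        var presented = Encoding.UTF8.GetBytes(authorizationHeader.Substring(7).Trim());
        return CryptographicOperations.FixedTimeEquals(presented, _opt.SharedAuthToken);
    }

    // Validates one Security Event Token from the push body; the events object is returned only
    // when every check passes, so the session-revocation handler never sees an unverified SET.
    public async Task<(SsfOutcome Outcome, JsonDocument? Events)> ValidateAsync(string set, DateTimeOffset now)
    {
        var result = await Handler.ValidateTokenAsync(set, new TokenValidationParameters
        {
            ValidIssuer = _opt.ExpectedIssuer,
            ValidAudience = _opt.ExpectedAudience,
            IssuerSigningKey = _opt.TransmitterKey,
            ValidTypes = new[] { "secevent+jwt" },
            RequireExpirationTime = false, // SETs carry iat; exp is optional
            ValidateLifetime = true,       // nbf/exp are still enforced when present
            ClockSkew = TimeSpan.FromSeconds(30),
        });
        if (!result.IsValid || result.SecurityToken is not JsonWebToken jwt) return (SsfOutcome.InvalidToken, null);

        // Freshness: iat is required and bounded both ways, so a captured SET cannot be
        // re-delivered later and a future-dated one is not accepted either.
        if (jwt.IssuedAt == DateTime.MinValue) return (SsfOutcome.InvalidToken, null);
        var age = now - new DateTimeOffset(DateTime.SpecifyKind(jwt.IssuedAt, DateTimeKind.Utc), TimeSpan.Zero);
        if (age > _opt.MaxAge || age < TimeSpan.FromSeconds(-30)) return (SsfOutcome.StaleToken, null);

        // Replay: jti must be new. If the state backend is down, reject rather than skip (fail closed).
        if (string.IsNullOrEmpty(jwt.Id)) return (SsfOutcome.InvalidToken, null);
        try { if (!_replay.TryRecord("set:" + jwt.Id, _opt.MaxAge * 2)) return (SsfOutcome.Replayed, null); }
        catch (Exception) { return (SsfOutcome.StateUnavailable, null); }

        // events is a JSON object keyed by event type URI; only types with a handler are accepted.
        if (!jwt.TryGetClaim("events", out var eventsClaim)) return (SsfOutcome.InvalidToken, null);
        var events = JsonDocument.Parse(eventsClaim.Value);
        if (!events.RootElement.TryGetProperty(SessionRevoked, out _))
        {
            events.Dispose();
            return (SsfOutcome.UnsupportedEvent, null);
        }
        return (SsfOutcome.Accepted, events);
    }
}
```

`AuthorizeSender` runs before the body is read at all, so an unauthenticated sender never reaches the parser; `StateUnavailable` is kept distinct from `Replayed` in the counters so an outage of the replay backend shows up as a dependency problem in the cache latency/error signal rather than as an apparent attack.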
Known gaps and operational risks:
- Container packaging path is incomplete in repo (see CONTAINER_BUILD_READINESS.md).
- Identity provider outage can degrade trust-refresh operations.
- OpenAPI contract is manually maintained and can drift if not release-gated.
Review this model:
- at each release
- after any authentication pipeline modification
- after introducing/changing endpoint filters
- after cache/state model changes
- after significant incident postmortems
Required synchronized updates:
- ARCHITECTURE.md
- COMPLIANCE_AUDIT_MATRIX.md
- SRE_SOC_RUNBOOKS.md