[EN-C020-040] Auth Monitoring: Real-Time Identity Lakehouse for OIDC + Passkey Drift

Overview

A fast-rising pattern in self-hosted security stacks is to stream OIDC, passkey, and device-trust events into a lightweight “identity lakehouse” and let agents flag drift (logins that deviate from a user's established baseline) before it turns into account takeover.

Use Case

  • Ingest login events from the IdP, the reverse proxy, and the VPN control plane.
  • Build per-user baselines (known ASNs, geo velocity between consecutive logins, device posture, passkey challenge success rate).
  • Trigger graded responses by drift score: step-up auth, temporary token freeze, SOC ping.
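As an added example (not code from this registry entry or from any of the projects it names), the three steps above as one streaming loop in Python: parse constructed login events from the IdP, proxy and VPN, keep a per-user baseline, score each new event for drift, and map the score to a graded response. The event field names, the 900 km/h impossible-travel threshold, the 0.9 baseline ratios and the score-to-response mapping are assumptions for illustration.

```python
"""Added example (not the registry page's own code): per-user auth baselines
plus graded drift responses over constructed OIDC/passkey login events.
Field names, thresholds and the sample events are assumptions for illustration."""
import json
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample stream for one user. Event 4 is a benign new ASN (home
# location, trusted device); events 6-7 are the drift: a failed passkey
# challenge from a new ASN, then an impossible-travel login on an untrusted device.
SAMPLE_EVENTS = [
    '{"ts":"2026-01-05T08:00:00Z","user":"alice","src":"idp","asn":3320,"lat":52.52,"lon":13.40,"trusted":true,"method":"passkey","ok":true}',
    '{"ts":"2026-01-05T08:01:00Z","user":"alice","src":"proxy","asn":3320,"lat":52.52,"lon":13.40,"trusted":true,"method":"oidc","ok":true}',
    '{"ts":"2026-01-06T08:05:00Z","user":"alice","src":"vpn","asn":3320,"lat":52.52,"lon":13.40,"trusted":true,"method":"passkey","ok":true}',
    '{"ts":"2026-01-06T12:30:00Z","user":"alice","src":"idp","asn":3209,"lat":52.52,"lon":13.40,"trusted":true,"method":"oidc","ok":true}',
    '{"ts":"2026-01-07T09:00:00Z","user":"alice","src":"idp","asn":3320,"lat":52.52,"lon":13.40,"trusted":true,"method":"passkey","ok":true}',
    '{"ts":"2026-01-07T09:20:00Z","user":"alice","src":"idp","asn":16509,"lat":37.77,"lon":-122.42,"trusted":false,"method":"passkey","ok":false}',
    '{"ts":"2026-01-07T09:25:00Z","user":"alice","src":"idp","asn":16509,"lat":37.77,"lon":-122.42,"trusted":false,"method":"oidc","ok":true}',
]

MAX_PLAUSIBLE_KMH = 900.0  # assumed impossible-travel threshold (airliner speed)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


class Baseline:
    """Rolling per-user profile. It is updated only from events that were
    allowed, so an attacker's first login cannot poison the baseline."""

    def __init__(self):
        self.asns = set()
        self.last_fix = None  # (ts, lat, lon) of the last allowed login
        self.trusted_logins = 0
        self.total_logins = 0
        self.challenges = 0
        self.challenges_ok = 0

    def update(self, ev):
        self.asns.add(ev["asn"])
        self.last_fix = (parse_ts(ev["ts"]), ev["lat"], ev["lon"])
        self.total_logins += 1
        self.trusted_logins += 1 if ev["trusted"] else 0
        if ev["method"] == "passkey":
            self.challenges += 1
            self.challenges_ok += 1 if ev["ok"] else 0


def score_event(bl, ev):
    """Return (score, reasons) for one event against the user's baseline."""
    reasons = []
    if bl.total_logins == 0:
        return 0, reasons  # cold start: nothing to compare against yet
    if ev["asn"] not in bl.asns:
        reasons.append("new_asn")
    prev_ts, prev_lat, prev_lon = bl.last_fix
    hours = (parse_ts(ev["ts"]) - prev_ts).total_seconds() / 3600.0
    dist = haversine_km(prev_lat, prev_lon, ev["lat"], ev["lon"])
    if hours > 0 and dist / hours > MAX_PLAUSIBLE_KMH:
        reasons.append("impossible_travel")
    if not ev["trusted"] and bl.trusted_logins / bl.total_logins >= 0.9:
        reasons.append("untrusted_device")
    if (ev["method"] == "passkey" and not ev["ok"] and bl.challenges
            and bl.challenges_ok / bl.challenges >= 0.9):
        reasons.append("passkey_failure")
    return len(reasons), reasons


def graded_response(score):
    """Map a drift score to the graded responses named in the use case."""
    if score == 0:
        return "allow"
    if score == 1:
        return "step_up"
    if score == 2:
        return "token_freeze"
    return "soc_ping"


def process(lines):
    """Stream JSON events; return per-event decisions and the final baselines."""
    baselines = defaultdict(Baseline)
    decisions = []
    for line in lines:
        ev = json.loads(line)
        bl = baselines[ev["user"]]
        score, reasons = score_event(bl, ev)
        action = graded_response(score)
        decisions.append((ev["ts"], ev["user"], action, reasons))
        if action == "allow":
            bl.update(ev)
    return decisions, baselines


if __name__ == "__main__":
    for decision in process(SAMPLE_EVENTS)[0]:
        print(decision)
```

On the sample stream the benign carrier change on day two scores one reason and gets a step-up, while the two Jan 7 events from a new ASN and an untrusted device hit all four signals and page the SOC. Two caveats worth carrying into a real pipeline: only allowed logins feed the baseline (a successful step-up should be fed back explicitly once its outcome is known, which this example does not model), and the geo-velocity signal assumes the lat/lon came from a trustworthy IP-to-location source; VPN exit nodes from the page's own tailnet will otherwise look like impossible travel.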

Tools Used

  • cron: minute-level polling and hourly baseline recompute
  • sessions_spawn: analyst + verifier sub-agents for anomaly triage
  • sessions_send: escalation handoff to human operators
  • sessions_history: post-incident audit trail and rule tuning

Trend Signals (2026 Q1)

  • The zitadel/zitadel ecosystem keeps shipping quickly and is frequently used as the self-hosted OIDC core.
  • Homelab GitOps stacks increasingly bundle authentik with observability/security controls (e.g., cypr0/k8s-home).
  • Self-hosted tailnet control projects (headscale operators/UI forks) are being wired into auth telemetry pipelines.

Registry ID: EN-040 | Status: Verified | Language: English