
Three Identity Planes, One Platform

Customer Entra (infrastructure) · Provider Entra (platform ops) · Magic Link (end users), unified into a single session model

πŸ›οΈ CUSTOMER ENTRA ID Customer's Azure AD tenant β€’ Owns Azure subscription β€’ Creates Managed Identity β€’ Provisions AKS, Cosmos, OpenAI β€’ Runs Terraform ⚑ May or may not use the AI services Example: IT dept at Acme Corp πŸ”§ PROVIDER ENTRA ID BrainzBytes / MSP tenant β€’ Platform engineers (ajay@, sre@) β€’ Deploy & manage ContextWeaver β€’ Admin dashboard access β€’ Visual Designer, Monitoring, Cluster πŸ›‘οΈ Role: manager (full admin) SSO via Microsoft Β· MFA enforced βœ‰οΈ MAGIC LINK USERS End users β€” any email address β€’ Self-register on login page β€’ Admin approves (one-time) β€’ Passwordless login via email link β€’ Chat, tools, personal credentials πŸ‘€ Role: viewer / developer Gmail, Outlook, corporate β€” any email Terraform / kubectl 🌐 Login Page β€” app.brainzbytes.com πŸ” Microsoft SSO βœ‰οΈ Magic Link πŸ“ Register session["user"] 🧠 CONTEXTWEAVER PLATFORM All auth paths produce identical session β€” same RBAC, vault, RAG for everyone πŸ”€ Auth Router Entra / Magic / SSO πŸ‘€ Session Mgr email Β· roles Β· groups πŸ›‘οΈ RBAC viewerβ†’devβ†’sqaβ†’mgr πŸ”’ Vault Cascade orgβ†’groupβ†’user 🧢 RAG Isolation scoped indexes ☁️ Azure Infrastructure AKS Β· Cosmos Β· OpenAI Β· Key Vault Β· ACS Managed Identity Β· RBAC Β· Terraform WHAT EACH IDENTITY ACCESSES πŸ›οΈ Customer IT May not log into the app at all β€’ Azure Portal access β€’ Terraform state β€’ Cost management & billing β€’ Network & security policies πŸ”§ Provider Admin Full platform management β€’ Admin Dashboard β€’ Visual Designer + Plugin Builder β€’ Cluster View + Monitoring β€’ User approval + Site Admin βœ‰οΈ End Users AI-powered chat interface β€’ Chat with AI assistant β€’ MCP tools across connectors β€’ Personal credentials & prefs β€’ Create & manage groups πŸ‘₯ Groups (Self-Service) Team/family/plan isolation β€’ Create group (become admin) β€’ Invite by email (ACS) β€’ Shared connectors & policies β€’ Isolated from other groups

Plane 1: Customer Entra ID

The customer's Azure AD tenant that owns the cloud infrastructure. This is the billing owner and infrastructure manager.

What they control:
  • Azure subscription & resource group
  • Managed Identity (aiopm-mi) + role assignments
  • Terraform state: provisions AKS, Cosmos, OpenAI, Key Vault, ACR, ACS
  • Network security groups, firewall rules, DNS
  • Cost management and billing
Key point:

These users may never log into the app. They manage infrastructure via the Azure Portal, Terraform, and kubectl. They don't use the AI chat or MCP tools; they just make sure the platform runs.

Example: Acme Corp's IT department provisions the Azure resources. They don't use ContextWeaver's AI features; those are for the business users.

Plane 2: Provider Entra ID (BrainzBytes)

The service provider's Azure AD tenant. Platform engineers who deploy, manage, and maintain ContextWeaver.

What they do:
  • Log in via Microsoft SSO (Entra OIDC)
  • Access full Admin Dashboard β€” all tabs
  • Design plugins in Visual Designer
  • Monitor with Grafana/Prometheus
  • Approve user registrations in Site tab
  • Manage MCP engines, connectors, indexes
Auth flow:
1. Click "Sign in with Microsoft" on the login page
2. Redirect to the Microsoft Entra OIDC login
3. MFA challenge (if configured by the tenant admin; the platform relies on Entra for this factor rather than running its own)
4. Callback: session created with roles: ["manager"]

Plane 3: Magic Link Users (End Users)

External users who register with any email address. Passwordless authentication via email magic links.

Registration flow:
1. Click "Request Access" and fill in Name, Email, Company
2. Account created (status: pending)
3. Provider admin notified; approves in the Site tab
4. Welcome email sent with login link; status: active
Login flow (after approval):
1. Enter email and click "Send Magic Link"
2. A JWT valid for 15 minutes is sent to that address via ACS
3. Click the link; the token is validated and a session is created
4. Lands in User View with roles: ["developer"]

No passwords. Email IS the identity, as with Slack, Notion, and Vercel. That also makes the mailbox the trust anchor: whoever can read the inbox can log in, and the 15-minute expiry bounds how long a forwarded or leaked link stays usable.
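The magic-link login flow above, as an added illustration (this is not ContextWeaver's code). It issues the 15-minute HS256 JWT the page describes using only the standard library, and the verifier applies the checks a practitioner would want on the click-back: pinned algorithm, constant-time signature check, expiry, single use per token id, and an approval-status lookup so a still-pending registration cannot log in. The user directory, secret, claim names and the single-use rule are assumptions of this example, not facts from the page.

```python
"""Magic-link token issue/verify (added example, stdlib only)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

MAGIC_LINK_TTL = 15 * 60  # seconds; the page specifies a 15-minute token

# Constructed sample directory standing in for the Cosmos DB user store.
# Status follows the registration flow: "pending" until an admin approves.
USER_DIRECTORY: Dict[str, dict] = {
    "sarah@acme.com": {"displayName": "Sarah Chen", "status": "active", "groups": ["acme-corp"]},
    "newguy@gmail.com": {"displayName": "New Guy", "status": "pending", "groups": []},
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def issue_magic_token(email: str, secret: bytes, now: Optional[float] = None) -> str:
    """Build the compact HS256 JWT that the emailed link carries."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "sub": email.strip().lower(),      # email IS the identity, so normalize it
        "purpose": "magic_link",           # assumed claim: stops other HS256 tokens being accepted here
        "iat": int(now),
        "exp": int(now) + MAGIC_LINK_TTL,
        "jti": secrets.token_urlsafe(16),  # unique id so each link can be burned after use
    }
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts).encode("ascii")
    return ".".join(parts + [_b64url(_sign(signing_input, secret))])


class MagicLinkVerifier:
    """Validates a clicked link; returns (unified session dict or None, reason)."""

    def __init__(self, secret: bytes, directory: Dict[str, dict]):
        self._secret = secret
        self._directory = directory
        self._consumed: set = set()  # jti replay store; production would use Cosmos/Redis with a TTL

    def verify(self, token: str, now: Optional[float] = None) -> Tuple[Optional[dict], str]:
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            return None, "malformed"
        signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
        try:
            header = json.loads(_b64url_decode(parts[0]))
            claims = json.loads(_b64url_decode(parts[1]))
            sig = _b64url_decode(parts[2])
        except (ValueError, UnicodeDecodeError):
            return None, "malformed"
        if not isinstance(header, dict) or not isinstance(claims, dict):
            return None, "malformed"
        # Pin the algorithm: the token must never choose it (alg=none, key confusion).
        if header.get("alg") != "HS256":
            return None, "bad_alg"
        if not hmac.compare_digest(sig, _sign(signing_input, self._secret)):
            return None, "bad_signature"
        if claims.get("purpose") != "magic_link":
            return None, "wrong_purpose"
        if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
            return None, "expired"
        jti = claims.get("jti")
        if not isinstance(jti, str) or jti in self._consumed:
            return None, "replayed"
        sub = claims.get("sub")
        user = self._directory.get(sub) if isinstance(sub, str) else None
        if user is None or user["status"] != "active":
            return None, "not_approved"
        self._consumed.add(jti)  # burn the link only after every check has passed
        return {
            "email": sub,
            "displayName": user["displayName"],
            "roles": ["developer"],  # page: magic-link users land as developer
            "groups": list(user["groups"]),
            "source": "magic_link",
            "authenticated": True,
        }, "ok"
```

The order of checks matters: the signature is verified before any claim is trusted, and the token id is recorded as consumed only at the very end, so a token that fails a later check (for example a pending account) is not burned by the attempt.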

Unified Session β€” The Glue

All three identity planes produce the exact same session format. The platform doesn't care how you authenticated.

session["user"] = {
  "email": "sarah@acme.com",
  "displayName": "Sarah Chen",
  "roles": ["developer"],   // viewer | developer | sqa | manager
  "groups": ["acme-corp"],  // from Entra AD or Cosmos
  "source": "magic_link",   // or "entra"
  "authenticated": true
}

Downstream systems (RBAC, Vault Cascade, RAG Isolation, MCP Tools) all read from this session. They never check how you logged in, only your email, roles, and groups.
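To make the "same session, any auth path" point concrete, here is an added example (not ContextWeaver's own code) that builds the session dict from either an Entra ID token or an approved magic-link user record, then shows two consumers that read only email, roles and groups: an RBAC gate over the viewer → developer → sqa → manager ladder, and a vault lookup over the org → group → user cascade. Assumptions not stated on the page: the Entra claim names (`preferred_username`, `name`, `groups`), the vault contents, and that the cascade resolves most-specific-first (user wins over group, group over org).

```python
"""Unified session + RBAC + vault cascade (added example, not project code)."""
from typing import Dict, Optional

# Role ladder from the page: viewer -> developer -> sqa -> manager.
ROLE_ORDER = ["viewer", "developer", "sqa", "manager"]
ROLE_RANK = {r: i for i, r in enumerate(ROLE_ORDER)}


def session_from_entra(id_token_claims: dict) -> dict:
    """Provider Entra ID: claims from the OIDC ID token; platform engineers are managers."""
    return {
        "email": id_token_claims["preferred_username"].lower(),  # assumed claim name
        "displayName": id_token_claims.get("name", ""),
        "roles": ["manager"],
        "groups": list(id_token_claims.get("groups", [])),        # Entra group claim
        "source": "entra",
        "authenticated": True,
    }


def session_from_magic_link(user_record: dict) -> dict:
    """Magic link: the approved Cosmos user record supplies roles and groups."""
    return {
        "email": user_record["email"].lower(),
        "displayName": user_record.get("displayName", ""),
        "roles": list(user_record.get("roles", ["developer"])),
        "groups": list(user_record.get("groups", [])),
        "source": "magic_link",
        "authenticated": True,
    }


def effective_rank(session: dict) -> int:
    """Highest rank among the session's roles; unknown role names are ignored, not trusted."""
    ranks = [ROLE_RANK[r] for r in session.get("roles", []) if r in ROLE_RANK]
    return max(ranks) if ranks else -1


def require_role(session: dict, minimum: str) -> bool:
    """Deny-by-default gate: must be authenticated and at least `minimum` on the ladder.
    Note that `source` is never consulted, matching the page's unified-session rule."""
    if not session.get("authenticated"):
        return False
    return effective_rank(session) >= ROLE_RANK[minimum]


# Constructed vault contents for the example. Assumption: most-specific scope wins.
VAULT: Dict[str, dict] = {
    "org": {"openai_api_key": "org-key"},
    "group": {"acme-corp": {"jira_token": "acme-team-jira"}},
    "user": {"sarah@acme.com": {"jira_token": "sarah-personal-jira"}},
}


def resolve_credential(session: dict, name: str, vault: Dict[str, dict] = VAULT) -> Optional[str]:
    """Walk the cascade user -> group -> org and return the first hit, or None."""
    if not session.get("authenticated"):
        return None
    user_scope = vault["user"].get(session["email"], {})
    if name in user_scope:
        return user_scope[name]
    for group in session.get("groups", []):
        group_scope = vault["group"].get(group, {})
        if name in group_scope:
            return group_scope[name]
    return vault["org"].get(name)
```

Because both constructors emit the same keys, `require_role` and `resolve_credential` are written once and never branch on `source`; that single code path is what keeps the RBAC and vault behaviour identical for an engineer who signed in with Microsoft and a user who clicked an email link.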

Identity Plane Comparison

πŸ›οΈ Customer EntraπŸ”§ Provider Entraβœ‰οΈ Magic Link
PurposeInfrastructure ownershipPlatform managementUse AI services
Auth methodAzure Portal / CLIMicrosoft SSO (OIDC)Email magic link (JWT)
Logs into app?OptionalYes β€” Admin ViewYes β€” User View
App roleN/A (infra only)managerviewer / developer
Groups sourceN/AAzure AD groupsCosmos DB (admin-assigned or self-service)
CredentialsManaged IdentityEntra token + vaultPersonal vault (per-user)
MFAAzure AD Conditional AccessEntra MFAEmail = 2FA (you must own the inbox)
RegistrationAzure subscriptionAdded to Entra tenantSelf-service β†’ admin approval
Example usersIT admin at Acmeajay@brainzbytessarah@gmail.com