ADR-0036 — Authentication policy: OAuth 2.1, MFA/passkeys, step-up, token lifecycle

V1 Freeze (2026-06-12): Proposed. Basic authn (OAuth 2.1 + argon2id passwords + API tokens) is V1 via ADR-0010; MFA/passkeys/step-up/DPoP hardening is agreed but not committed to V1.

Context

Authentication is OWASP API Security Top 10 item API2 (Broken Authentication) and the entry point to everything; weak token handling and missing MFA are among the leading causes of breaches. We need a concrete, modern policy for humans and for the tokens that carry identity, not just “we use OIDC.”

Decision

Consequences

Positive

Negative / costs

Alternatives considered

Scaling

Stateless access-token validation at the gateway (cached JWKS); refresh-token family state in Redis/Postgres; step-up decisions cached briefly.
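The refresh-token family state mentioned above is the one piece of this design that cannot be stateless: OAuth 2.1 expects refresh tokens to be rotated on every use, and the server must remember enough about each family to notice when an already-rotated token comes back and revoke the whole family. The following is an added example (not the project's own code, and not part of ADR-0010 or ADR-0036): an in-memory dict stands in for Redis/Postgres so it runs offline, the class name `RefreshFamilyStore`, the 30-day TTL and the subject names are constructed assumptions, and tokens are generated with `secrets` only to make the example self-contained.

```python
# Added example for ADR-0036 (not the project's own code): a refresh-token
# family store with rotation and reuse detection. An in-memory dict stands in
# for the Redis/Postgres store named in the ADR; the 30-day TTL, the class
# name and the subjects used in demo_reuse_detection() are constructed.
import secrets
import time
from dataclasses import dataclass


class RefreshError(Exception):
    """Raised when a presented refresh token must not be honoured."""


@dataclass
class Family:
    family_id: str
    subject: str
    current: str                 # the single refresh token valid right now
    revoked: bool = False
    expires_at: float = 0.0      # absolute expiry of the whole family (epoch seconds)
    rotations: int = 0           # how many rotations this family has seen


class RefreshFamilyStore:
    """Rotation plus reuse detection, as OAuth 2.1 asks of refresh tokens.

    Every token ever issued in a family stays mapped to its family id, so a
    replay of an old (already rotated) token is recognised and the whole
    family is revoked instead of being silently ignored.
    """

    def __init__(self, ttl_seconds=30 * 24 * 3600, clock=time.time):
        self._families = {}          # family_id -> Family
        self._token_to_family = {}   # every token ever issued -> family_id
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so tests can control time

    def issue(self, subject):
        """Start a new family at login; returns the first refresh token."""
        family_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self._families[family_id] = Family(
            family_id, subject, token, expires_at=self._clock() + self._ttl)
        self._token_to_family[token] = family_id
        return token

    def rotate(self, presented):
        """Exchange `presented` for a fresh refresh token, or raise RefreshError."""
        family_id = self._token_to_family.get(presented)
        if family_id is None:
            raise RefreshError("unknown refresh token")
        fam = self._families[family_id]
        if fam.revoked:
            raise RefreshError("family revoked")
        if self._clock() >= fam.expires_at:
            fam.revoked = True
            raise RefreshError("family expired")
        if presented != fam.current:
            # An already-rotated token came back: either a copy leaked and is
            # being replayed, or the client lost the newest token. Either way,
            # revoke the whole family so the holder of the newest token is cut off.
            fam.revoked = True
            raise RefreshError("refresh token reuse detected; family revoked")
        fresh = secrets.token_urlsafe(32)
        fam.current = fresh
        fam.rotations += 1
        self._token_to_family[fresh] = family_id
        return fresh

    def revoke_for_subject(self, subject):
        """Logout-everywhere / incident response: revoke every live family of a user."""
        count = 0
        for fam in self._families.values():
            if fam.subject == subject and not fam.revoked:
                fam.revoked = True
                count += 1
        return count

    def is_usable(self, token):
        """True only for the current token of a live, unexpired family."""
        family_id = self._token_to_family.get(token)
        if family_id is None:
            return False
        fam = self._families[family_id]
        return (not fam.revoked and token == fam.current
                and self._clock() < fam.expires_at)


def demo_reuse_detection():
    """One legitimate rotation, then a replay of the old token (constructed)."""
    store = RefreshFamilyStore()
    t1 = store.issue("alice")
    t2 = store.rotate(t1)            # normal rotation: t1 is now dead, t2 is live
    try:
        store.rotate(t1)             # replay of the already-rotated t1
        outcome = "no error"
    except RefreshError as exc:
        outcome = str(exc)
    # The replay fails AND kills t2, so whoever holds the newest copy is cut off too.
    return outcome, store.is_usable(t2)


if __name__ == "__main__":
    print(demo_reuse_detection())
```

In the real store the check-and-swap of `current` in `rotate()` must be atomic (a Redis Lua script or a single `UPDATE ... WHERE current = $presented` in Postgres), otherwise two concurrent rotations of the same token race and one of them slips past reuse detection. Keeping the old-token-to-family mapping until the family's TTL passes is what makes the detection possible; an implementation that deletes old tokens on rotation can only answer "unknown token" and never learns that a replay happened.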