Identity & Access
One trusted login across every Drexel touchpoint
What it is
An OpenID Connect (OIDC) provider issues and verifies identity for every human and system that interacts with Drexel's digital surfaces. Instead of each tool inventing its own login, every surface — portal, DAM, WP plugin sites, contractor-built sites, field apps — delegates authentication to one place. Users sign in once and their identity travels with them, along with roles that determine what each surface shows.
- A self-hosted OpenID Connect 1.0 provider (an OAuth 2.0 authorization server hardened to the OAuth 2.1 draft: authorization code flow with PKCE, no implicit or password grants) that issues ID tokens, access tokens, and refresh tokens.
- A directory of users, organizations (contractor companies, suppliers, Drexel internal teams), and roles.
- A consent and session layer shared by every downstream application.
Capabilities
Single sign-on (SSO)
Users log in once and access every Drexel-connected surface without re-entering credentials.
Role-based access
Role claims in the ID token drive what each UI reveals: contractor, supplier, sales rep, internal admin. The UI reads them for display only; the APIs behind it re-check the same roles and scopes on the access token, so a tampered front end cannot widen access.
Organization scoping
Contractor shops get their own tenant — users, branding, asset entitlements — without Drexel giving up central control.
Multi-factor and passkeys
WebAuthn and TOTP flows ship out of the box for accounts that need them.
Federated login
Accept Google Workspace, Microsoft Entra ID, or any other OIDC provider for contractor IT teams that prefer their own identity; the federated user still lands in Drexel's directory with Drexel-assigned roles.
API-level auth
Partner systems present access tokens to Drexel APIs; scopes limit what each partner can read or write.
Who it serves
Architecture notes
- Engine: Zitadel or Ory Hydra under the hood, both open-source, audited, and actively maintained. Zitadel bundles the user directory, MFA and login UI; Ory Hydra is a headless OAuth2/OIDC server that delegates login and consent to a separate app, so with Hydra the directory and MFA layers described above are supplied alongside it.
- Transport: standards-compliant OIDC so any OIDC-aware client works (no custom SDK required).
- Token lifetimes: short-lived access tokens with single-use, rotating refresh tokens; each refresh returns a new refresh token and retires the one presented.
- Audit: every login, consent, and token issuance is logged for compliance and forensics.
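What "rotating refresh tokens" means at the token endpoint, shown as an added example rather than Drexel's or the engine's own code. Each refresh grant retires the token it was called with and returns a fresh pair; a retired token showing up again is treated as a stolen copy, and the whole login session (the token "family") is revoked. The in-memory store, the lifetimes, and the revoke-the-family-on-reuse policy are assumptions of the example, not documented behaviour of this package.

```python
"""Refresh-token rotation with reuse detection.

Added example; assumptions: in-memory store, five-minute access tokens,
eight-hour refresh window, and family revocation when a retired token
is presented again."""
import secrets
import time
from dataclasses import dataclass

ACCESS_TTL = 300          # assumed: access tokens live five minutes
REFRESH_TTL = 8 * 3600    # assumed: a refresh token is good for eight hours


@dataclass
class RefreshRecord:
    family: str          # one family per interactive login
    subject: str         # user the tokens act for
    client_id: str       # client the tokens were issued to
    expires_at: float
    used: bool = False   # set once the token has been exchanged


class TokenStore:
    """Authorization-server side of the refresh grant."""

    def __init__(self, now=time.time):
        self.now = now
        self.refresh: dict[str, RefreshRecord] = {}
        self.revoked_families: set[str] = set()

    def _issue_pair(self, family: str, subject: str, client_id: str) -> dict:
        # Opaque random tokens; a real server would mint a signed JWT access token.
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self.refresh[refresh] = RefreshRecord(
            family, subject, client_id, self.now() + REFRESH_TTL)
        return {"access_token": access, "refresh_token": refresh,
                "expires_in": ACCESS_TTL, "token_type": "Bearer"}

    def login(self, subject: str, client_id: str) -> dict:
        """Interactive login: start a new family and issue the first pair."""
        return self._issue_pair(secrets.token_hex(8), subject, client_id)

    def refresh_grant(self, refresh_token: str, client_id: str) -> dict:
        """grant_type=refresh_token: rotate, or revoke the family on reuse."""
        rec = self.refresh.get(refresh_token)
        if rec is None:
            raise PermissionError("invalid_grant: unknown refresh token")
        if rec.family in self.revoked_families:
            raise PermissionError("invalid_grant: session revoked")
        if rec.used:
            # The token was already exchanged once. Either the legitimate client
            # replayed it or an attacker holds a stolen copy; the server cannot
            # tell which, so the entire family is revoked.
            self.revoke_family(rec.family)
            raise PermissionError("invalid_grant: refresh token reuse detected, session revoked")
        if rec.client_id != client_id:
            raise PermissionError("invalid_grant: token was issued to a different client")
        if rec.expires_at <= self.now():
            raise PermissionError("invalid_grant: refresh token expired")
        rec.used = True                       # retire the presented token
        return self._issue_pair(rec.family, rec.subject, client_id)

    def revoke_family(self, family: str) -> None:
        """Logout or reuse detection: every token in the family dies."""
        self.revoked_families.add(family)
        for rec in self.refresh.values():
            if rec.family == family:
                rec.used = True


def demo() -> str:
    """Walk through one rotation and one replay; returns the final outcome."""
    store = TokenStore()
    # Constructed user and client names for the walk-through.
    first = store.login("alice@contractor.example", "portal")
    second = store.refresh_grant(first["refresh_token"], "portal")
    replay = "no error"
    try:
        store.refresh_grant(first["refresh_token"], "portal")   # replay of retired token
    except PermissionError as e:
        replay = str(e)
    try:
        store.refresh_grant(second["refresh_token"], "portal")  # the live one is dead too
    except PermissionError as e:
        return f"{replay}; then: {e}"
    return "unexpected: family still alive"


if __name__ == "__main__":
    print(demo())
```

The client-id check matters for public clients (a browser app or a field app) that hold no secret: a refresh token leaked from one client must not be exchangeable by another. The clock is injected so the expiry path can be tested without waiting eight hours.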
What each persona gets
- Your team signs in once. Access your resources, your co-branded pages, your solar reports, with nothing to juggle.
- Look up any partner's active tools, impersonate a session for support (the impersonated session is a token issuance and lands in the audit log like any other login), and see exactly what they see.
- One revocation removes a person from every Drexel-connected surface at the same time: refresh tokens die immediately, and any access token already issued is rejected at the next introspection call or at its short expiry, whichever comes first.
- Scoped API access means your ERP can push data without holding user credentials.
Where it shows up
- Login screen rendered in the partner's co-brand while still trusting Drexel's identity store.
- Token introspection endpoint (RFC 7662) consumed by every other package in this catalog, so each API checks a token against live session state instead of trusting a bearer token until it expires.
- User + organization admin console for Drexel's channel team.
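The resource-server side of "API-level auth" and the introspection endpoint above, as an added example that is not Drexel's or the engine's code. A Drexel API receives a bearer token, asks the provider whether it is active, then enforces three things before serving the request: the token was minted for this API (aud), it carries the scope for the operation, and the organization claim matches the tenant named in the URL. The claim name `org_id`, the audience string, the scope names and the canned responses are assumptions of the example; a deployment uses whatever claim its engine emits. `introspect` is a callable so the example runs offline against constructed responses; in production that callable POSTs the token to the provider's introspection endpoint with the API's own client credentials.

```python
"""Resource-server check for API-level auth via token introspection.

Added example, not Drexel's or the engine's code. Claim name `org_id`,
audience string, scope names and canned responses are assumptions."""
import time

API_AUDIENCE = "https://api.drexel.example"   # assumed audience identifier for Drexel APIs

# Which scope each (method, resource) requires. Assumed scope names.
SCOPE_FOR = {
    ("GET", "assets"): "assets:read",
    ("GET", "orders"): "orders:read",
    ("POST", "orders"): "orders:write",
}

# Constructed RFC 7662 introspection responses keyed by opaque token, standing
# in for the provider's introspection endpoint so the example runs offline.
_CANNED = {
    "tok-good": {"active": True, "sub": "u-42", "client_id": "erp-acme",
                 "aud": API_AUDIENCE, "scope": "assets:read orders:write",
                 "org_id": "org-acme", "exp": 2_000_000_000},
    "tok-readonly": {"active": True, "sub": "u-43", "client_id": "erp-acme",
                     "aud": [API_AUDIENCE, "https://dam.drexel.example"],
                     "scope": "assets:read", "org_id": "org-acme", "exp": 2_000_000_000},
    "tok-expired": {"active": True, "sub": "u-42", "client_id": "erp-acme",
                    "aud": API_AUDIENCE, "scope": "assets:read",
                    "org_id": "org-acme", "exp": 1_000_000_000},
    "tok-wrong-aud": {"active": True, "sub": "u-42", "client_id": "dam-web",
                      "aud": "https://dam.drexel.example", "scope": "assets:read",
                      "org_id": "org-acme", "exp": 2_000_000_000},
    "tok-revoked": {"active": False},
}


def canned_introspect(token: str) -> dict:
    """Stand-in for POSTing the token to the introspection endpoint.
    Unknown tokens come back inactive, exactly as the endpoint would answer."""
    return dict(_CANNED.get(token, {"active": False}))


def authorize(token, required_scope, org_id, fetch=canned_introspect, now=time.time):
    """Decide whether `token` may perform `required_scope` inside `org_id`.
    Returns (allowed, reason); every failure has its own reason for the audit log."""
    info = fetch(token)
    if not info.get("active"):
        return False, "inactive_token"      # revoked, unknown, or malformed
    if info.get("exp", 0) <= now():
        return False, "expired"             # providers usually report these inactive already;
                                            # checked anyway as defence in depth
    aud = info.get("aud", [])
    auds = aud if isinstance(aud, list) else [aud]
    if API_AUDIENCE not in auds:
        return False, "wrong_audience"      # minted for another Drexel surface, not this API
    if required_scope not in info.get("scope", "").split():
        return False, "insufficient_scope"
    if info.get("org_id") != org_id:
        return False, "org_mismatch"        # tenant in the URL is not the token's tenant
    return True, "ok"


def handle(method, path, authorization, fetch=canned_introspect, now=time.time):
    """Minimal router for /orgs/<org_id>/<resource>; returns (status, body)."""
    if not authorization.startswith("Bearer "):
        return 401, {"error": "invalid_token"}
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "orgs":
        return 404, {"error": "not_found"}
    org_id, resource = parts[1], parts[2]
    scope = SCOPE_FOR.get((method, resource))
    if scope is None:
        return 405, {"error": "method_not_allowed"}
    allowed, reason = authorize(authorization[len("Bearer "):], scope, org_id, fetch, now)
    if not allowed:
        # 401: get a new token. 403: the token is fine but does not grant this.
        # The reason string is for logs; a real response would put RFC 6750's
        # invalid_token / insufficient_scope in the WWW-Authenticate header.
        # Some APIs answer org_mismatch with 404 to avoid confirming tenant ids.
        status = 403 if reason in ("insufficient_scope", "org_mismatch") else 401
        return status, {"error": reason}
    return 200, {"org": org_id, "resource": resource, "action": scope}


if __name__ == "__main__":
    print(handle("GET", "/orgs/org-acme/assets", "Bearer tok-good"))
    print(handle("GET", "/orgs/org-other/assets", "Bearer tok-good"))
```

The audience check is the one most often skipped: a token that is valid for the DAM is still a valid token, and without `aud` enforcement any partner holding one could replay it against the ERP-facing API. The organization check is what makes "Organization scoping" hold at the data layer rather than only in the UI.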