
Bridging Legacy and Modern Auth: Designing a Hybrid OIDC and Custom Authorization System for a Multi-Tenant Enterprise Platform

[Figure: OIDC Flow (illustrative only)]

When a large enterprise sought to modernize its authentication and authorization stack, it faced a complex challenge: how to integrate modern protocols like OIDC and SSO into an existing custom multi-tenant JWT-based authorization architecture, without disrupting its active user base or partner integrations.


The client’s identity flow combined username-password + TOTP authentication with a proprietary “CustomToken” authorization layer. Over time, this bespoke system had grown difficult to extend and could not support standardized federation protocols or OEM partner onboarding workflows. The goal was to introduce OIDC-based login and signup capabilities — while ensuring backward compatibility for legacy users and smooth migration paths for existing accounts.


Falistro’s engineering team began by dissecting the legacy flow to identify the tight coupling between authentication (AuthN) and authorization (AuthZ). A modular design was proposed in which OIDC providers could be registered or removed without deep code changes, allowing the system to evolve. The JWT role mapping and tenant context propagation were redesigned so that OIDC ID tokens (themselves JWTs issued by the provider) could be mapped into the existing multi-tenant claims system.


The next challenge came from the OEM partner flow — partners needed to embed the client’s sign-in experience within their own products and allow joint provisioning. Falistro engineered an automated tenant linking mechanism, where successful OIDC signups by OEM users would:


  • Provision a new tenant linked to both the OEM partner and the user.

  • Trigger a delegated consent flow to authorize offline data sharing between the user and partner.
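The following is an added example (not Falistro's or the client's code) sketching the two ideas above in one place: a single authorization layer that accepts either a legacy HS256 "CustomToken" or an ID token from a registered OIDC provider and normalizes both into one tenant-scoped principal, plus the OEM signup hook that provisions a tenant linked to the partner and queues a delegated consent. Issuer names, keys, claim names (`tenant`, `roles`) and the `customtoken` issuer label are constructed assumptions. Real OIDC providers sign ID tokens with RS256/ES256 and publish keys via JWKS; HS256 is used here only so the example runs offline with the standard library.

```python
"""Hybrid legacy-JWT + OIDC authorization layer (added illustration, stdlib only).
Issuers, keys and claim names below are constructed placeholders."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

LEGACY_ISSUER = "customtoken"  # assumed label carried by legacy CustomTokens


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes, ttl: int = 600) -> str:
    """Mint a compact HS256 JWS; only used here to build sample tokens."""
    claims = {"exp": int(time.time()) + ttl, **claims}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Pin the algorithm, check the MAC in constant time, then check expiry."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims


@dataclass
class Principal:
    subject: str
    tenant_id: str
    roles: list
    source: str  # "legacy" or the OIDC issuer that authenticated the user


@dataclass
class AuthZ:
    """Provider registry + legacy key; both paths end in the same Principal."""
    legacy_key: bytes
    audience: str
    providers: dict = field(default_factory=dict)   # issuer -> verification key
    tenants: dict = field(default_factory=dict)     # "issuer|sub" -> tenant record
    pending_consents: list = field(default_factory=list)

    def register_provider(self, issuer: str, key: bytes) -> None:
        self.providers[issuer] = key

    def authenticate(self, token: str) -> Principal:
        # The issuer is read unverified only to select the key; nothing else
        # from the token is trusted until the signature check passes.
        iss = json.loads(_b64url_decode(token.split(".")[1])).get("iss")
        if iss == LEGACY_ISSUER:
            c = verify_hs256(token, self.legacy_key)
            return Principal(c["sub"], c["tenant"], c.get("roles", []), "legacy")
        if iss not in self.providers:
            raise ValueError(f"unregistered issuer {iss!r}")
        c = verify_hs256(token, self.providers[iss])
        if c.get("aud") != self.audience:  # token minted for another client
            raise ValueError("audience mismatch")
        link = self.tenants.get(f"{iss}|{c['sub']}")
        if link is None:  # federated identity with no tenant linked yet
            raise ValueError("no tenant linked to this identity")
        return Principal(c["sub"], link["tenant_id"], link["roles"], iss)

    def oem_signup(self, issuer: str, subject: str, partner_id: str) -> str:
        """Provision a tenant tied to the OEM partner and the user, and queue
        the delegated consent that must be granted before offline sharing."""
        tenant_id = f"tenant-{partner_id}-{subject}"
        self.tenants[f"{issuer}|{subject}"] = {
            "tenant_id": tenant_id, "partner": partner_id, "roles": ["owner"]}
        self.pending_consents.append(
            {"tenant_id": tenant_id, "partner": partner_id, "scope": "offline_access"})
        return tenant_id
```

The legacy and federated paths share one `Principal` type, so downstream authorization code never needs to know which system authenticated the caller; the only branch is key selection. Note that an OIDC identity with no linked tenant is refused rather than given a default tenant, which keeps the "signup provisions a tenant" step explicit.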


Once the migration and integration plan was validated, implementation was completed in under two weeks, with a full rollout to production within four. The transition was transparent to users, supporting both legacy and OIDC authentication concurrently. The end result was a future-proof, modular, and enterprise-ready identity architecture capable of scaling across multiple providers and partner integrations — all while maintaining existing operational continuity.
