Lead Identity Platform Engineer* (P3169)

84.51° Overview

84.51° is a retail data science, insights and media company. We help The Kroger Co., consumer packaged goods companies, agencies, publishers and affiliates create more personalized and valuable experiences for shoppers across the path to purchase.

Powered by cutting-edge science, we utilize first-party retail data from more than 62 million U.S. households sourced through the Kroger Plus loyalty card program to fuel a more customer-centric journey using 84.51° Insights, 84.51° Loyalty Marketing and our retail media advertising solution, Kroger Precision Marketing.

Join us at 84.51°!

__________________________________________________________

As Lead Identity Platform Engineer , you will have the opportunity to help modernize the identity and access management systems and tools used for our commercial platforms and services at 84.51°. We are looking for a knowledgeable, creative identity engineer that can lead and participate in architectural discussions, use their subject matter expertise in identity and access management to make recommendations for our authentication and authorization systems, and ultimately plan and implement solutions with other identity and shared commercial technology engineers. This position will contribute to the design and implementation of authentication and authorization for our web application ecosystem, providing best practices for our developers, and will support identity initiatives related to our API products.

Responsibilities

Take ownership of and drive delivery of authentication and authorization solutions across our commercial web application ecosystem by:

• Leading design and development of identity solutions using a combination of off the shelf tools and homegrown applications
• Participating in architectural discussions related to authentication and authorization
• Contributing to our identity systems as a developer, building prototypes, and evaluating open source and commercial products
• Enabling and supporting engineering initiatives related to API authentication and authorization
• Acting as an identity subject matter expert and resource for other engineers and stakeholders at 84.51°

Qualifications

• Bachelor’s degree in Computer Science or related program, or commensurate work experience
• 3+ years of experience implementing authentication and authorization solutions for commercial applications and/or intranet/business to business systems in an enterprise
• In-depth knowledge of full-stack web application architecture and current best practices for implementing authentication and authorization for web applications (Spring Boot + Angular) and APIs
• Proficiency in current frameworks, specifications, topics and trends within the identity field or related to identity security, including OAuth2.0/OpenID Connect, SAML, JOSE (JWT/JWK), etc.
• 2+ years implementing and integrating on-premise and cloud-based identity providers such as Okta, Azure B2C, Keycloak, Identity Server, etc. and directory systems such as AD LDS/LDAP, Azure AD/Entra ID, etc.
• Experience with Object-Oriented programming in Java (especially using Spring Boot); enough experience to provide model auth-n/auth-z implementations for developers to follow, develop proofs-of-concepts, and contribute to libraries and backend service code
• Proficiency with standard authorization models such as RBAC, ABAC, and ReBAC
• Familiarity with policy information, enforcement, and decision systems such as Open Policy Agent, OpenFGA, Topaz, etc.
• Experience working with API gateways and an understanding of how they work and fit into an enterprise environment
• Proficient using RESTful APIs
• Familiarity with additional web (Javascript, Python, Go, etc.) and scripting (PowerShell, etc.) languages preferred
• Experience with infrastructure-as-code via Terraform preferred
• Comfortable performing version control in GIT and GitHub
• Understanding of CI/CD
• Understanding of non-functional qualities of application maintenance such as monitoring, logging, and alerting in tools like Datadog

Important: We are unable to sponsor or take over sponsorship of an employment Visa at this time for this position. Applicants must be authorized to work for ANY employer in the U.S.

This is a Hybrid position. Candidates must be able to come into the office on Monday, Tuesday, and Wednesday of each week. We have locations in Cincinnati, OH, Chicago, IL, Deerfield, IL, New York, NY, and Portland, OR.

There are no remote options for this position.