Temporal TechnologiesRemote
Staff Software Engineer, Cloud Identity
United States of America
Full Time
5 days ago
$212,000 - $286,000 USD
H1B Sponsor Likely
Key skills
PythonJavaGoKotlinIAMEntra IDOAuthJWTOktaSAMLKeycloakCachingCommunication
About this role
Temporal Technologies is an open source programming model company focused on improving developer experience. They are hiring a Staff Software Engineer for Identity to design and operate the identity and access platform for Temporal Cloud, ensuring secure authentication and authorization for high-throughput workloads.
Responsibilities:
- Design and build Temporal Cloud's identity platform end-to-end — authentication (OAuth 2.0/2.1, OIDC, SAML, token exchange), authorization (RBAC/ReBAC/policy engines), and workload identity federation — so customers and workloads authenticate without long-lived secrets
- Scale the auth hot path to meet Temporal Cloud's SLOs: in-memory auth bundles, JWKS caching, decision caching, and revocation strategies that keep latency low and eliminate single points of failure
- Integrate with enterprise IdPs (Okta, Entra ID, Google Workspace, SAML/OIDC), own SCIM 2.0 provisioning, and threat-model identity flows against token replay, confused deputy, scope escalation, and mix-up attacks
- Partner with Security, Product, and platform teams to ship secure-by-default patterns, define IAM lifecycle and audit strategies, and shape the technical roadmap by tracking emerging standards (IETF OAuth WG, OpenID Foundation)
- Mentor engineers, maintain clear architecture docs, and engage directly with customers to understand requirements and unblock adoption
Requirements:
- Deep hands-on experience building and operating production identity systems — OAuth 2.0/2.1, OIDC, SAML, JWT/JOSE, JWKS rotation, SCIM, and at least some exposure to workload identity (SPIFFE/SPIRE, WIF, mTLS, or short-lived federated credentials)
- Strong grasp of authorization at scale (RBAC, ABAC, ReBAC/Zanzibar) and familiarity with policy engines like OPA, Cedar, or OpenFGA
- Track record operating latency-sensitive distributed systems in production, including on-call ownership and operational excellence
- Proficiency in Go; experience with Python, Java, or Kotlin is a plus
- Strong communication skills with the ability to align stakeholders across security, product, and engineering and drive execution end-to-end
- Contributions to identity OSS projects (Keycloak, Ory, Dex, OpenFGA, SPIRE) or standards bodies (IETF OAuth WG, OpenID Foundation)
- Experience with compliance frameworks (FedRAMP, SOC 2, ISO 27001, HIPAA) as they apply to IAM
- Familiarity with Temporal or other durable-execution engines, especially auth implications around workers and task queues
- Experience designing customer-facing API auth (scoped tokens, API keys, rotation UX) and building well-structured APIs