Senior Software Developer

About The Position

Requirements

• 7+ years in software engineering with demonstrated experience in complex, multi-team platform environments
• Strong hands-on proficiency with Java and Spring Boot in a production microservice context
• Solid understanding of software development lifecycle practices including CI/CD, code review, testing strategy, and release management
• Foundational understanding of security principles — authentication, authorization, token-based identity, and secure API design
• Experience working with or integrating against an identity provider (Keycloak, Okta, Auth0, Entra ID, or similar)
• Familiarity with OAuth 2.0 and OIDC concepts including authorization code flow, PKCE, and JWT structure
• Ability to communicate technical decisions clearly to both engineering peers and non-technical stakeholders

Nice To Haves

• Hands-on experience with Keycloak or a comparable open-source identity provider, including realm configuration, client scopes, protocol mappers, IdP federation, and the Admin REST API
• Experience with a production authorization policy engine and a point of view on decoupling policy from application code
• Experience designing IAM for multi-tenant SaaS, including JWT size constraints, token claim strategy, and downstream performance tradeoffs
• Practical experience with API gateway security and policy enforcement at the edge
• SAML 2.0 federation and enterprise SSO integration with providers such as Microsoft Entra ID or Okta
• SOC2 Type II audit preparation and NIST 800-53 control mapping
• Familiarity with NIST 800-207 Zero Trust Architecture principles
• Experience with TOTP enforcement and MFA patterns for privileged access
• Reverse proxy configuration for multi-domain identity routing
• Frontend prototyping experience for operator tooling (Angular or React)
• Experience writing authorization policy expressions against principal and resource attributes
• Integration testing experience for auth flows
• Prior work on developer-facing platforms, including writing integration guides and reviewing PRs for auth correctness

Responsibilities

• Contribute to the platform's evolution toward a thin-token, policy-as-code authorization model where JWTs carry identity context rather than encoded permissions and a dedicated policy engine becomes the authoritative evaluation layer.
• Help scope the roadmap, sequence the work, and support consuming teams through the transition.
• Participate in an active dual-domain migration for the identity platform, including reverse proxy configuration, dynamic issuer handling, and ensuring downstream resource servers can validate tokens across both issuer values without regression.
• Work within and evolve a hybrid RBAC/ABAC authorization model built around a user, role, customer, and application authorization tuple, including platform-defined baseline roles, customer-scoped composite roles, and application-defined custom role patterns.
• Help identify and address security misconfigurations in how consuming teams integrate with the platform, ensuring authorization is evaluated against customer context, not flat role presence in a token.
• Contribute to Golden Path integration patterns for the engineering teams building on top of the platform, covering OAuth2/OIDC client registration, PKCE, identity provider hints, step-up authentication, redirect URI strategy, and token validation for Angular and React applications.
• Help drive an internal operations and governance UI from its current prototype state to production. The tool serves platform operators, security engineers, and compliance teams across modules including application management, role management, user management, customer hierarchy, MFA configuration, enterprise SSO federation, authorization policy authoring, and audit logs.
• Contribute to technical controls mapped to SOC2 CC6 and NIST 800-53 in alignment with Zero Trust principles.
• Support business-risk framing of architectural decisions and technical debt for leadership audiences, covering compliance exposure, audit risk, and real-time access control gaps.

Benefits

• paid Volunteer Program, Xylem Watermark
• inclusion and belonging
• Employee Resource Groups (ERG)