Authorization
The server delegates authentication to an external OpenID Connect (OIDC) provider and uses an organization-based model for access control.
Organizations & Roles
- Organizations: Groups of users with shared project access and billing.
- Roles:
  - Editor: Can read and write project content and metadata.
  - Viewer: Read-only access to project data.
Project Access
Access to projects can be managed at several levels:
- Restricted: Only explicitly invited users can access the project.
- Organization: All members of the organization have access.
- Public: Any authenticated user can access the project.
OIDC Requirements
The server discovers endpoints automatically via the provider’s .well-known/openid-configuration URL.
Scopes
| Scope | Purpose |
|---|---|
| openid | Standard OIDC authentication |
| profile | User profile information |
| email | User email address |
| offline_access | Refresh token support |
Claims
| Claim | Required | Purpose |
|---|---|---|
| sub | Yes | Unique user identifier |
| email | No | User email address |
| aud | No | Validated against client_id if present |
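The claim rules in the table above, as an added example of how a server-side check can apply them (this is illustrative code, not the project's own implementation). It assumes the token signature has already been verified against the provider's published keys and that the issuer and client ID come from `AUTH__ISSUER` and `AUTH__CLIENT_ID`; it also handles the OIDC Core case where `aud` is a list rather than a single string.

```python
"""Validate the claims of a signature-verified OIDC ID token.

Rules mirrored from the Claims table: sub is required, email is optional,
aud is optional but must contain the client ID when present. The issuer
check is the standard OIDC requirement that iss equals the configured issuer.
"""
from dataclasses import dataclass
from typing import Optional


class ClaimError(ValueError):
    """Raised when a token's claims do not satisfy the server's requirements."""


@dataclass(frozen=True)
class Identity:
    sub: str
    email: Optional[str]


def validate_claims(claims: dict, issuer: str, client_id: str) -> Identity:
    # iss must match AUTH__ISSUER exactly (string comparison, no normalisation).
    if claims.get("iss") != issuer:
        raise ClaimError("issuer mismatch")

    # sub is the only required claim and is the user's stable identifier.
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ClaimError("missing or empty sub")

    # aud is optional; when present it may be a string or a list of strings
    # (OIDC Core allows both), and the configured client_id must be in it.
    if "aud" in claims:
        aud = claims["aud"]
        audiences = [aud] if isinstance(aud, str) else list(aud)
        if client_id not in audiences:
            raise ClaimError("aud does not include client_id")

    # email is optional; reject only a malformed (non-string) value.
    email = claims.get("email")
    if email is not None and not isinstance(email, str):
        raise ClaimError("email must be a string")

    return Identity(sub=sub, email=email)


# Constructed sample values for a stand-alone run (not from a real provider).
ISSUER = "https://auth.example.com/realms/myrealm"
CLIENT_ID = "my-app"
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "1234", "aud": ["my-app", "other"],
                 "email": "user@example.com"}

if __name__ == "__main__":
    print(validate_claims(SAMPLE_CLAIMS, ISSUER, CLIENT_ID))
```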
Client Configuration
- Client type: Public (no client secret)
- Flow: Authorization Code
- Protocol mappers: email, audience, roles/groups
Server Configuration
| Variable | Description | Example |
|---|---|---|
| AUTH__ISSUER | OIDC issuer URL | https://auth.example.com/realms/myrealm |
| AUTH__CLIENT_ID | OIDC client ID | my-app |
| AUTH__REFRESH_URL | Token refresh endpoint (optional) | https://auth.example.com/realms/myrealm/protocol/openid-connect/token |