Concepts
OliveTin only has 1 method for doing Authentication (ie: entering a username and password — see [local-users] ), however it can do Authorization (ie: checking permissions of a user who logged in via another system, like single sign on) in many number of ways.
A popular way of deploying OliveTin is by users accessing it via another system, like a reverse proxy (eg: Traefik) or a "homepage" app (eg: Organizr). Both of these are used to handle user authentication first, before users then access OliveTin. Permissions can then be applied inside OliveTin depending on who has logged in.
The flow generally goes like this;
-
User browses to a website like Organizr and logs in, which sets a JWT Cookie for apps.example.com.
-
User browses to OliveTin.apps.example.com, and the cookie is sent to OliveTin.
-
OliveTin verifies the JWT token given the signing secret, and picks up on the
name
andgroup
fields from the JWT claim. -
OliveTin matches any relevant ACLs based on the claims.
-
If any ACLs are not matched, then the defaultPermissions are used.