AuthN/AuthZ#

This section provides comprehensive information about authentication and authorization in OSMO, including how to configure identity providers, manage roles, and control access to resources.

Overview#

OSMO provides a flexible authentication and authorization system: authentication is handled by Keycloak (optionally brokering to an external identity provider), and authorization by role-based access control (RBAC).

It can be configured in a few different ways:

1. No Authentication (Development Only)

Deploy OSMO without authentication for local testing and development. Do not use this in production or on any deployment reachable by untrusted users.

2. Keycloak

Use Keycloak to manage users and let them log in directly through Keycloak. RBAC permissions are controlled in Keycloak by maintaining a mapping of users to groups and of groups to roles.

3. Keycloak with External Identity Provider

Use Keycloak as an identity broker that integrates with your organization’s identity provider (Azure AD, Google Workspace, etc.), so users authenticate against the external IdP while Keycloak issues the tokens OSMO consumes. RBAC permissions are still controlled in Keycloak by maintaining a mapping of users to groups and of groups to roles. This is the recommended configuration for production deployments.

Major concepts#

There are a few concepts that are important to understand when configuring authentication and authorization in OSMO:

  • User: A human user or service account that accesses OSMO by logging in through Keycloak. Users can be added manually in Keycloak, or created automatically the first time they log in through an external identity provider.

  • Action: A specific operation a user might attempt in OSMO, such as an HTTP method and path (GET /api/workflows) or submitting a workflow to a specific pool.

  • Policy: A list of actions, each marked as allowed or denied.

  • Role: A collection of policies. A user who holds a role is granted the actions that the role's policies allow.

  • Group: A group of users maintained in Keycloak. Groups can be assigned roles, and every user in the group inherits the group's roles.

The diagram below illustrates how these concepts relate when a user tries to perform an action in OSMO. Note that the roles are carried in the JWT that Keycloak issues to the user, so OSMO reads them from the token rather than querying Keycloak on every request.

1. A USER attempts to perform an ACTION in OSMO.
2. Get all GROUPS the USER is in.
3. Get all ROLES that those GROUPS have (these ROLES are placed in the user's JWT).
4. Get all POLICIES that those ROLES have.
5. Check if any POLICY allows the ACTION.
6. Allow the ACTION if one does, otherwise deny it.
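The following is an added worked example of the evaluation chain above (user to groups to roles to policies to decision), written for this page and not taken from OSMO's code. It assumes a concrete data model that the page does not specify: an action is an HTTP method plus path, a policy is a list of allow/deny rules whose paths are glob patterns, and an explicit deny in any matching rule overrides an allow (a conservative choice; the diagram only says the action is allowed if some policy allows it). The users, groups, roles and policies are constructed sample data.

```python
"""Added example of the OSMO-style authorization chain:
user -> groups -> roles (as carried in the JWT) -> policies -> allow/deny.

Assumptions made for this example (not specified by the page):
- an Action is an HTTP method plus a request path;
- a policy is a list of Rules, each allow or deny, matching a method and a path glob;
- decisions default to deny, and an explicit deny wins over any allow.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Action:
    method: str  # HTTP method, e.g. "GET"
    path: str    # request path, e.g. "/api/workflows"


@dataclass(frozen=True)
class Rule:
    effect: str  # "allow" or "deny"
    method: str  # exact HTTP method, or "*" for any
    path: str    # glob over the request path, e.g. "/api/workflows/*"

    def matches(self, action: Action) -> bool:
        return self.method in ("*", action.method) and fnmatchcase(action.path, self.path)


# Constructed sample data. USER_GROUPS and GROUP_ROLES stand in for what Keycloak holds;
# ROLE_POLICIES and POLICIES stand in for OSMO's role/policy configuration. All names are made up.
USER_GROUPS = {
    "alice": ["ml-team", "everyone"],
    "bob": ["everyone"],
    "svc-ci": ["ci-bots"],
}
GROUP_ROLES = {
    "everyone": ["viewer"],
    "ml-team": ["workflow-submitter"],
    "ci-bots": ["workflow-submitter", "no-delete"],
}
ROLE_POLICIES = {
    "viewer": ["read-api"],
    "workflow-submitter": ["read-api", "submit-workflows"],
    "no-delete": ["deny-delete"],
}
POLICIES = {
    "read-api": [Rule("allow", "GET", "/api/*")],
    "submit-workflows": [
        Rule("allow", "POST", "/api/workflows"),
        Rule("allow", "DELETE", "/api/workflows/*"),
    ],
    "deny-delete": [Rule("deny", "DELETE", "/api/*")],
}


def roles_for_user(user: str) -> set:
    """Steps 2-3: groups the user belongs to, then the roles those groups carry.
    This is the role set Keycloak would embed in the user's JWT."""
    roles = set()
    for group in USER_GROUPS.get(user, []):
        roles.update(GROUP_ROLES.get(group, []))
    return roles


def rules_for_roles(roles) -> list:
    """Step 4: every rule of every policy attached to the given roles."""
    rules = []
    for role in roles:
        for policy in ROLE_POLICIES.get(role, []):
            rules.extend(POLICIES.get(policy, []))
    return rules


def is_allowed(user: str, action: Action) -> bool:
    """Steps 5-6: default deny; an explicit deny beats any allow (assumption, see module docstring)."""
    matching = [r for r in rules_for_roles(roles_for_user(user)) if r.matches(action)]
    if any(r.effect == "deny" for r in matching):
        return False
    return any(r.effect == "allow" for r in matching)


if __name__ == "__main__":
    checks = [
        ("alice", Action("POST", "/api/workflows")),       # submitter: allow
        ("bob", Action("POST", "/api/workflows")),         # viewer only: deny
        ("svc-ci", Action("DELETE", "/api/workflows/42")), # allow from submitter, but deny-delete wins
        ("mallory", Action("GET", "/api/workflows")),      # unknown user, no roles: deny
    ]
    for user, action in checks:
        verdict = "allow" if is_allowed(user, action) else "deny"
        print(f"{user:8} {action.method:6} {action.path:22} -> {verdict}")
```

The unknown user case matters in practice: a token whose roles claim is missing or empty must fall through to deny, not to some implicit default role. Likewise, the deny-overrides rule is what lets a narrow "no-delete" role safely coexist with a broader "workflow-submitter" role on the same service account.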
