Skip to main content

Authentication Overview

Secure and scalable identity management in LibreApps Desktop.

Overview

LibreApps Desktop uses a centralized authentication and authorization system powered by Keycloak. This ensures that all services in the microservices architecture share a common identity provider and that security policies are consistently enforced.

Key Components

1. Keycloak

An open-source identity and access management solution. It handles user login, registration, social logins, and multi-factor authentication (MFA).

2. JWT (JSON Web Tokens)

The standard format for representing user identity and permissions. When a user logs in, Keycloak issues a JWT that the frontend includes in every request to the backend.

3. Role-Based Access Control (RBAC)

A method of regulating access to resources based on the roles of individual users within an organization.

4. LibreApps Gateway

The gateway validates the JWT in every incoming request before forwarding it to the backend microservices.

How it Works

  1. Login: The user enters their credentials on LibreApps Desktop login page.
  2. Authentication: The frontend sends the credentials to Keycloak.
  3. Token Issuance: If the credentials are valid, Keycloak returns an Access Token (JWT) and a Refresh Token.
  4. Authorized Request: The frontend includes the Access Token in the Authorization header of all subsequent API requests.
  5. Validation: The LibreApps Gateway (or the individual microservice) validates the token's signature and expiration.
  6. Access Granted: If the token is valid and the user has the required roles, the request is processed.

Why Keycloak?

  • Standardized: Supports industry-standard protocols like OpenID Connect (OIDC) and SAML.
  • Feature Rich: Includes built-in support for social logins, MFA, and user federation.
  • Scalable: Can handle millions of users and high volumes of authentication requests.
  • Decoupled: Separates identity management from your application logic.

Best Practices

  • Do this: Use Keycloak for all user authentication and authorization.
  • Do this: Implement short-lived Access Tokens and use Refresh Tokens to maintain user sessions.
  • Don't do this: Store user passwords in your own application database; let Keycloak handle sensitive credential storage.