7.1. Concepts
OliveTin does not have any built-in code for authentication (e.g. entering a username and password). However, it can do authorization by relying on another system, such as a reverse proxy or "homepage" tool, to log users in first. OliveTin is often deployed alongside tools like Traefik and Organizr, which pass a special "token" to OliveTin so that OliveTin knows when a user has been authenticated.
- User browses to a website like Organizr and logs in, which sets a JWT Cookie for apps.example.com.
- User browses to OliveTin.apps.example.com, and the cookie is sent to OliveTin.
- OliveTin verifies the JWT token given the signing secret, and picks up on the `name` and `group` fields from the JWT claim.
- OliveTin matches any relevant ACLs based on the claims.
- If any ACLs are not matched, then the defaultPermissions are used.
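
The flow above, sketched as an added example (this is not OliveTin's own code): a cookie value is verified against the signing secret, the `name` and `group` claims are read, and ACLs are matched with a fallback to the default permissions. It assumes an HS256-signed token; the ACL shape, the function names and the sample secret are hypothetical, and treating an invalid token as "no claims" is an assumption.

```python
import base64, hashlib, hmac, json

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims, secret):
    """Build an HS256 token. Only used here to construct sample cookies."""
    msg = b64e(b'{"alg":"HS256","typ":"JWT"}') + "." + b64e(json.dumps(claims).encode())
    return msg + "." + b64e(hmac.new(secret, msg.encode(), hashlib.sha256).digest())

def verify(token, secret):
    """Return the claims dict if the HS256 signature checks out, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64d(head)).get("alg") != "HS256":  # pin alg, rejects "none"
            return None
        want = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, b64d(sig)):
            return None
        claims = json.loads(b64d(body))
        return claims if isinstance(claims, dict) else None
    except (ValueError, AttributeError):
        return None

def permissions(claims, acls, default_permissions):
    """First ACL matching the name or group claim wins, otherwise the defaults."""
    for acl in acls:
        if claims.get("name") in acl["users"] or claims.get("group") in acl["groups"]:
            return acl["permissions"]
    return default_permissions

def authorize(cookie, secret, acls, default_permissions):
    # Assumption: a missing or invalid token is treated like a user with no
    # claims and gets the defaults; the page does not say what OliveTin does.
    return permissions(verify(cookie, secret) or {}, acls, default_permissions)

# Constructed sample data (hypothetical ACL shape, not OliveTin's config schema).
SECRET = b"constructed-demo-secret"
ACLS = [{"users": [], "groups": ["admins"], "permissions": {"view": True, "exec": True}}]
DEFAULTS = {"view": True, "exec": False}

if __name__ == "__main__":
    for who in ({"name": "alice", "group": "admins"}, {"name": "bob", "group": "users"}):
        print(who["name"], authorize(sign(who, SECRET), SECRET, ACLS, DEFAULTS))
```

Because an unverified token falls through to the defaults in this sketch, the default permissions are what an unauthenticated visitor gets, so they should be set with that in mind.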