7.1. Concepts

OliveTin has no built-in code for authentication (e.g. entering a username and password). It can, however, perform authorization by relying on another system, such as a reverse proxy or a "homepage" tool, to log users in first. OliveTin is often deployed alongside tools like Traefik and Organizr, which pass a special "token" to OliveTin so that OliveTin knows a user has been authenticated.

  1. The user browses to a website like Organizr and logs in, which sets a JWT cookie for apps.example.com.

  2. The user browses to OliveTin.apps.example.com, and the browser sends the cookie to OliveTin.

  3. OliveTin verifies the JWT's signature using the configured signing secret, then reads the name and group fields from its claims.

  4. OliveTin matches any relevant ACLs based on those claims.

  5. If no ACL matches, the defaultPermissions are used.
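The five steps above as an added example in Go (illustrative code, not OliveTin's own implementation): the login tool's side mints an HS256 JWT, OliveTin's side verifies it with the shared signing secret, pins the algorithm, reads the name and group claims, and resolves permissions through ACLs with a fallback to defaultPermissions. The claim names, the ACL map shape and the sample secret are assumptions.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
var enc = base64.RawURLEncoding
// dec base64url-decodes a JWT segment; on bad input it yields nil, which every caller below rejects.
func dec(s string) []byte { b, _ := enc.DecodeString(s); return b }
// Claims holds the two JWT fields the flow relies on (the claim names "name" and "group" are assumed).
type Claims struct {
	Name  string `json:"name"`
	Group string `json:"group"`
}
func hs256(signingInput, secret string) []byte {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}
// SignHS256 mints a compact JWT, standing in for the login tool that sets the cookie (step 1).
func SignHS256(c Claims, secret string) string {
	payload, _ := json.Marshal(c)
	input := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	return input + "." + enc.EncodeToString(hs256(input, secret))
}
// VerifyHS256 accepts only a correctly signed HS256 token and returns its claims (step 3).
func VerifyHS256(token, secret string) (Claims, error) {
	var c Claims
	var header struct{ Alg string `json:"alg"` }
	parts := strings.Split(token, ".")
	if len(parts) != 3 || json.Unmarshal(dec(parts[0]), &header) != nil || header.Alg != "HS256" {
		return c, errors.New("malformed token or unexpected alg") // pin HS256: refuse "none" and asymmetric headers
	}
	if !hmac.Equal(dec(parts[2]), hs256(parts[0]+"."+parts[1], secret)) {
		return c, errors.New("bad signature") // constant-time compare; claims are never read before this passes
	}
	return c, json.Unmarshal(dec(parts[1]), &c)
}
// Permissions looks the claims up in ACLs keyed "user:<name>" or "group:<group>" (step 4) and falls
// back to defaultPermissions when nothing matches (step 5). The ACL shape is illustrative, not OliveTin's.
func Permissions(c Claims, acls map[string][]string, defaultPermissions []string) []string {
	for _, key := range []string{"user:" + c.Name, "group:" + c.Group} {
		if p, ok := acls[key]; ok {
			return p
		}
	}
	return defaultPermissions
}
```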