11.1. Concepts

OliveTin does not have any built-in code for doing Authentication (ie: entering a username and password), however it can do Authorization (ie: checking permissions of a user who logged in via another system, like single sign on).

A popular way of deploying OliveTin is by users accessing it via another system, like a reverse proxy (eg: Traefik) or a "homepage" app (eg: Organizr). Both of these are used to handle user authentication first, before users then access OliveTin. Permissions can then be applied inside OliveTin depending on who has logged in.

The flow generally goes like this;

  1. User browses to a website like Organizr and logs in, which sets a JWT Cookie for apps.example.com.

  2. User browses to OliveTin.apps.example.com, and the cookie is sent to OliveTin.

  3. OliveTin verifies the JWT token given the signing secret, and picks up on the name and group fields from the JWT claim.

  4. OliveTin matches any relevant ACLs based on the claims.

  5. If any ACLs are not matched, then the defaultPermissions are used.