You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -6,7 +6,11 @@ See <<auth-concepts,concepts>> for a good overview of how this works in OliveTin
[#auth-concepts]
=== Concepts
OliveTin does not have any built-in code for doing **Authentication** (eg: entering a username and password), however it can do **Authorization** by relying on another system like a reverse proxy or "homepage" tool to first login users. OliveTin is often deployed alongside <<reverse-proxies,reverse proxies>> like Traefik and Organizr, which pass a special "token" to OliveTin, so OliveTin knows when a user has been authenticated.
OliveTin does not have any built-in code for doing **Authentication** (ie: entering a username and password), however it can do **Authorization** (ie: checking permissions of a user who logged in via another system, like simgle sign on).
A popular way of deploying OliveTin is by users accessing it via another system, like a <<reverse-proxies,reverse proxy>> (eg: Traefik) or a "homepage" app (eg: Organizr). Both of these are used to handle user authentication first, before users then access OliveTin. Permissions can then be applied inside OliveTin depending on who has logged in.
The flow generally goes like this;
1. User browses to a website like Organizr and logs in, which sets a JWT Cookie for apps.example.com.
2. User browses to OliveTin.apps.example.com, and the cookie is sent to OliveTin.
