Authentication / IdP

Authentication in Platform-Mesh handles user identity verification and token issuance. The platform deploys and manages its own Identity Provider (IdP) instance to ensure consistent authentication across all components.

Current Implementation

Platform-Mesh uses Keycloak as its identity provider. Keycloak handles:

  • User Authentication - OIDC/OAuth2-based login for portal and CLI access
  • Token Issuance - JWT tokens for API authentication
  • User Management - Account creation, password reset, email verification
  • Multi-tenancy - Organization isolation through separate realms

Authentication Flow

sequenceDiagram
    participant User
    participant Portal
    participant Keycloak
    participant kcp

    User->>Portal: Access portal
    Portal->>Keycloak: Redirect to login
    User->>Keycloak: Enter credentials
    Keycloak->>Keycloak: Validate & issue JWT
    Keycloak->>Portal: Return with tokens
    Portal->>kcp: API request with JWT
    kcp->>kcp: Validate JWT (issuer URL)
    kcp->>Portal: Response
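The last step of the flow, kcp validating the JWT against the configured issuer URL, is shown below as an added example; it is not code from Platform-Mesh, kcp or Keycloak. One function plays Keycloak and mints an ES256 token; a Verifier plays kcp and pins the algorithm, looks up the signing key by kid, checks the signature, and only then compares iss with the configured issuer URL, aud and exp. The issuer URL, key id, audience "kcp", subject and the second issuer are constructed values, the issuer's JWKS is modelled as an in-memory map instead of being fetched from its discovery endpoint, and aud is treated as a single string.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims kcp checks after the signature holds; aud as one string is an assumption (RFC 7519 also allows an array).
type Claims struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Audience string `json:"aud"`
	Expiry   int64  `json:"exp"`
}

type header struct { // JOSE header: kid selects the JWKS key, alg is pinned by the verifier
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// decodeSeg base64url-decodes one token segment and parses it as JSON into v.
func decodeSeg(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil { return err }
	return json.Unmarshal(raw, v)
}

// SignToken stands in for Keycloak: it mints an ES256 JWT under signing key kid.
func SignToken(key *ecdsa.PrivateKey, kid string, c Claims) (string, error) {
	h, _ := json.Marshal(header{Alg: "ES256", Kid: kid})
	p, _ := json.Marshal(c)
	input := b64(h) + "." + b64(p)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil { return "", err }
	sig := make([]byte, 64) // JWS ES256 signature is r||s, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64(sig), nil
}

// Verifier stands in for kcp: one configured issuer URL, one expected audience, that issuer's keys by kid.
type Verifier struct {
	Issuer, Audience string
	Keys             map[string]*ecdsa.PublicKey
}

// Verify checks the signature first and only then iss, aud and exp.
func (v Verifier) Verify(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("malformed token") }
	var h header
	if err := decodeSeg(parts[0], &h); err != nil { return nil, err }
	if h.Alg != "ES256" { return nil, fmt.Errorf("unexpected alg %q", h.Alg) } // never trust the token's alg
	pub, ok := v.Keys[h.Kid]
	if !ok { return nil, fmt.Errorf("unknown kid %q", h.Kid) }
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { return nil, fmt.Errorf("bad signature encoding") }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature invalid")
	}
	var c Claims // the payload is trustworthy only from here on
	if err := decodeSeg(parts[1], &c); err != nil { return nil, err }
	if c.Issuer != v.Issuer { return nil, fmt.Errorf("issuer %q is not the configured one", c.Issuer) }
	if c.Audience != v.Audience { return nil, fmt.Errorf("audience %q mismatch", c.Audience) }
	if !time.Now().Before(time.Unix(c.Expiry, 0)) { return nil, fmt.Errorf("token expired") }
	return &c, nil
}

// Demo runs the flow with a constructed key and issuer URL: it returns the subject accepted from a valid
// token, then the errors for a payload altered after signing, an unconfigured issuer, and an expired token.
func Demo() (subject string, tamperedErr, otherIssuerErr, expiredErr error) {
	kcKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	issuer := "https://keycloak.example.invalid/realms/platform-mesh" // constructed
	v := Verifier{Issuer: issuer, Audience: "kcp", Keys: map[string]*ecdsa.PublicKey{"kc-key-1": &kcKey.PublicKey}}
	exp := time.Now().Add(5 * time.Minute).Unix()
	good, _ := SignToken(kcKey, "kc-key-1", Claims{issuer, "alice", "kcp", exp})
	if c, err := v.Verify(good); err == nil { subject = c.Subject }
	// Payload swapped for one naming another subject, original signature kept: must fail the signature check.
	altered, _ := json.Marshal(Claims{issuer, "someone-else", "kcp", exp})
	parts := strings.Split(good, ".")
	_, tamperedErr = v.Verify(parts[0] + "." + b64(altered) + "." + parts[2])
	other, _ := SignToken(kcKey, "kc-key-1", Claims{"https://other-idp.example.invalid/realms/x", "alice", "kcp", exp})
	_, otherIssuerErr = v.Verify(other)
	old, _ := SignToken(kcKey, "kc-key-1", Claims{issuer, "alice", "kcp", time.Now().Add(-time.Minute).Unix()})
	_, expiredErr = v.Verify(old)
	return
}

func main() {
	fmt.Println(Demo())
}
```

Run it with `go run` to see the accepted subject followed by the three rejection reasons. In a real deployment kcp obtains the keys from the issuer's OIDC discovery document and has to cope with key rotation; the in-memory map stands in for both.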

Components

Component   Authentication Role
---------   -------------------
Keycloak    Identity provider - issues and validates tokens
kcp         Validates JWTs against configured issuer URL
Portal      OIDC client - redirects users for authentication
Operators   Use service account client credentials

Documentation

  • Keycloak - Identity provider deployment and operations