.. _ADR-07:
ADR-07: OIDC for authentication
===============================
Context
-------
TINO needed an authentication mechanism.
The options were: local auth (username/password with its own user store), LDAP, or SSO via OpenID Connect.
Decision
--------
TINO delegates authentication entirely to an external `OpenID Connect `_ provider (e.g. `Keycloak `_).
The OIDC callback establishes a signed server-side session cookie.
Group claims from the ID token drive :ref:`bucket-level access control `.
Authentication can be disabled entirely via ``TINO_AUTH_DISABLED`` for local development or trusted internal deployments.
Consequences
------------
Positive
~~~~~~~~
- | **No user management**
| TINO has no user database, no password storage, and no account lifecycle to manage — all of that lives in the identity provider.
- | **SSO out of the box**
| Users who are already signed into the OIDC provider get seamless access.
- | **Group-based access control**
| OIDC group claims map directly to bucket roles, making access policy a configuration concern rather than an application concern.
- | **Secure by delegation**
| MFA, password policy, and session management are handled by a dedicated, audited identity system.
- | **De-facto standard**
| OIDC is the standard authentication protocol for most enterprises and cloud platforms.
| Chances are the identity provider is already in place and TINO just plugs in.
Negative
~~~~~~~~
- | **External dependency**
| A production deployment requires a running OIDC provider.
| This adds operational complexity for teams that do not already have one.
- | **Provider-specific claims**
| Group claim names vary between providers (e.g. Keycloak vs Azure AD).
| The claim key must be configured via ``TINO_OIDC_GROUPS_CLAIM``.