ADR-07: OIDC for authenticationΒΆ
ContextΒΆ
TINO needed an authentication mechanism. The options were: local auth (username/password with its own user store), LDAP, or SSO via OpenID Connect.
DecisionΒΆ
TINO delegates authentication entirely to an external OpenID Connect provider (e.g. Keycloak). The OIDC callback establishes a signed server-side session cookie. Group claims from the ID token drive bucket-level access control.
Authentication can be disabled entirely via TINO_AUTH_DISABLED for local development or trusted internal deployments.
ConsequencesΒΆ
PositiveΒΆ
- No user managementTINO has no user database, no password storage, and no account lifecycle to manage β all of that lives in the identity provider.
- SSO out of the boxUsers who are already signed into the OIDC provider get seamless access.
- Group-based access controlOIDC group claims map directly to bucket roles, making access policy a configuration concern rather than an application concern.
- Secure by delegationMFA, password policy, and session management are handled by a dedicated, audited identity system.
- De-facto standardOIDC is the standard authentication protocol for most enterprises and cloud platforms.Chances are the identity provider is already in place and TINO just plugs in.
NegativeΒΆ
- External dependencyA production deployment requires a running OIDC provider.This adds operational complexity for teams that do not already have one.
- Provider-specific claimsGroup claim names vary between providers (e.g. Keycloak vs Azure AD).The claim key must be configured via
TINO_OIDC_GROUPS_CLAIM.