Epic: Identity & Access Management #2

Open
opened 2026-03-29 23:16:35 +02:00 by claude · 1 comment

## Overview

Single identity plane for the entire SaaS platform. **Logto** handles all user-facing identity; custom Ed25519 JWT retained for machine-to-machine auth.

> **Architecture decision (2026-04-04):** Custom auth replaced by Logto (MPL-2.0, lightest OSS IdP). Eliminates ~3-4 months of custom build: OIDC, SSO, teams, invites, MFA, password reset, custom roles. See `docs/superpowers/specs/2026-04-04-dual-deployment-architecture.md`.

## Identity Provider: Logto

- **License:** MPL-2.0 (commercially safe)
- **Footprint:** 2 containers, ~0.5-1 GB RAM
- **Features in OSS:** Organizations, RBAC, M2M tokens, OIDC/SSO federation, MFA
- **Docker + K8s:** Works in both environments

## Auth Model

| Auth Type | Handled By | Token Format |
|-----------|-----------|--------------|
| User login/registration | Logto (OIDC) | RS256 JWT (Logto-issued) |
| SSO/OIDC federation | Logto | RS256 JWT |
| Team/org management | Logto organizations | — |
| Agent bootstrap | cameleer-saas | Ed25519 JWT (custom) |
| License tokens | cameleer-saas | Ed25519 JWT (custom) |

## Logto Organizations = Tenants

- 1:1 mapping between Logto organizations and Cameleer tenants
- Organization tokens include `organization_id` claim automatically
- User-tenant membership managed in Logto
- Logto Management API used for programmatic org provisioning

## Tier Differentiation

| Feature | Low | Mid | High | Business |
|---------|-----|-----|------|----------|
| Platform login | Yes | Yes | Yes | Yes |
| OIDC/SSO federation | No | No | Yes | Yes |
| Custom roles | No | No | Yes | Yes |
| Team management | Basic | Basic | Full | Full |

## Key Decisions

- ~~Spring Security custom auth~~ → Logto OIDC + Spring Security OAuth2 Resource Server
- Ed25519 JWT signing retained for machine tokens (aligns with cameleer3-server pattern)
- cameleer3-server validates SaaS-issued tokens in managed mode
- Standalone mode retains local auth for air-gapped deployments

## Eliminated Custom Build Work

- ~~OIDC provider implementation~~
- ~~SSO/SAML federation~~
- ~~Team/org management UI~~
- ~~Invite flow (email invites, accept/decline)~~
- ~~Password reset flow~~
- ~~MFA/2FA~~
- ~~Custom role management UI~~
- ~~Session management~~
claude added the `auth` and `epic` labels 2026-03-29 23:17:57 +02:00
claude (Author, Owner) commented:

## Status Update (2026-04-07)

**Logto OIDC integration is complete.** The hand-rolled JWT auth (Ed25519, local users/roles/permissions) has been fully replaced with Logto as the identity provider.

### What's done:

- `@logto/react` SDK with org-scoped token fetching
- Custom sign-in UI (`ui/sign-in/`) replacing Logto's default experience
- 13 OAuth2 scopes on API resource (10 platform + 3 server)
- Scope-based RBAC via `@PreAuthorize("SCOPE_...")` + `TenantIsolationInterceptor`
- Organization roles: `admin` (full scopes) and `member` (deploy + observe)
- `platform-admin` global role for SaaS owner
- Custom JWT claim injection (org roles → `roles` claim for server OIDC)
- Server SSO via Traditional Web App + OIDC auto-signup
- Bootstrap automation: users, apps, roles, organizations, scopes, branding
- Username display from ID token claims in sidebar + TopBar

### Remaining:

- Cross-app logout (platform logout doesn't invalidate server session — architectural, parked)
- Team/user management UI (invite users to org, assign roles)
- Self-service signup flow
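Added example, not code from the cameleer-saas or cameleer3-server projects (which use Spring Security OAuth2 Resource Server and Logto-issued RS256 tokens for users): a small Go program showing the two custom checks this epic and the status update describe. `Issue`/`Verify` are the Ed25519 machine-token path the epic retains for agent bootstrap and license tokens, with `Verify` standing in for what cameleer3-server does in managed mode; `Authorize` is the `TenantIsolationInterceptor` plus `@PreAuthorize("SCOPE_...")` step, matching the token's `organization_id` claim against the tenant the request addresses and requiring the endpoint's scope. The issuer URL, audience, tenant ids (`org_acme`, `org_other`) and scope names (`server:deploy`, `server:observe`, `server:admin`) are constructed placeholders, and the JOSE header is pinned rather than parsed so a token can never select its own algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Placeholder issuer and audience for this constructed example, and the only
// JOSE header accepted: pinning it means a token cannot choose its own alg.
const issuer, audience = "https://saas.example.invalid", "cameleer3-server"
var header = b64([]byte(`{"alg":"EdDSA","typ":"JWT"}`))
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Claims of a machine token: organization_id is the tenant, scope the OAuth2 scope list.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	OrgID string `json:"organization_id"`
	Scope string `json:"scope"`
}

// Issue signs the claims as a compact JWT with Ed25519 (alg=EdDSA).
func Issue(priv ed25519.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c) // a struct of strings and ints always marshals
	input := header + "." + b64(body)
	return input + "." + b64(ed25519.Sign(priv, []byte(input)))
}

// Verify is the managed-mode check: accept only the pinned header, verify the
// signature before trusting any claim, then enforce expiry, issuer and audience.
func Verify(pub ed25519.PublicKey, token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != header {
		return c, errors.New("rejected header")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return c, errors.New("bad signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(body, &c) != nil {
		return c, errors.New("bad payload")
	}
	switch {
	case now.Unix() >= c.Exp:
		return c, errors.New("token expired")
	case c.Iss != issuer || c.Aud != audience:
		return c, errors.New("wrong issuer or audience")
	}
	return c, nil
}

// Authorize is the interceptor step: the tenant addressed by the request must
// equal the token's organization_id, and the endpoint's scope must be granted.
func Authorize(c Claims, pathTenant, requiredScope string) error {
	if c.OrgID == "" || c.OrgID != pathTenant {
		return errors.New("tenant mismatch")
	}
	if !strings.Contains(" "+c.Scope+" ", " "+requiredScope+" ") {
		return errors.New("missing scope " + requiredScope)
	}
	return nil
}

// Demo issues one token and records each access attempt: nil when accepted, else the rejection.
func Demo() map[string]error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	claims := Claims{Iss: issuer, Aud: audience, Exp: now.Add(time.Hour).Unix(), OrgID: "org_acme", Scope: "server:deploy server:observe"}
	out := map[string]error{}
	check := func(name, token, tenant, scope string, at time.Time) {
		c, err := Verify(pub, token, at)
		if err == nil {
			err = Authorize(c, tenant, scope)
		}
		out[name] = err
	}
	good := Issue(priv, claims)
	parts := strings.Split(good, ".")
	check("valid", good, "org_acme", "server:deploy", now)
	check("wrong-tenant", good, "org_other", "server:deploy", now)
	check("missing-scope", good, "org_acme", "server:admin", now)
	check("expired", good, "org_acme", "server:deploy", now.Add(2*time.Hour))
	edited, _ := json.Marshal(Claims{Iss: issuer, Aud: audience, Exp: claims.Exp, OrgID: "org_other", Scope: claims.Scope})
	check("tampered", parts[0]+"."+b64(edited)+"."+parts[2], "org_other", "server:deploy", now) // payload edited after signing
	none := b64([]byte(`{"alg":"none","typ":"JWT"}`))
	check("alg-none", none+"."+parts[1]+".", "org_acme", "server:deploy", now) // empty signature, stopped by the header pin
	return out
}

func main() { fmt.Println(Demo()) }
```

Running it prints one entry per attempt; only `valid` is accepted, and each of the others names the check that stopped it. The order inside `Verify` is the point: the header pin and the signature are checked before the payload is even decoded, so no claim (including `organization_id`) influences anything until it is known to have been signed by the SaaS key. The Logto RS256 user tokens take a different path (Spring's resource server and Logto's signing keys) and are not shown here.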
Reference: cameleer/cameleer-saas#2