Phase 2: Tenants + Identity + Licensing #24

Closed
opened 2026-03-30 09:23:42 +02:00 by claude · 0 comments

Overview

Integrate Logto as identity provider, add tenant and license management, set up Traefik reverse proxy, and deliver a Docker Compose production stack.

Architecture decision (2026-04-04): Custom user-facing auth (AuthController, AuthService) replaced by Logto OIDC. Ed25519 JWT retained for machine tokens only (agent bootstrap, license signing). See docs/superpowers/specs/2026-04-04-dual-deployment-architecture.md.

Depends On

  • Phase 1 (#14-#23) ✅ Complete

Related Epics

  • #2 (Identity & Access Management — now Logto-based)
  • #7 (License & Feature Gating)

Key Deliverables

  • Logto integration — OIDC identity provider for all user-facing auth (login, registration, SSO, teams/orgs, MFA)
  • Tenant entity + CRUD API — always multi-tenant (Docker = 1 tenant, K8s = N tenants)
  • Logto organizations — 1:1 mapping to tenants, Logto Management API client for org provisioning
  • License token generation — Ed25519-signed JWT with tier, features, limits, expiry
  • License API — POST /api/tenants/{id}/license (generate), GET /api/tenants/{id}/license (fetch active)
  • Traefik integration — ForwardAuth middleware for tenant-aware routing
  • Docker Compose production stack — 6 containers: Traefik, cameleer-saas, Logto, cameleer3-server, PostgreSQL, ClickHouse
  • Externalize Ed25519 keys — file-based loading instead of per-boot generation
  • Security refactor — Spring Security OAuth2 Resource Server for Logto OIDC + custom filter for machine tokens
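The license-token and key-externalization deliverables above, as an added example that is not cameleer-saas code and uses only the JDK (Ed25519 via java.security, Java 15 or later): the signing key is read from a PKCS#8 PEM file instead of being generated per boot, the token carries tier, features, limits and expiry bound to a tenant id, and the verifier pins the algorithm, checks the signature, rejects expired tokens and rejects a license issued to another tenant. The class name, the claim names (tier, features, limits.maxAgents), the issuer string and the key file names are assumptions; the key pair written to a temp directory is constructed for the demo so it runs offline.

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.time.Instant;
import java.util.Base64;
import java.util.List;
import java.util.UUID;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not cameleer-saas code: Ed25519-signed license JWT with keys loaded from PEM files.
public class LicenseTokenExample {
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64URL_DEC = Base64.getUrlDecoder();

    // Strip PEM armour ("PRIVATE KEY" or "PUBLIC KEY") and return the DER bytes.
    private static byte[] derFromPem(Path file, String label) throws IOException {
        String body = Files.readString(file).replace("-----BEGIN " + label + "-----", "")
                .replace("-----END " + label + "-----", "").replaceAll("\\s", "");
        return Base64.getDecoder().decode(body);
    }
    // The signing key is read from a mounted PKCS#8 file (path is an assumed setting), never generated at boot.
    static PrivateKey loadPrivateKey(Path pkcs8Pem) throws IOException, GeneralSecurityException {
        return KeyFactory.getInstance("Ed25519")
                .generatePrivate(new PKCS8EncodedKeySpec(derFromPem(pkcs8Pem, "PRIVATE KEY")));
    }
    static PublicKey loadPublicKey(Path spkiPem) throws IOException, GeneralSecurityException {
        return KeyFactory.getInstance("Ed25519")
                .generatePublic(new X509EncodedKeySpec(derFromPem(spkiPem, "PUBLIC KEY")));
    }

    // Issue a license bound to one tenant: tier, features, limits and expiry, signed with EdDSA (Ed25519).
    static String issueLicense(PrivateKey key, String tenantId, String tier, List<String> features,
                               int maxAgents, Instant expiresAt) throws GeneralSecurityException {
        String header = "{\"alg\":\"EdDSA\",\"typ\":\"JWT\"}";
        String payload = String.format(
                "{\"iss\":\"cameleer-saas\",\"sub\":\"%s\",\"tier\":\"%s\",\"features\":[\"%s\"],"
                        + "\"limits\":{\"maxAgents\":%d},\"iat\":%d,\"exp\":%d,\"jti\":\"%s\"}",
                tenantId, tier, String.join("\",\"", features), maxAgents,
                Instant.now().getEpochSecond(), expiresAt.getEpochSecond(), UUID.randomUUID());
        String signingInput = B64URL.encodeToString(header.getBytes(UTF_8)) + "."
                + B64URL.encodeToString(payload.getBytes(UTF_8));
        Signature signer = Signature.getInstance("Ed25519");
        signer.initSign(key);
        signer.update(signingInput.getBytes(UTF_8));
        return signingInput + "." + B64URL.encodeToString(signer.sign());
    }

    // Verify algorithm, signature, expiry and tenant binding; returns the payload JSON or throws.
    static String verifyLicense(PublicKey key, String token, String expectedTenant) throws GeneralSecurityException {
        String[] parts = token.split("\\.");
        if (parts.length != 3) throw new GeneralSecurityException("malformed token");
        // The verifier pins the algorithm; a header claiming alg=none or HS256 is rejected before any crypto runs.
        String header = new String(B64URL_DEC.decode(parts[0]), UTF_8);
        if (!header.contains("\"alg\":\"EdDSA\"")) throw new GeneralSecurityException("unexpected alg");
        Signature verifier = Signature.getInstance("Ed25519");
        verifier.initVerify(key);
        verifier.update((parts[0] + "." + parts[1]).getBytes(UTF_8));
        if (!verifier.verify(B64URL_DEC.decode(parts[2]))) throw new GeneralSecurityException("bad signature");
        String payload = new String(B64URL_DEC.decode(parts[1]), UTF_8);
        if (Instant.now().getEpochSecond() >= Long.parseLong(claim(payload, "\"exp\":(\\d+)")))
            throw new GeneralSecurityException("license expired");
        if (!claim(payload, "\"sub\":\"([^\"]+)\"").equals(expectedTenant))
            throw new GeneralSecurityException("license issued to a different tenant");
        return payload;
    }
    private static String claim(String payload, String regex) throws GeneralSecurityException {
        Matcher m = Pattern.compile(regex).matcher(payload);
        if (!m.find()) throw new GeneralSecurityException("missing claim");
        return m.group(1);
    }
    private static String toPem(String label, byte[] der) {
        return "-----BEGIN " + label + "-----\n" + Base64.getMimeEncoder(64, "\n".getBytes(UTF_8))
                .encodeToString(der) + "\n-----END " + label + "-----\n";
    }

    public static void main(String[] args) throws Exception {
        // Constructed for the demo: a fresh key pair written to temp PEM files stands in for the
        // operator-provisioned key files that would be mounted read-only into the container.
        KeyPair kp = KeyPairGenerator.getInstance("Ed25519").generateKeyPair();
        Path dir = Files.createTempDirectory("license-keys");
        Path privPem = dir.resolve("license-signing.pem"), pubPem = dir.resolve("license-signing.pub.pem");
        Files.writeString(privPem, toPem("PRIVATE KEY", kp.getPrivate().getEncoded()));
        Files.writeString(pubPem, toPem("PUBLIC KEY", kp.getPublic().getEncoded()));
        String token = issueLicense(loadPrivateKey(privPem), "tenant-42", "pro",
                List.of("clickhouse-analytics", "sso"), 25, Instant.now().plusSeconds(30L * 24 * 3600));
        System.out.println(verifyLicense(loadPublicKey(pubPem), token, "tenant-42"));
        try {
            verifyLicense(loadPublicKey(pubPem), token, "tenant-99"); // wrong tenant: must be rejected
        } catch (GeneralSecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run it with `java LicenseTokenExample.java` (single-file launch). In the real service only the private key file is mounted into the cameleer-saas container, and only the public key reaches whatever validates the license, so a compromised verifier cannot mint tokens. The `contains` check on the header and the regex claim extraction stand in for a proper JSON/JWT library such as nimbus-jose-jwt, which Spring Security's OAuth2 resource server support already uses; whichever library is used, the accepted algorithm must remain a fixed allow-list of exactly EdDSA rather than whatever the token's header names.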

Build-vs-Buy Decisions

Component          Decision   Tool
User-facing auth   BUY        Logto (MPL-2.0, 2 containers, ~0.5-1 GB)
Reverse proxy      BUY        Traefik v3 (MIT, native Docker + K8s)
License signing    BUILD      Custom Ed25519 JWT (core IP)
Tenant lifecycle   BUILD      Custom CRUD + Logto org sync

Removed from Scope (vs original)

  • Custom OIDC implementation → Logto provides this
  • Custom team management → Logto organizations handle this
  • Custom invite flow → Logto handles this
  • Custom password reset → Logto handles this

Implementation Plan

docs/superpowers/plans/2026-04-04-phase-2-tenants-identity-licensing.md — 12 tasks

PRD Reference

Sections 4 (Data Architecture — tenants), 5 (IAM — now Logto), 10 (License & Feature Gating)
Superseded by: docs/superpowers/specs/2026-04-04-dual-deployment-architecture.md

claude added the auth, licensing, phase-2 labels 2026-03-30 09:24:43 +02:00
claude changed title from Phase 2: Tenants + Licensing to Phase 2: Tenants + Identity + Licensing 2026-04-04 14:39:33 +02:00
Reference: cameleer/cameleer-saas#24