User Management

Peaksel can take its users from different sources: a corporate OAuth2 server or simply a hardcoded list of users.

Hardcoded list of users

You can simply list all users that are allowed to sign in using these properties in docker-compose.yml:

environment:
  security.in_memory_users.name: user,admin
  security.in_memory_users.password: SomeUserPassword,SomeAdminPassword
  security.in_memory_users.role: USER,ADMIN

Usernames must not contain any special symbols except for the underscore (_).

OAuth2 OpenID Connect integration

Users can be permitted to sign in through an OAuth2 server (using the OpenID Connect, aka OIDC, protocol). It could be Google Auth, GitHub, a corporate Keycloak or Auth0/Okta.

In this scenario the whole auth process happens on the OAuth2 Server side, and Peaksel doesn’t know anything about user passwords.

In docker-compose.yml:

environment:
  security.oauth2.enabled: 'true'
  security.oauth2.authorization-uri: https://...
  security.oauth2.token-uri: https://...
  security.oauth2.user-info-uri: https://...
  security.oauth2.client-id: SomeOAuth2ClientId
  security.oauth2.client-secret: SomeOAuth2ClientSecret

During the first start you won’t have any Admins present. Only existing Admins can turn other users into Admins. So how do we assign the first Admin? List them in the hardcoded list with role=ADMIN, the same username as in OAuth2 and an arbitrary password. This can be done at any time.

If a user is defined both in the hardcoded list and in the OAuth2 provider, then the same user can be used for the UI login, as well as for API calls using the hardcoded Basic Auth credentials. The password set in the hardcoded list is therefore a working credential for that account.
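
A pre-deployment check for the properties described on this page, added here as an example (not Peaksel's own code). It assumes the three in_memory_users lists are matched by position, that usernames may contain only letters, digits and underscore, and that USER and ADMIN are the only roles; check_users and the sample dictionaries are hypothetical names.

```python
import re

# Assumptions (not taken from Peaksel's code): the three properties are parallel
# comma-separated lists matched by position, "no special symbols" means letters,
# digits and underscore only, and USER and ADMIN are the only roles.
PREFIX = "security.in_memory_users."
USERNAME_RE = re.compile(r"[A-Za-z0-9_]+")
KNOWN_ROLES = {"USER", "ADMIN"}

def _split(env, key):
    value = env.get(PREFIX + key, "")
    return value.split(",") if value else []

def check_users(env):
    """Return a list of problems found in the user-related properties."""
    names, passwords, roles = (_split(env, k) for k in ("name", "password", "role"))
    problems = []
    if not len(names) == len(passwords) == len(roles):
        problems.append(f"list lengths differ: {len(names)} names, "
                        f"{len(passwords)} passwords, {len(roles)} roles")
    problems += [f"invalid username {n!r}" for n in names
                 if not USERNAME_RE.fullmatch(n)]
    problems += [f"unknown role {r!r}" for r in roles if r not in KNOWN_ROLES]
    if len(set(names)) != len(names):
        problems.append("duplicate username")
    # First start with OAuth2: an Admin must come from the hardcoded list.
    if env.get("security.oauth2.enabled") == "true" and "ADMIN" not in roles:
        problems.append("OAuth2 enabled but no hardcoded ADMIN for first start")
    return problems

# Constructed sample inputs, shaped like the environment: block of docker-compose.yml.
PAGE_EXAMPLE = {
    PREFIX + "name": "user,admin",
    PREFIX + "password": "SomeUserPassword,SomeAdminPassword",
    PREFIX + "role": "USER,ADMIN",
}
BROKEN = {
    PREFIX + "name": "user,ad-min",
    PREFIX + "password": "Some,UserPassword,SomeAdminPassword",  # comma in password
    PREFIX + "role": "USER,ROOT",
    "security.oauth2.enabled": "true",
}

if __name__ == "__main__":
    for label, env in (("page example", PAGE_EXAMPLE), ("broken", BROKEN)):
        print(label, "->", check_users(env) or "ok")
```

The BROKEN sample shows how a comma inside a password shifts the lists out of alignment under the positional-matching assumption.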