keligrubb/kestrelos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 11 Wiki Activity
Files
c8d37c98f475ece3f4a28016aeb80f50e99e0a15
kestrelos/docs/auth.md
Madison Grubb b0e8dd7ad9
Some checks failed
ci/woodpecker/pr/pr Pipeline failed
Details
make kestrel a tak server, so that it can send and receive pois as cots data
2026-02-17 10:42:53 -05:00

4.5 KiB
Raw Blame History

Authentication

KestrelOS supports local login (username/email + password) and optional OIDC (single sign-on with an identity provider). All users must sign in to use the app.

Local login

First run: bootstrap admin

On first start, if the database has no users, KestrelOS creates an admin account:

  • If you set env vars:
    BOOTSTRAP_EMAIL and BOOTSTRAP_PASSWORD
    → That account is created (identifier = email, role = admin).

  • If you do not set them:
    A default admin is created with identifier admin and a random password.
    The password is printed in the terminal—copy it and sign in at /login.

After first login, change the password or add users via Members (admin only).

Signing in (local)

  1. Open /login (or youll be redirected there when visiting a protected page).
  2. Enter Email or username (identifier) and Password.
  3. Click Sign in. Youre redirected to the map or the page you came from.

Local users can always use this form. Their password is stored hashed in the database.

OIDC config and sign up

OIDC lets users sign in with an external identity provider (IdP), e.g. Keycloak, Auth0, or your organizations IdP. There is no “sign up” inside KestrelOS for OIDC: accounts are created when a user signs in for the first time (first-time OIDC login creates a KestrelOS user linked to that IdP identity).

Enabling OIDC

Set these environment variables:

Variable Required Description
OIDC_ISSUER Yes IdP issuer URL (e.g. https://auth.example.com/realms/myrel).
OIDC_CLIENT_ID Yes OIDC client ID.
OIDC_CLIENT_SECRET Yes OIDC client secret.
OIDC_LABEL No Button label (default: "Sign in with OIDC").
OIDC_REDIRECT_URI No Callback URL (default: {APP_URL}/api/auth/oidc/callback).
OIDC_SCOPES No Scopes (default: openid profile email).

The app derives the redirect URI if not set:

  • Prefer NUXT_APP_URL or APP_URL (e.g. https://kestrelos.example.com).
    Callback = {that base}/api/auth/oidc/callback.
  • Otherwise it uses HOST, PORT, and NODE_ENV (e.g. http://localhost:3000/api/auth/oidc/callback).

IdP configuration

In your IdP:

  1. Create an OIDC client (confidential, or public with PKCE if supported).
  2. Set Redirect URI to:
    https://<your-kestrelos-host>/api/auth/oidc/callback
    (or the same with http for local dev).
  3. Copy Client ID and Client Secret into OIDC_CLIENT_ID and OIDC_CLIENT_SECRET.
  4. Set Issuer in OIDC_ISSUER (issuer URL from the IdPs discovery document).

OIDC sign-in flow

  1. User opens /login and clicks the OIDC button (e.g. “Sign in with OIDC”).
  2. They are redirected to the IdP to sign in (and sign up at the IdP if needed).
  3. After success, the IdP redirects back to KestrelOS with an authorization code.
  4. KestrelOS exchanges the code for tokens and creates or finds the user (by oidc_issuer + oidc_sub), then logs them in.

Sign up: Done at the IdP. The first time a user completes OIDC login, KestrelOS creates a new user; no separate “sign up” page in KestrelOS.

OIDC and ATAK/iTAK

OIDC users dont have a KestrelOS password. To use ATAK or iTAK with “Use Authentication,” they must set an ATAK password once in the web app:

  1. Sign in with OIDC.
  2. Go to Account.
  3. Under ATAK / device password, set and confirm a password, then save.

They then use their KestrelOS username (identifier) and this ATAK password in the TAK client. See ATAK and iTAK.

Roles

  • Admin — Can manage users (add, edit, delete, change roles), edit POIs, and add/edit devices (via API).
  • Leader — Can edit POIs and add/edit devices (via API). Cannot change user roles.
  • Member — Can view map, cameras, and POIs; can use Share live. Cannot edit POIs or manage devices.

Only admins can change roles (Members page).

Summary

Goal Action
First-time setup Set BOOTSTRAP_EMAIL / BOOTSTRAP_PASSWORD or use printed default admin password.
Local sign-in Use /login with identifier and password.
Enable SSO Set OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET (and optional OIDC_LABEL, OIDC_REDIRECT_URI).
“Sign up” with OIDC Users sign up at the IdP; first OIDC login in KestrelOS creates their account.
Use ATAK/iTAK as OIDC user Set ATAK password under Account in the web app.
Reference in New Issue View Git Blame Copy Permalink