Skip to content

feat: Service accounts #306

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
yuvrajjsingh0 wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat: Service accounts #306

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
6f8c205
feat: migration to OIDC and provider based admin apis
yuvrajjsingh0 Mar 30, 2026
5b79864
feat: casbin
yuvrajjsingh0 Apr 2, 2026
7898867
feat: service accounts
yuvrajjsingh0 Apr 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
53 changes: 40 additions & 13 deletions API_DOCUMENTATION.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,8 @@ x-organisation: <organisation_name>
x-application: <application_name>
```

AuthZ subject resolution is email-based. Tokens missing an email claim are rejected on protected routes.

---

## 1. Authentication Endpoints
Expand All @@ -25,6 +27,7 @@ x-application: <application_name>
**Endpoint:** `POST /users/login`

**Description:** Authenticates a user and returns a JWT token along with user details.
When the configured AuthN provider does not support password login, this endpoint returns `400 Bad Request`.

**Headers:**
```json
Expand Down Expand Up @@ -125,6 +128,7 @@ x-application: <application_name>
**Endpoint:** `POST /users/create`

**Description:** Creates a new user account.
Registration is supported only when `AUTHN_PROVIDER=keycloak`; otherwise this endpoint returns `400 Bad Request`.

**Headers:**
```json
Expand All @@ -145,9 +149,21 @@ x-application: <application_name>
"password": {
"type": "string",
"description": "User password"
},
"first_name": {
"type": "string",
"description": "User first name (required for Keycloak signup)"
},
"last_name": {
"type": "string",
"description": "User last name (required for Keycloak signup)"
},
"email": {
"type": "string",
"description": "User email (required for Keycloak signup)"
}
},
"required": ["name", "password"]
"required": ["name", "password", "first_name", "last_name", "email"]
}
```

Expand All @@ -156,7 +172,11 @@ x-application: <application_name>
### 1.3 Get OAuth URL
**Endpoint:** `GET /users/oauth/url`

**Description:** Gets the OAuth URL for Google Sign-in (if enabled).
**Description:** Gets the OIDC/OAuth authorization URL for the configured AuthN provider.

**Query Parameters:**
- `offline` (optional, boolean): when `true`, requests offline access (refresh token flow for PAT generation).
- `idp` (optional, string): OIDC provider hint (for Keycloak this maps to `kc_idp_hint`, for example `google` or `github`).

**Headers:**
```json
Expand All @@ -172,7 +192,7 @@ x-application: <application_name>
"properties": {
"auth_url": {
"type": "string",
"description": "Google OAuth authorization URL"
"description": "OIDC/OAuth authorization URL"
},
"state": {
"type": "string",
Expand All @@ -185,7 +205,7 @@ x-application: <application_name>
### 1.4 OAuth Login
**Endpoint:** `POST /users/oauth/login`

**Description:** Completes OAuth login flow with authorization code.
**Description:** Completes OIDC/OAuth login flow with authorization code.

**Headers:**
```json
Expand Down Expand Up @@ -217,7 +237,8 @@ x-application: <application_name>
### 1.5 OAuth Signup
**Endpoint:** `POST /users/oauth/signup`

**Description:** Completes OAuth signup flow with authorization code.
**Description:** Completes OIDC/OAuth signup flow with authorization code.
Signup is provider-capability gated and in v1 is supported only for `AUTHN_PROVIDER=keycloak`.

**Headers:**
```json
Expand Down Expand Up @@ -540,7 +561,7 @@ x-application: <application_name>
"properties": {
"user": {
"type": "string",
"description": "Username to add"
"description": "User email to add"
},
"access": {
"type": "string",
Expand Down Expand Up @@ -588,7 +609,7 @@ x-application: <application_name>
"properties": {
"user": {
"type": "string",
"description": "Username to update"
"description": "User email to update"
},
"access": {
"type": "string",
Expand Down Expand Up @@ -636,7 +657,7 @@ x-application: <application_name>
"properties": {
"user": {
"type": "string",
"description": "Username to remove"
"description": "User email to remove"
}
},
"required": ["user"]
Expand All @@ -659,7 +680,7 @@ x-application: <application_name>
```

### 4.4 List Organisation Users
**Endpoint:** `GET /organisation/user`
**Endpoint:** `GET /organisation/user/list`

**Description:** Lists all users in an organisation with their access levels.

Expand All @@ -682,11 +703,17 @@ x-application: <application_name>
"items": {
"type": "object",
"properties": {
"user": {
"username": {
"type": "string"
},
"access": {
"type": "string"
"email": {
"type": ["string", "null"]
},
"roles": {
"type": "array",
"items": {
"type": "string"
}
}
}
}
Expand Down Expand Up @@ -2319,7 +2346,7 @@ All endpoints may return the following error responses:

6. **Search**: File listing supports search functionality via the `search` query parameter.

7. **OAuth**: Google OAuth endpoints are only available when `ENABLE_GOOGLE_SIGNIN` is set to `true`.
7. **OAuth**: OIDC OAuth endpoints are available when OIDC login is enabled; Keycloak IdP options are controlled by `OIDC_ENABLED_IDPS`.

8. **Organization Creation**: The `/organisations/request` endpoint is used when `ORGANISATION_CREATION_DISABLED` is `true`.

Expand Down
Loading
Loading