Authentication Flows
How the Shell handles authentication with Ory Kratos, Hydra, and OpenFGA.
Authentication Architecture
TODO: Add authentication flow diagram
User Login Flow
TODO: Document login flow:
- User accesses Shell
- Shell checks for Kratos session cookie
- If not authenticated, redirect to Kratos login UI
- User enters credentials
- Kratos validates and creates session
- Kratos redirects back to Shell with session cookie
- Shell validates session with AppServer
- AppServer checks permissions via OpenFGA
- User logged in and sees platform
Session Validation
TODO: Document session validation:
- Cookie-based sessions
- Session validation with AppServer
- Permission loading
- Session refresh
Logout Flow
TODO: Document logout flow:
- User clicks logout
- Shell calls /api/host/logout
- Kratos session invalidated
- Session cookie removed
- User redirected to login
OAuth2/OIDC Flows
TODO: Document OAuth2 flows with Hydra:
- Authorization code flow
- Consent screen
- Token exchange
Permission Checking
TODO: Document permission checking in Shell:
- Route guards
- Component-level checks
- API-level checks