Authentication
Overview
Authentication verifies the identity of a user attempting to access the VitalBridge platform.
It is performed exclusively by Keycloak, which acts as the platform's single identity provider.
Domain services never authenticate users directly; they only receive requests whose token the gateway has already validated.
Authentication Flow
The user authenticates against Keycloak and presents the resulting access token to the gateway on every request. The gateway, not the domain service, validates the token and establishes the tenant context before forwarding the request.
```mermaid
sequenceDiagram
    participant User
    participant Keycloak
    participant Gateway
    participant Service
    User->>Keycloak: Login
    Keycloak-->>User: JWT Access Token
    User->>Gateway: Request + JWT
    Gateway->>Gateway: Validate Token
    Gateway->>Gateway: Extract Tenant Context
    Gateway->>Service: Forward Request
    Service-->>Gateway: Response
    Gateway-->>User: Response
```
JWT Access Tokens
After successful authentication, Keycloak issues a JWT access token. The token carries the claims the platform relies on downstream: the user ID, the tenant ID, the user's role and the user's email address. None of these claims may be acted on until the token's signature has been verified, since the payload is only base64-encoded, not encrypted.
```mermaid
flowchart TB
    JWT["JWT Token"]
    USER["User ID"]
    TENANT["Tenant ID"]
    ROLE["Role"]
    EMAIL["Email"]
    JWT --> USER
    JWT --> TENANT
    JWT --> ROLE
    JWT --> EMAIL
```
Request Processing
The gateway processes every incoming request in three ordered steps: it validates the token, extracts the tenant context from the validated claims, and only then routes the request to a domain service. A request that fails at any step is rejected and never reaches a service.
```mermaid
flowchart LR
    REQUEST["Incoming Request"]
    TOKEN["Validate Token"]
    TENANT["Extract Tenant Context"]
    ROUTE["Route Request"]
    REQUEST --> TOKEN
    TOKEN --> TENANT
    TENANT --> ROUTE
```
Authentication Principles
- All requests must be authenticated; there are no anonymous paths to domain services.
- Every JWT must pass validation (signature, issuer and expiry) before any of its claims are used.
- Expired tokens are rejected, regardless of whether their signature is otherwise valid.
- Tenant context must be present in the token; a request whose token carries no tenant ID is rejected rather than routed.
- Domain services trust only tokens the gateway has validated and never re-authenticate the user themselves.
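To make the gateway-side checks from the flow and the principles above concrete, here is an added example, not code from the VitalBridge project or its Keycloak deployment. It mints an RS256 access token the way an issuer such as Keycloak would, then performs the validation the gateway is responsible for: the algorithm is pinned to RS256 rather than read from the token, the signature is verified against the issuer's public key, expiry and issuer are checked, and the tenant claim is required before the request would be routed. The claim names `tenant_id`, `role` and `email`, the issuer URL and the choice of RS256 are assumptions for illustration; the real claim names, realm URL and signing keys must come from the Keycloak configuration (in practice from its JWKS endpoint).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of the access token the gateway acts on.
// sub, iss and exp are registered JWT claims; tenant_id, role and email
// are assumed names standing in for whatever Keycloak is configured to emit.
type Claims struct {
	Sub      string `json:"sub"`
	Iss      string `json:"iss"`
	Exp      int64  `json:"exp"`
	TenantID string `json:"tenant_id"`
	Role     string `json:"role"`
	Email    string `json:"email"`
}

var b64 = base64.RawURLEncoding

// mintToken plays the role of the issuer (Keycloak): it signs the claims with RS256.
func mintToken(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// validateToken is the gateway's check: pinned algorithm, signature against the
// issuer's public key, expiry, issuer, and a non-empty tenant claim. Claims are
// only decoded after the signature has been verified.
func validateToken(pub *rsa.PublicKey, issuer, token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return c, errors.New("bad header encoding")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// The verifier decides the algorithm; an attacker-controlled "alg" (e.g. "none") is rejected.
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return c, errors.New("unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return c, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return c, errors.New("signature invalid")
	}
	body, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(body, &c) != nil {
		return c, errors.New("bad claims")
	}
	if c.Exp == 0 || now.Unix() >= c.Exp {
		return c, errors.New("token expired")
	}
	if c.Iss != issuer {
		return c, errors.New("wrong issuer")
	}
	if c.TenantID == "" {
		return c, errors.New("tenant context missing")
	}
	return c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	iss := "https://keycloak.example/realms/vitalbridge" // assumed realm URL
	now := time.Now()
	tok, _ := mintToken(key, Claims{Sub: "u-1", Iss: iss, Exp: now.Add(5 * time.Minute).Unix(),
		TenantID: "t-42", Role: "clinician", Email: "a@example.org"})
	c, err := validateToken(&key.PublicKey, iss, tok, now)
	fmt.Println("tenant:", c.TenantID, "err:", err)
}
```

Only after `validateToken` returns without error does the gateway have a tenant context it may attach to the forwarded request; a domain service should never parse the raw token itself.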