This page covers the security-related features of Atomik, such as user management, API authentication and access tokens.
Local user management
Atomik has a module for internal user management. Users can be systems administrators or API users. Administrators are users that have access to the Web Console. API users only have access via the REST API, and need to provide their credentials via the auth endpoint to get an access token and use the other services with that access token.
External user management
A system that manages users, roles and permissions is called an Identity Provider (IDP). External tools of this kind can be integrated with Atomik to manage its users and roles. Identity Providers also implement different authentication methods, for instance OAuth.
This is useful for companies that want to centralize user management and authentication servers, instead of managing users locally on each system. For such an implementation we recommend using Keycloak.
Keycloak is an open-source identity and access management solution that provides authentication, authorization, and single sign-on capabilities for web and mobile applications. Some of the key characteristics of Keycloak that make it a great choice for securing your system's resources include:
- User Management: Keycloak provides user management capabilities such as user registration, password reset, and multi-factor authentication. It allows users to authenticate with their preferred social media or third-party authentication providers like Google, Facebook, and GitHub.
- Role-Based Access Control: With Keycloak, you can set up role-based access control (RBAC) policies to determine which users have access to which resources within your system. This feature can help you ensure that only authorized users can access sensitive information.
- Single Sign-On: Keycloak supports single sign-on (SSO), which means that once a user logs in to your system, they can access other applications that also use Keycloak without having to log in again.
- Customizable Authentication Flows: Keycloak allows you to customize the authentication flows for your users, which means that you can set up a custom login experience that matches your system's requirements.
- Multi-Tenancy: Keycloak supports multi-tenancy, which means that you can use a single instance of Keycloak to manage multiple applications or tenants. This feature can help you streamline your system's authentication and authorization process.
Overall, Keycloak is a powerful and flexible Identity Provider that can help you secure your system's resources and user data. By using Keycloak with Atomik, you can ensure that your users have a secure and reliable authentication and authorization experience, all externally managed.
REST API Access Tokens
On some occasions, users can't authenticate directly against Atomik's REST API because they are managed in an external application. In Atomik, managers can create app access tokens, which should be securely configured in the external applications that will access the REST API. The access token therefore works at the application level, not at the user level: Atomik delegates user authentication and authorization to that application and trusts it.
An administrator can revoke/delete the access token at any time; after that, any access using that token is refused.
To authenticate a user from the REST API, there is a specific auth endpoint. The user provides their credentials, and if Atomik validates them, the HTTP response includes a JWT that should be used in the Authentication HTTP Request header of subsequent requests.
These access tokens will expire automatically in 24 hours. This expiration period can be configured. If a request is received with an expired token, Atomik's REST API will return an error and the user should authenticate again to get a new token.
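Because the expiration period is configurable, a client should read the expiry from the token rather than hard-code 24 hours. The following is an added example, not Atomik's own code: it assumes the JWT carries the standard `exp` claim, and `authenticate` is a hypothetical callable that sends the credentials to the auth endpoint and returns the JWT string.

```python
import base64
import json
import time

def jwt_expiry(token):
    """Read the `exp` claim (Unix seconds) from a JWT payload, or None.
    Decoding only, no signature check: use it for client-side scheduling,
    never to decide whether a token is trustworthy."""
    try:
        part = token.split(".")[1]
        claims = json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
    except (IndexError, ValueError):  # wrong shape, bad base64 or bad JSON
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return exp if isinstance(exp, (int, float)) else None

class TokenCache:
    """Holds the current JWT and re-authenticates shortly before it expires."""

    def __init__(self, authenticate, skew=60, clock=time.time):
        # `authenticate` is a hypothetical callable supplied by the caller: it
        # sends the credentials to the auth endpoint and returns the JWT string.
        self._authenticate = authenticate
        self._skew = skew      # seconds of safety margin before `exp`
        self._clock = clock    # injectable so expiry can be tested offline
        self._token = None

    def token(self):
        exp = jwt_expiry(self._token) if self._token else None
        if self._token is None or (exp is not None and self._clock() >= exp - self._skew):
            self._token = self._authenticate()
        return self._token

    def invalidate(self):
        """Call when the API rejects the token, e.g. because it has expired."""
        self._token = None

def make_sample_jwt(exp):
    """Constructed sample token with a placeholder signature (not an Atomik token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "HS256", "typ": "JWT"}) + "." + enc({"sub": "api-user", "exp": exp}) + ".sig"

if __name__ == "__main__":
    cache = TokenCache(lambda: make_sample_jwt(int(time.time()) + 24 * 3600))
    print("expires at", jwt_expiry(cache.token()))
```

The cache only avoids sending a token that is already known to be stale; the server's answer remains authoritative, so call `invalidate()` and retry once when the API returns its expired-token error.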
Web Console Authentication
The Web Console has a standard username and password authentication screen. Extra security measures can be configured, such as a captcha (we use Google's reCAPTCHA) or 2-factor authentication with one-time passwords generated by a mobile app. Customers can ask for those extra configurations.