Identity Service

The OctoMesh Identity Service provides centralized authentication and authorization for the entire platform. It supports OAuth 2.0 and OpenID Connect protocols.

Core Capabilities

  • Multi-tenant isolation — each tenant has its own users, roles, groups, clients, and identity providers
  • Multiple authentication methods — local passwords, OAuth providers (Google, Microsoft, Facebook), Azure Entra ID, OpenLDAP, Active Directory, and cross-tenant authentication
  • Role-based access control (RBAC) — users are assigned roles either directly or through group membership
  • Group management — organizational units that bundle roles and support nesting
  • Cross-tenant authentication — parent tenants can authenticate users in child tenants
  • Automatic group assignment — email domain rules and default provider groups for self-registering users
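The role and group model described above, as an added worked example that is not part of the OctoMesh documentation or the Identity Service's own code: an in-memory model of one tenant in which a user's effective roles are the union of directly assigned roles and the roles bundled by every group the user resolves to through nesting, plus the self-registration placement driven by email-domain rules and per-provider default groups. The nesting direction (a nested group inherits the roles of the groups it sits inside), the `Group`/`User`/`Tenant` types, the `example.com` rule and the `google` default group are all assumptions made for the illustration; the ten role names and the TenantOwners group are the defaults the page lists.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field

# Constructed in-memory model of one tenant's groups and users. This is an
# added illustration and not the OctoMesh Identity Service's own code; the
# nesting direction (a nested group inherits its parent's roles) is an assumption.


@dataclass
class Group:
    name: str
    roles: set[str] = field(default_factory=set)
    # Groups this group is nested inside; their roles flow down to members.
    parent_groups: set[str] = field(default_factory=set)


@dataclass
class User:
    email: str
    roles: set[str] = field(default_factory=set)   # directly assigned roles
    groups: set[str] = field(default_factory=set)  # direct group memberships


@dataclass
class Tenant:
    groups: dict[str, Group]
    # Email-domain rules and per-provider default groups for self-registration.
    domain_rules: dict[str, str] = field(default_factory=dict)
    default_provider_groups: dict[str, str] = field(default_factory=dict)


def expand_groups(tenant: Tenant, direct: set[str]) -> set[str]:
    """All groups a member of `direct` effectively belongs to, following nesting.
    The visited set stops infinite loops if the data contains a nesting cycle."""
    seen: set[str] = set()
    queue = deque(direct)
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        group = tenant.groups.get(name)
        if group is None:
            continue  # dangling reference: ignore rather than crash
        seen.add(name)
        queue.extend(group.parent_groups)
    return seen


def effective_roles(tenant: Tenant, user: User) -> set[str]:
    """Direct roles plus the roles bundled by every group the user resolves to."""
    roles = set(user.roles)
    for name in expand_groups(tenant, user.groups):
        roles |= tenant.groups[name].roles
    return roles


def groups_for_self_registration(tenant: Tenant, email: str, provider: str) -> set[str]:
    """Groups a self-registering, externally authenticated user is placed in:
    the matching email-domain rule plus the provider's default group, if any."""
    assigned: set[str] = set()
    domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
    if domain in tenant.domain_rules:
        assigned.add(tenant.domain_rules[domain])
    if provider in tenant.default_provider_groups:
        assigned.add(tenant.default_provider_groups[provider])
    return assigned


# The ten default roles the page lists for a newly created tenant.
DEFAULT_ROLES = {
    "TenantManagement", "UserManagement", "CommunicationManagement", "Development",
    "AdminPanelManagement", "BotManagement", "DashboardManagement", "DashboardViewer",
    "ReportingManagement", "ReportingViewer",
}


def build_sample_tenant() -> Tenant:
    """Constructed sample: the default TenantOwners group plus two nested groups."""
    return Tenant(
        groups={
            "TenantOwners": Group("TenantOwners", roles=set(DEFAULT_ROLES)),
            "Analysts": Group("Analysts", roles={"DashboardViewer", "ReportingViewer"}),
            # Nested under Analysts: inherits the viewer roles, adds reporting management.
            "ReportLeads": Group("ReportLeads", roles={"ReportingManagement"},
                                 parent_groups={"Analysts"}),
        },
        domain_rules={"example.com": "Analysts"},        # constructed rule
        default_provider_groups={"google": "Analysts"},  # constructed default
    )


if __name__ == "__main__":
    tenant = build_sample_tenant()
    lead = User("lead@example.com", roles={"Development"}, groups={"ReportLeads"})
    print(sorted(effective_roles(tenant, lead)))
    print(groups_for_self_registration(tenant, "new@example.com", "google"))
```

The resolver deliberately tolerates bad data: a group that references a parent that no longer exists is skipped, and a nesting cycle terminates because each group is visited once. Both are cases worth keeping in mind when a tenant's group graph is edited by several administrators.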

Architecture

The Identity Service runs as an independent service. Every API request is scoped to a tenant via the {tenantId} route prefix:

https://<identity-host>/{tenantId}/v1/<resource>

Each tenant stores its data in a dedicated MongoDB database managed by the OctoMesh Runtime Engine.

Default Configuration

When a new tenant is created, the Identity Service automatically provisions:

  • 10 default roles: TenantManagement, UserManagement, CommunicationManagement, Development, AdminPanelManagement, BotManagement, DashboardManagement, DashboardViewer, ReportingManagement, ReportingViewer
  • TenantOwners group: contains all 10 default roles
  • API scopes: octo_api (full access), octo_api.read_only (read-only)
  • Identity resources: OpenId, Profile, Email, plus a custom role resource
  • Identity providers: Google and Microsoft (disabled by default), system tenant only. Child tenants receive an OctoTenant provider pointing to the parent tenant instead.