Keycloak
Keycloak is the central identity provider for the Cogrion platform. Every login and every service-to-service call is authenticated through it. No service issues or validates its own tokens.
Realm Per Tenant
Each tenant organisation gets its own isolated Keycloak realm. Realms are the primary identity boundary: users, roles, clients, and sessions in one realm are completely invisible to another. A user from Organisation A cannot authenticate against Organisation B's realm.
When a user opens the Cogrion UI, they identify which organisation they belong to. The UI selects the correct realm before initiating the login flow.
Clients and Platform Stacks
Each application running in a tenant cluster — Superset, Airflow, JupyterHub — is registered as a Keycloak client within the tenant's realm. This is how the platform controls which applications can receive tokens and which scopes those tokens carry.
When a new stack is deployed, the platform registers the corresponding Keycloak client automatically. The BFF API uses these client registrations to perform token exchange — translating the user's session token into a service-specific token scoped to the target application.
Token Lifecycle
| Stage | What Happens |
|---|---|
| Login | User authenticates via Keycloak browser flow. Keycloak issues an access token and refresh token. |
| API Request | The Cogrion UI attaches the access token to every outbound request. |
| Token Exchange | The BFF receives the request, validates the token, then exchanges it for a narrower token scoped to the target backend service. |
| Service Call | The backend service (Superset, Airflow, etc.) receives only the exchanged token scoped to itself. |
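The exchange and service-call stages above, as an added example (not Cogrion's own code): the form body a BFF posts to a tenant realm's token endpoint to obtain a token scoped to one target client, and the issuer and audience check a backend service applies before accepting it. The hostname, realm name and client ids are assumed values; the JWT is constructed for offline testing, and signature verification against the realm's JWKS is assumed to have happened before the claims check.

```python
"""Added example: Keycloak token-exchange request and the audience check on its result.
Not Cogrion's code. Signature verification against the realm JWKS is assumed to run first."""
import base64
import json
import time

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

def realm_issuer(base_url: str, realm: str) -> str:
    # Keycloak's issuer for a realm; its token endpoint is this + /protocol/openid-connect/token.
    return f"{base_url}/realms/{realm}"

def build_exchange_request(bff_client_id, bff_client_secret, subject_token, target_client):
    """Form fields the BFF posts to the realm token endpoint (RFC 8693 grant as Keycloak accepts it).
    The BFF authenticates as itself; 'audience' names the client the narrower token is scoped to."""
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": bff_client_id,
        "client_secret": bff_client_secret,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "audience": target_client,
    }

def decode_claims(jwt: str) -> dict:
    """Decodes the payload segment only; does not verify the signature."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def accept_for_service(claims: dict, expected_issuer: str, service_client_id: str, now=None) -> bool:
    """A backend accepts a token only if it was issued by its tenant realm, names this service
    in 'aud' and has not expired, so a token exchanged for Superset is rejected by Airflow."""
    now = time.time() if now is None else now
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    return (claims.get("iss") == expected_issuer
            and service_client_id in aud
            and claims.get("exp", 0) > now)

def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token for offline tests (fake signature; real Keycloak tokens are RS256)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2lnbmF0dXJl"
```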
Go Deeper
- Security → Authentication and Authorization in the Cogrion UI
- Security → How the Control Plane Validates Requests
- Security → Token Exchange and Data Access