Authentication in the Cogrion UI
This page covers how a user authenticates when opening the Cogrion UI and how that identity is carried through subsequent requests.
Login Flow
- The user opens the Cogrion UI and enters their organisation identifier.
- The UI uses the organisation identifier to select the correct Keycloak realm.
- The UI redirects to the Keycloak login page for that realm.
- The user authenticates (username/password, SSO, or MFA depending on realm configuration).
- Keycloak issues an access token and a refresh token and redirects back to the UI.
- The UI stores the access token and attaches it to every outbound API request.
Token Validation
Every request the UI makes — to the Control Plane or through the BFF — must carry a valid access token. The receiving service validates the token against Keycloak before processing the request.
Role-Based Access in the UI
Roles are embedded as claims inside the Keycloak token. The Cogrion UI reads these claims to determine which features are visible and which actions are permitted for the current user.
| Role | Access Level |
|---|---|
| platform_admin | Full platform access |
| tenant_admin | Tenant-level administration |
| data_engineer | Pipelines, workflows, catalog, SQL |
| ml_engineer | ML experiments, models, features, AI Gateway |
| data_analyst | SQL Lab, queries, dashboards |
| business_user | Read-only dashboard access |
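
The following is an added example, not Cogrion's own code, of reading role claims in the browser to decide what to display. It assumes roles sit in Keycloak's default `realm_access.roles` claim; `decodeClaims`, `uiRoles` and `makeSampleToken` are hypothetical helper names. The decode step does not verify the signature, so it only drives visibility, and the receiving service's token validation stays the enforcement point.

```javascript
// Role names and access levels are copied from the table on this page.
const ROLE_ACCESS = {
  platform_admin: "Full platform access",
  tenant_admin: "Tenant-level administration",
  data_engineer: "Pipelines, workflows, catalog, SQL",
  ml_engineer: "ML experiments, models, features, AI Gateway",
  data_analyst: "SQL Lab, queries, dashboards",
  business_user: "Read-only dashboard access",
};

// Decode the JWT payload for display logic only. This does NOT verify the
// signature; the receiving service validates the token against Keycloak.
function decodeClaims(token) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
    const padded = b64.padEnd(Math.ceil(b64.length / 4) * 4, "=");
    const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
    const claims = JSON.parse(new TextDecoder().decode(bytes));
    return claims !== null && typeof claims === "object" ? claims : null;
  } catch {
    return null;
  }
}

// Return the page's roles present in the token. A malformed or expired token,
// or a role not in the table, yields no access (deny by default).
// Assumption: roles are in realm_access.roles, Keycloak's default claim.
function uiRoles(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeClaims(token);
  if (!claims || typeof claims.exp !== "number" || claims.exp <= nowSeconds) return [];
  const roles = claims.realm_access && claims.realm_access.roles;
  if (!Array.isArray(roles)) return [];
  // hasOwnProperty, not `in`, so inherited keys such as "toString" never match.
  return roles.filter((r) => typeof r === "string" && Object.prototype.hasOwnProperty.call(ROLE_ACCESS, r));
}

// Constructed sample token with a placeholder signature, not a real Cogrion token.
function makeSampleToken(payload) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.constructed-signature`;
}

const sample = makeSampleToken({
  exp: 2000000000,
  realm_access: { roles: ["data_analyst", "offline_access", "toString"] },
});
console.log(uiRoles(sample, 1900000000).map((r) => `${r}: ${ROLE_ACCESS[r]}`));
```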