Authentication and Security

Overview

The Jaxon platform uses Authentik as its identity provider for all authentication and authorization. Authentik provides OAuth2/OIDC-based single sign-on and user management through a dedicated admin portal.

Logging In

  1. Navigate to the platform URL in a browser.
  2. The browser redirects to the Authentik login page.
  3. Enter credentials and complete the login flow.
  4. Once authenticated, the browser redirects back to the platform with the session active.

Sessions expire automatically after a configured period. When this happens, the browser redirects to the login page again.

Security Groups

Access within the platform is organized by Authentik security groups. Groups function as teams -- they own assets at a project level. Users can belong to one or more groups, and platform resources (documents, rulesets, datasets, runs) are scoped to the group that created them.

Groups are not tied to fixed permission levels. Organizations define groups based on team structure (e.g., by department, project, or compliance area). The X-Jaxon-Active-Group header in API requests determines which group context is active for a given operation.

API Authentication

The REST API supports two authentication methods, depending on the context:

Jaxon UI (browser-based)

The Jaxon web application authenticates users via OAuth 2.0 Authorization Code with PKCE. When a user logs in through the UI, the browser performs the PKCE flow against Authentik to obtain an access token. The UI then includes this token in all API requests on behalf of the logged-in user. This flow is handled automatically by the UI and requires no manual configuration.

Standalone API Access (programmatic)

For programmatic or service-to-service access outside the UI, the API uses OAuth 2.0 Client Credentials Grant. A platform administrator creates a service account in Authentik and issues an API key. The API key is exchanged for a JWT access token, which is then included in API requests along with the X-Jaxon-Active-Group header. See API Reference for the full authentication flow, curl examples, and required headers.

Administrator Access

Administrators manage users, groups, and security configuration through the Authentik admin portal at <host>/if/admin/.

Administrators are responsible for:

  • Creating and maintaining user accounts
  • Creating and managing security groups
  • Assigning users to groups
  • Managing service accounts for automation
  • Configuring authentication policies

Managing Users

  1. Log in to the Authentik admin portal.
  2. Navigate to Directory > Users.
  3. Click Create to add a new user, or select an existing user to modify.

Managing Groups

  1. Navigate to Directory > Groups.
  2. Select a group or create a new one.
  3. Under the Members tab, add or remove users.

Assigning Users to Groups

Every user (including service accounts) must be assigned to at least one group before they can use the platform. The X-Jaxon-Active-Group header is required on all API requests, and the UI provides a group dropdown where the active group can be selected. The dropdown defaults to the first group in alphabetical order. A user without any group membership cannot access any platform functionality.

Group membership determines which assets are visible and accessible. Documents, rulesets, datasets, runs, and other resources are scoped to the group that created them. A user only sees assets belonging to the currently active group.

The auditor group is a special case. Members of the auditor group have read-only access to the activity log across all groups, enabling compliance review and audit oversight without requiring membership in each individual group.
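As an added illustration of the group-context rules described here and under Security Groups (example code in Python, not Jaxon's own), a server-side check that binds a request to an active group. It assumes the signature-verified access token carries a `groups` claim listing the caller's Authentik group names; the sample claims and assets are constructed.

```python
ACTIVE_GROUP_HEADER = "X-Jaxon-Active-Group"
AUDITOR_GROUP = "auditor"  # read-only access to the activity log across all groups


class AuthorizationError(Exception):
    """Raised when a request cannot be bound to a group the caller belongs to."""


def default_group(claims):
    """Mirror the UI dropdown default: the first group in alphabetical order."""
    groups = sorted(claims.get("groups", []))
    return groups[0] if groups else None


def resolve_active_group(headers, claims):
    """Return the group named by the header, after checking the caller belongs to it.

    The header is client-supplied and is never trusted on its own.
    """
    groups = set(claims.get("groups", []))
    if not groups:
        raise AuthorizationError("user has no group membership")
    active = None
    for name, value in headers.items():  # HTTP header names are case-insensitive
        if name.lower() == ACTIVE_GROUP_HEADER.lower():
            active = value.strip()
    if not active:
        raise AuthorizationError(f"missing {ACTIVE_GROUP_HEADER} header")
    if active not in groups:
        raise AuthorizationError(f"caller is not a member of group {active!r}")
    return active


def visible_assets(assets, active_group):
    """Assets (documents, rulesets, datasets, runs) are scoped to their creating group."""
    return [a for a in assets if a["owner_group"] == active_group]


def can_read_activity_log(claims, active_group, entry_group):
    """Normal users see only their active group's log; auditors see every group's."""
    return entry_group == active_group or AUDITOR_GROUP in claims.get("groups", [])


# Constructed sample data (not from the page).
SAMPLE_CLAIMS = {"sub": "alice", "groups": ["finance", "compliance"]}
SAMPLE_ASSETS = [
    {"id": "doc-1", "owner_group": "finance"},
    {"id": "doc-2", "owner_group": "engineering"},
]
```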

To assign a user to a group:

  1. Log in to the Authentik admin portal.
  2. Navigate to Directory > Groups and select the target group.
  3. Select the Members tab.
  4. Click Add existing user and search for the user to add.
  5. Click Add to confirm.

Alternatively, from the user side:

  1. Navigate to Directory > Users and select the user.
  2. Select the Groups tab.
  3. Click Add to existing group and select the target group.

Changes take effect immediately in Authentik. Because group membership is read into the session at login, users may need to log out and back in before the platform reflects the new memberships.