Authentication & RBAC
Artifact Keeper provides comprehensive authentication and authorization features to secure your artifact registry.
Authentication Methods
JWT-Based Authentication
Artifact Keeper uses JSON Web Tokens (JWT) for stateless authentication:
- Access tokens: Short-lived tokens (default 15 minutes) for API requests
- Refresh tokens: Long-lived tokens (default 7 days) to obtain new access tokens
- Tokens are signed with HS256 using the JWT_SECRET environment variable
Login Flow
```
# Login to get tokens
curl -X POST https://registry.example.com/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": "admin"}'

# Response includes access_token and refresh_token
{
  "access_token": "eyJhbGc...",
  "refresh_token": "eyJhbGc...",
  "expires_in": 900
}

# Use access token in subsequent requests
curl -H "Authorization: Bearer eyJhbGc..." \
  https://registry.example.com/api/v1/repositories
```
Token Refresh
```
# Refresh access token before expiration
curl -X POST https://registry.example.com/api/v1/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{"refresh_token": "eyJhbGc..."}'
```
API Tokens
API tokens provide programmatic access without username/password:
- Scoped to specific repositories or operations
- Support expiration dates
- Can be revoked individually
- Ideal for CI/CD pipelines
```
# Create API token
curl -X POST https://registry.example.com/api/v1/users/me/tokens \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "CI Pipeline Token",
    "scopes": ["repository:read", "repository:write"],
    "expires_at": "2027-12-31T23:59:59Z"
  }'

# Use API token
curl -H "Authorization: Bearer $API_TOKEN" \
  https://registry.example.com/api/v1/packages
```
Default Credentials
The system ships with default administrator credentials:
- Username: admin
- Password: admin
Important: You must change the default password on first login. The system will enforce this requirement.
Role-Based Access Control (RBAC)
Artifact Keeper implements three built-in roles:
Admin Role
Full system access including:
- User and group management
- Repository creation and deletion
- Security policy configuration
- System settings and backups
- Plugin management
User Role
Standard user permissions:
- Upload and download artifacts (where granted)
- Create repositories (if enabled)
- View security scan results
- Manage own API tokens
Viewer Role
Read-only access:
- Browse and download artifacts (where granted)
- View repository metadata
- View security scan results
- Cannot upload or modify data
Repository-Level Permissions
Fine-grained permissions can be assigned at the repository level:
Permission Types
- Read: Download artifacts, view metadata
- Write: Upload artifacts, update metadata
- Delete: Remove artifacts
- Admin: Full repository control including permissions
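As an added example (not Artifact Keeper's own code), the following Python models how the three built-in roles and the four repository-level permission types combine into one authorization decision, using the repository, user and group ids from the curl examples on this page. The semantics are assumptions drawn from the role descriptions: the admin role allows everything, the viewer role is capped at read even when granted more, the user role gets exactly its direct and group grants, a repository admin grant implies read, write and delete, and anything else is denied.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Built-in roles and repository-level permission types named on this page.
ROLE_ADMIN, ROLE_USER, ROLE_VIEWER = "admin", "user", "viewer"
PERMISSIONS = ("read", "write", "delete", "admin")


@dataclass
class User:
    id: str
    role: str
    groups: Set[str] = field(default_factory=set)   # group ids the user belongs to


@dataclass
class Grant:
    """One entry as posted to /api/v1/permissions: names a user_id or a group_id."""
    repository_id: str
    permissions: Set[str]
    user_id: Optional[str] = None
    group_id: Optional[str] = None


def effective_permissions(user: User, repo: str, grants: List[Grant]) -> Set[str]:
    """Union of direct and group grants on one repository (assumed semantics)."""
    perms: Set[str] = set()
    for g in grants:
        if g.repository_id != repo:
            continue
        if g.user_id == user.id or (g.group_id is not None and g.group_id in user.groups):
            perms |= g.permissions
    if "admin" in perms:             # assumed: repository admin implies the other three
        perms |= {"read", "write", "delete"}
    return perms


def is_allowed(user: User, repo: str, action: str, grants: List[Grant]) -> bool:
    """Deny by default; only the three built-in roles can ever be allowed."""
    if action not in PERMISSIONS:
        raise ValueError(f"unknown permission {action!r}")
    if user.role == ROLE_ADMIN:      # Admin role: full system access
        return True
    perms = effective_permissions(user, repo, grants)
    if user.role == ROLE_VIEWER:     # Viewer: read-only even if granted more
        return action == "read" and "read" in perms
    if user.role == ROLE_USER:       # User: exactly what was granted
        return action in perms
    return False
```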
Assigning Permissions
```
# Grant user write access to repository
curl -X POST https://registry.example.com/api/v1/permissions \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "repository_id": "repo-123",
    "user_id": "user-456",
    "permissions": ["read", "write"]
  }'

# Grant group permissions
curl -X POST https://registry.example.com/api/v1/permissions \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "repository_id": "repo-123",
    "group_id": "group-789",
    "permissions": ["read"]
  }'
```
Groups
Organize users into groups for easier permission management:
```
# Create group
curl -X POST https://registry.example.com/api/v1/groups \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "developers",
    "description": "Development team"
  }'

# Add users to group
curl -X POST https://registry.example.com/api/v1/groups/group-789/members \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "user_ids": ["user-456", "user-890"]
  }'
```
LDAP Integration
Integrate with your existing LDAP directory for centralized authentication:
Configuration
Set these environment variables:
```
LDAP_URL=ldap://ldap.example.com:389
LDAP_BASE_DN=dc=example,dc=com
LDAP_BIND_DN=cn=admin,dc=example,dc=com
LDAP_BIND_PASSWORD=secret
LDAP_USER_FILTER=(uid={username})
LDAP_SYNC_INTERVAL=3600  # Sync every hour
```
How It Works
- User attempts login with LDAP credentials
- Artifact Keeper binds to LDAP server
- User DN is resolved using LDAP_USER_FILTER
- Authentication is verified against LDAP
- User is created locally on first login
- JWT tokens are issued for API access
Group Synchronization
LDAP groups can be mapped to Artifact Keeper groups:
```
LDAP_GROUP_FILTER=(memberUid={username})
LDAP_GROUP_BASE_DN=ou=groups,dc=example,dc=com
LDAP_GROUP_ATTRIBUTE=cn
```
OIDC/SSO Integration
Support for OpenID Connect (OIDC) enables SSO with providers like:
- Okta
- Auth0
- Keycloak
- Azure AD
- Google Workspace
Configuration
```
OIDC_ISSUER=https://accounts.google.com
OIDC_CLIENT_ID=your-client-id.apps.googleusercontent.com
OIDC_CLIENT_SECRET=your-client-secret
OIDC_REDIRECT_URI=https://registry.example.com/api/v1/auth/oidc/callback
OIDC_SCOPES=openid,email,profile
```
Authorization Code Flow
- User clicks “Login with SSO” in web UI
- Redirected to OIDC provider
- User authenticates with provider
- Provider redirects back with authorization code
- Artifact Keeper exchanges code for ID token
- User is created/updated locally
- JWT access and refresh tokens issued
Claims Mapping
Map OIDC claims to user attributes:
```
OIDC_USERNAME_CLAIM=preferred_username
OIDC_EMAIL_CLAIM=email
OIDC_NAME_CLAIM=name
OIDC_GROUPS_CLAIM=groups
```
Security Best Practices
Strong JWT Secrets
Generate a cryptographically secure secret:
```
openssl rand -base64 64
```
Set in environment:
```
JWT_SECRET=your-generated-secret
```
Token Expiration
Configure appropriate token lifetimes:
```
JWT_ACCESS_TOKEN_EXPIRY=900      # 15 minutes
JWT_REFRESH_TOKEN_EXPIRY=604800  # 7 days
```
HTTPS Only
Always use HTTPS in production:
```
REQUIRE_HTTPS=true
```
Rate Limiting
Protect against brute force attacks:
```
RATE_LIMIT_LOGIN=5     # Max 5 login attempts
RATE_LIMIT_WINDOW=300  # Per 5 minutes
```
Audit Logging
Enable comprehensive audit logs:
```
AUDIT_LOG_ENABLED=true
AUDIT_LOG_PATH=/var/log/artifact-keeper/audit.log
```
Troubleshooting
Token Validation Failures
Check that JWT_SECRET matches across all backend instances.
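As an added example (not Artifact Keeper's own code), the following Python mints and verifies HS256 tokens the way the JWT section above describes, with the default 900-second access lifetime, and reports the two failures this troubleshooting entry and the Token Expiration setting are about: a signature check that fails because the verifying instance holds a different JWT_SECRET, and an exp claim that has passed. The claim names other than exp and the error strings are assumptions; the page does not specify the token payload.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ACCESS_TOKEN_EXPIRY = 900  # JWT_ACCESS_TOKEN_EXPIRY default (15 minutes)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(secret: str, sub: str, ttl: int, typ: str, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT (header.payload.signature). Claim names are assumed."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "typ": typ, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify(secret: str, token: str, now: Optional[int] = None) -> dict:
    """Return the claims, or raise ValueError naming the reason validation failed."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, fixes the algorithm
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature: verifying instance has a different JWT_SECRET")
    claims = json.loads(_b64url_decode(payload_b64))
    if now >= claims.get("exp", 0):  # a missing exp is treated as already expired
        raise ValueError("token expired")
    return claims


def check(secret: str, token: str, now: Optional[int] = None) -> str:
    """'ok' or the failure reason, for quick diagnosis of validation failures."""
    try:
        verify(secret, token, now)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

Run check() with the secret from each backend instance against one token: a "bad signature" result on some instances and "ok" on others is the mismatched JWT_SECRET this entry describes.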
LDAP Connection Issues
Test LDAP connectivity:
```
ldapsearch -x -H $LDAP_URL -b $LDAP_BASE_DN -D $LDAP_BIND_DN -w $LDAP_BIND_PASSWORD
```
OIDC Configuration
Verify redirect URI is registered with your OIDC provider and matches OIDC_REDIRECT_URI exactly.