Authentication & Authorization
BoilStream provides enterprise-grade JWT-based authentication and fine-grained authorization to secure your data streaming operations. The system supports multiple identity providers and implements a flexible 3-level authorization hierarchy.
Overview
BoilStream's security model consists of two main components:
- Authentication: Verifying user identity using JWT tokens from trusted providers
- Authorization: Controlling access to resources based on user groups, scopes, and identity
Supported Identity Providers
BoilStream supports the following enterprise SSO providers:
| Provider | Status | Multi-tenant | Custom Claims |
|---|---|---|---|
| AWS Cognito | ✅ Production Ready | No | Limited |
| Azure AD (Entra ID) | ✅ Production Ready | ✅ Yes | Yes |
| Google Cloud Platform | ✅ Production Ready | ✅ Workspace | ✅ Configurable |
| Auth0 | ✅ Production Ready | ✅ Yes | ✅ Configurable |
| Okta | ✅ Production Ready | ✅ Yes | ✅ Configurable |
3-Level Authorization Hierarchy
BoilStream implements a prioritized authorization system with three levels:
Level 1: Groups/Roles (Highest Priority)
- Primary authorization mechanism
- Provider-specific group mappings
- Admin, read-only, and write groups
Level 2: Scopes/Permissions (API-level)
- OAuth 2.0 style scopes for API access
- Fine-grained operation control
- Can require specific scopes for read/write/admin operations
Level 3: User Identity (User-specific)
- Individual user access rules
- Topic-specific permissions
- Lowest priority, used for edge cases
Security Features
JWT Token Validation
- Signature Verification: RSA/ECDSA signature validation using JWKS
- Claims Validation: Issuer, audience, expiration, and custom claims
- JWKS Caching: Automatic key rotation support with TTL-based caching
Access Control
- Resource-based Authorization: Control access to topics, admin functions, metrics
- Action-based Permissions: Separate read, write, publish, subscribe, admin actions
- Topic-level Security: Fine-grained per-topic access control
Production Security
- TLS Encryption: All FlightRPC communications encrypted in transit
- Audit Logging: Comprehensive authentication and authorization logging
- Graceful Degradation: The server still runs with authentication disabled, intended for development use only
When to Use Authentication
Enable Authentication When:
- ✅ Running in production environments
- ✅ Multi-tenant deployments
- ✅ Compliance requirements (SOC2, GDPR, etc.)
- ✅ Sensitive data processing
- ✅ External client access
Skip Authentication When:
- ⚠️ Development and testing environments
- ⚠️ Internal, trusted network deployments
- ⚠️ Single-user scenarios
- ⚠️ Performance testing (reduces overhead)
Security Consideration
Always enable authentication in production environments. Running without authentication exposes all data and administrative functions to any network client.
Configuration Overview
Authentication is configured entirely through environment variables, making it ideal for containerized deployments:
```bash
# Enable authentication with multiple providers
AUTH_PROVIDERS="cognito,azure-ad,gcp"

# Configure authorization rules
ADMIN_GROUPS="boilstream-admins,data-engineers"
READ_ONLY_GROUPS="analysts,viewers"
WRITE_GROUPS="producers,data-writers"
```
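The following is an added illustration of how the 3-level hierarchy from the section above can be evaluated against the group variables just shown; it is example code, not BoilStream's own implementation. It assumes "first level that can decide wins, otherwise deny", an admin > write > read privilege ordering, and the scope names and per-user rules it defines itself, none of which the page specifies.

```python
import os
from dataclasses import dataclass

# Assumed privilege ordering: admin implies write implies read.
RANK = {"read": 1, "write": 2, "admin": 3}
# Scope names are assumptions; the page does not name the scopes BoilStream requires.
SCOPE_GRANT = {"boilstream:read": "read", "boilstream:write": "write", "boilstream:admin": "admin"}
# Hypothetical level-3 rules: explicit (topic, action) allowances for individual subjects.
USER_RULES = {"svc-legacy": {("legacy-events", "read"), ("legacy-events", "write")}}


@dataclass(frozen=True)
class Principal:
    """Claims of an already-validated JWT (constructed for this example)."""
    sub: str
    groups: frozenset
    scopes: frozenset


def csv_set(value):
    """Parse the comma-separated form used by ADMIN_GROUPS, WRITE_GROUPS, READ_ONLY_GROUPS."""
    return {g.strip() for g in value.split(",") if g.strip()}


def authorize(p, action, topic, env=None):
    """Return (allowed, reason). The highest level able to decide wins; default is deny."""
    if action not in RANK:
        return False, f"unknown action {action!r}"
    env = os.environ if env is None else env
    grants = [("admin", csv_set(env.get("ADMIN_GROUPS", ""))),
              ("write", csv_set(env.get("WRITE_GROUPS", ""))),
              ("read", csv_set(env.get("READ_ONLY_GROUPS", "")))]
    need = RANK[action]
    # Level 1: groups. The most privileged matching group decides, even if that is a deny.
    matched = [level for level, members in grants if p.groups & members]
    if matched:
        best = max(matched, key=RANK.get)
        return RANK[best] >= need, f"level1 group grant={best}"
    # Level 2: scopes, same rule applied to the strongest recognised scope on the token.
    scoped = [SCOPE_GRANT[s] for s in p.scopes if s in SCOPE_GRANT]
    if scoped:
        best = max(scoped, key=RANK.get)
        return RANK[best] >= need, f"level2 scope grant={best}"
    # Level 3: per-user, per-topic rules; admin actions are never granted this way.
    if p.sub in USER_RULES:
        ok = action != "admin" and (topic, action) in USER_RULES[p.sub]
        return ok, f"level3 user rule sub={p.sub}"
    return False, "default deny"
```

The reason string is what you would write to the audit log alongside the decision, so a denied write from a read-only group member is traceable to the level that decided it.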
Quick Start
For a complete setup example, see our provider-specific guides:
- AWS Cognito Setup - Enterprise user pools
- Azure AD Setup - Microsoft 365 integration
- Google Cloud Setup - Workspace and Cloud Identity
- Auth0 Setup - Universal identity platform
- Okta Setup - Enterprise identity and access management
Next Steps
- Choose Your Provider: Select the identity provider that matches your organization
- Configure Environment Variables: Set up authentication credentials and rules
- Test Authentication: Verify JWT tokens are properly validated
- Deploy with Security: Enable TLS and proper network security
Ready to secure your BoilStream deployment? Start with the Environment Variables guide to understand all configuration options.