Authentication
Local users, OAuth2/OIDC, enterprise SSO, and role-based access control.
Authentication in Open Gauge is designed to be self-hostable end to end — including in fully offline / air-gapped environments — and is never coupled to a cloud-only provider.
Supported authentication modes
- Local users and passwords — the default for small self-hosted installations. Works fully offline; no external dependency.
- OAuth2 / OpenID Connect — for organizations that already run an identity provider.
- Enterprise SSO — via an OIDC-compatible provider. Keycloak is the recommended choice for enterprise deployments that want self-hosted SSO without depending on a cloud identity service.
Authentication sits behind a clear abstraction layer in the backend, so a deployment can move from local auth to Keycloak (or another OIDC provider) without changing any business logic elsewhere in Open Gauge.
Roles (RBAC)
Every user has exactly one role, which governs what they can see and change:
| Role | Typical use |
|---|---|
viewer | Read-only access — browse assets, calibrations, and certificates. |
technician | Day-to-day operational work: add sensors, run calibrations, update locations. |
admin | Organization administration: manage users, teams, procedures. |
superadmin | System-level administration across organizations. |
Protected endpoints reject unauthenticated requests, and role checks are enforced on the backend (not just hidden in the UI) — see the Auth and Admin sections of the API Reference for the exact endpoints each role can reach.
Profile picture
Every user can set a profile picture from Settings → Profile. It appears in the circular
avatar in the top-right of the top bar and on the user's profile page (/users/{id}, reached by
clicking a name anywhere it's mentioned — audit logs, activity, etc.). Users without a picture
fall back to their initials. Uploads are limited to image files under 5MB and are stored in
MinIO like any other attached file (see Data model & concepts).
Session tokens
Once authenticated, the frontend and any API client carry a session token on subsequent requests. See Auth in the API Reference for the exact login/refresh/logout endpoints and payload shapes.