Authentication

When run in production mode, the Alumio API requires users to authenticate. Google Sign-In is used for this.

A whitelist of email address domains is used to grant users access to the API. These domains are configured in the .env file of Alumio. Furthermore, specific users can be granted access by adding their email address, either from the dashboard or from the command line with the users:create action.

Local development

When Alumio runs in developer mode, authentication is completely disabled and the API is freely available. To enable development mode, add the following line to your .env.local file: MAGEMENT_ENV=dev

Setup authentication

Create a new OAuth2 application in the Google Cloud console and configure at least the following settings.

  • Authorized JavaScript host:
    • The domain where Alumio is hosted
  • Authorized redirect URL:
    • The domain where Alumio is hosted plus /authentication/redirect, e.g. https://alumio.example.org/authentication/redirect.

Create server environment variables called GOOGLE_OAUTH_CLIENT_ID and GOOGLE_OAUTH_CLIENT_SECRET to store the client ID and client secret of the Google OAuth2 application.

Configure Alumio

The .env.local file of Alumio may contain the following settings, which configure authentication.

  • MAGEMENT_OAUTH2_HOST:
    • The URL of the current Alumio environment
  • MAGEMENT_OAUTH2_REDIRECT_URL:
    • The URL users are redirected to after they are authenticated. Enter the URL of the dashboard.
  • MAGEMENT_OAUTH2_WHITELISTED_DOMAINS:
    • Array of domains that are allowed to access Alumio.
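The access decision described in the Authentication section (whitelisted email domains plus individually granted addresses) is easy to get subtly wrong, so here is an added example of how such a check should behave. It is not Alumio's own code: it takes the email and email_verified claims of an already-verified Google ID token as input, assumes allowed_domains is the parsed value of MAGEMENT_OAUTH2_WHITELISTED_DOMAINS and allowed_users the addresses granted via users:create, and all function and parameter names are hypothetical.

```python
# Added example, not Alumio's code. Demonstrates an allowlist decision for a
# Google Sign-In user. Assumptions: `allowed_domains` is the parsed value of
# MAGEMENT_OAUTH2_WHITELISTED_DOMAINS, `allowed_users` holds individually
# granted addresses, and `email`/`email_verified` come from a Google ID token
# whose signature, issuer, audience and expiry were already verified.
from typing import Iterable, Optional


def normalize_email(email: str) -> Optional[str]:
    """Trim and lower-case an address; return None unless it is 'local@domain'."""
    email = email.strip().lower()
    local, sep, domain = email.rpartition("@")
    # Reject missing '@', empty parts and a second '@' hidden in the local part.
    if not sep or not local or not domain or "@" in local:
        return None
    return f"{local}@{domain}"


def email_domain(email: str) -> str:
    """Return the part after the last '@' of an already normalized address."""
    return email.rpartition("@")[2]


def is_authorized(
    email: str,
    email_verified: bool,
    allowed_domains: Iterable[str],
    allowed_users: Iterable[str],
) -> bool:
    """Decide whether a signed-in Google account may use the API."""
    # Google ID tokens carry an email_verified claim; an address the provider
    # has not verified must not be used for an allowlist decision.
    if not email_verified:
        return False

    candidate = normalize_email(email)
    if candidate is None:
        return False

    # Individually granted users are compared as whole, normalized addresses.
    granted = {normalize_email(u) for u in allowed_users} - {None}
    if candidate in granted:
        return True

    # Domain match is an exact set membership test. A suffix test such as
    # endswith("example.org") would also accept "notexample.org", and a
    # substring test would accept "example.org.attacker.com".
    domains = {d.strip().lower().lstrip("@") for d in allowed_domains}
    domains.discard("")
    return email_domain(candidate) in domains


if __name__ == "__main__":
    # Constructed sample configuration, not real Alumio settings.
    DOMAINS = ["example.org"]
    USERS = ["bob@partner.com"]
    for addr, verified in [
        ("Alice@Example.org", True),
        ("mallory@notexample.org", True),
        ("eve@example.org.attacker.com", True),
        ("bob@partner.com", True),
        ("bob@partner.com", False),
    ]:
        print(addr, verified, "->", is_authorized(addr, verified, DOMAINS, USERS))
```

Subdomains are deliberately not matched: with "example.org" whitelisted, "user@mail.example.org" is refused unless "mail.example.org" is listed as well, which keeps the decision explicit.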