Version: v0.25.0 (Latest)

Operator Sign-in

Platform administration calls, from tenant registration onward, carry a bearer token for the platform operator. Setup creates or reconciles the platform tenant, its hosted authorization server, and the operator account before the setup gate closes. This page shows how the operator obtains the token after the issued license has been installed.

The operator account

First-run setup provisions the operator account from the values posted to /api/platform/setup/v1/bootstrap. Full mounted-bootstrap deployments can seed the same values from platform.onboarding.operator.*. A license-only offline mount does not create this account; use the onboarding web interface or the setup REST API to create the operator before sign-in. Offline license resources are valid for production as well as for evaluation and development. The mounted initial credential is the dev-mode-only part: development deployments may use it as a break-glass credential, while production deployments use the normal account activation flow.

After the license is active and the account exists, the normal operator entry point is:

https://platform.<base-domain>/admin-console

For example, a deployment on example.com uses https://platform.example.com/admin-console.

The client

The operator authenticates using the OAuth2 authorization code flow with PKCE, through a public client registered in the AS configuration under oauth2.clients.<id>. A public client has a token-endpoint-auth-method of none: it holds no client secret, and PKCE binds the authorization code to the party that started the flow. This suits both command-line tooling and browser-based admin frontends, since neither can keep a secret.

The flow

The chain of requests below is the same one a browser performs when a person signs in interactively and the one the provisioning scripts run headlessly.

The client opens the authorization endpoint with a PKCE challenge. The AS responds with a redirect to its hosted login page:

01 Start authorization request

Endpoint: GET /authorize

Captured response: 302 Found

The captured endpoints in this flow are shown from the E2E run; they are not mapped to one of the generated EDK REST API reference pages.

The login page is a plain HTML form served by the AS. The hidden fields carry the authorization session, so the form post resumes the right flow:

02 Open login page

Endpoint: GET /login

Captured response: 200 OK


Submitting the operator username and password validates the credentials against the platform tenant's identity store and redirects back into the authorization flow:

03 Submit operator credentials

Endpoint: POST /login

Captured response: 302 Found


The callback completes the authorization request and redirects to the client's registered redirect URI with the authorization code:

04 Resume authorization callback

Endpoint: GET /authorize/callback

Captured response: 302 Found


The client exchanges the code at the token endpoint, presenting the PKCE verifier:

05 Exchange code for operator token

Endpoint: POST /token

Captured response: 200 OK

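
The client side of steps 01, 04 and 05, as an added example that is not part of this page or the project's own tooling: it generates the PKCE pair, builds the /authorize request, checks the callback redirect before accepting the code, and assembles the /token form body. AS_BASE, CLIENT_ID and REDIRECT_URI are assumed placeholder values; the real ones come from the AS configuration, and the login form post (steps 02 and 03) is left to the HTTP client.

```python
import base64, hashlib, secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for illustration; the real ones come from the AS configuration.
AS_BASE = "https://platform.example.com"   # hosted authorization server origin
CLIENT_ID = "admin-console"                 # the oauth2.clients.<id> public client
REDIRECT_URI = "https://platform.example.com/admin-console/callback"


def pkce_pair(verifier: str = "") -> tuple:
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    if not verifier:  # 32 random bytes -> 43-char unpadded base64url verifier
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def authorize_url(challenge: str, state: str) -> str:
    """Step 01: the GET /authorize request the client opens; no secret is sent."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    return f"{AS_BASE}/authorize?{urlencode(params)}"


def code_from_callback(location: str, expected_state: str) -> str:
    """Step 04: extract the code from the 302 Location; reject redirects this client did not start."""
    parsed = urlparse(location)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        raise ValueError("redirect target is not the registered redirect URI")
    query = parse_qs(parsed.query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this flow")
    if "code" not in query:
        raise ValueError("callback carried no authorization code")
    return query["code"][0]


def token_request_body(code: str, verifier: str) -> dict:
    """Step 05: form fields for POST /token; the verifier stands in for a client secret."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }
```

The verifier must be kept in memory by the same client instance from step 01 to step 05; the AS will refuse the exchange if the SHA-256 of the presented verifier does not match the challenge it recorded.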

The token

The access token is an RFC 9068 JWT. Two claims matter for platform administration:

  • roles is the RFC 9068 authorization claim and includes platform-admin for the operator.
  • tenant_id identifies the platform tenant the token is bound to.

Platform-admin endpoints validate the bearer token against the authorization server's JWKS and bind the session to the token's tenant. The endpoints this token is used against are documented in the Platform Admin API reference.

With the operator token in hand, continue with registering the first tenant.