Authentication Configuration Guide
March 27, 2026 ยท View on GitHub
This directory contains comprehensive guides for configuring user authentication with the ATT&CK Workbench REST API using OpenID Connect (OIDC).
Overview
The ATT&CK Workbench REST API supports two user authentication mechanisms:
- Anonymous: No authentication required (default, suitable for local development)
- OIDC: OpenID Connect authentication with an external identity provider (recommended for production)
This documentation focuses on OIDC configuration with popular identity providers.
Supported Identity Providers
The REST API is compatible with any OIDC-compliant identity provider. We provide detailed setup guides for:
- Authentik - Open-source identity provider
- Keycloak - Open-source identity and access management
- Okta - Enterprise identity and access management service
Quick Start
Basic OIDC Configuration
All OIDC providers require the following environment variables in your .env file:
# Enable OIDC authentication
AUTHN_MECHANISM=oidc
# OIDC provider settings
AUTHN_OIDC_ISSUER_URL=<your-issuer-url>
AUTHN_OIDC_CLIENT_ID=<your-client-id>
AUTHN_OIDC_CLIENT_SECRET=<your-client-secret>
AUTHN_OIDC_REDIRECT_ORIGIN=<your-workbench-url>
Required OIDC Scopes
The REST API requires these OIDC scopes:
openid(required)email(required)profile(required)
Required Claims
The REST API expects these claims in the ID token:
email- User's email address (used as unique identifier)preferred_username- Usernamename- User's display name
Multiple Environments
If you're running multiple instances (e.g., local development and production), each instance needs its own AUTHN_OIDC_REDIRECT_ORIGIN value, but can share the same Client ID and Secret.
Example:
- Local:
AUTHN_OIDC_REDIRECT_ORIGIN=http://localhost:3000 - Production:
AUTHN_OIDC_REDIRECT_ORIGIN=https://workbench.example.com
In your OIDC provider, configure all redirect URIs:
http://localhost:3000/api/authn/oidc/callbackhttps://workbench.example.com/api/authn/oidc/callback
Service Authentication
For service-to-service communication, the REST API supports three methods:
- API Key Challenge Authentication: Services obtain a JWT using a challenge-response protocol
- API Key Basic Authentication: Services authenticate using HTTP Basic Authentication
- OIDC Client Credentials Flow: Services obtain a JWT from an OIDC provider
User Management
After configuring OIDC, users who log in will be authenticated but will not have any permissions until you create a user account for them in the Workbench.
User Roles
admin- Full access to all featureseditor- Can create and edit objectsvisitor- Read-only accessteam_lead- Editor permissions with team management features
Creating User Accounts
- Have the user log in once (they will see "User not registered" message)
- Create a user account via the REST API or frontend
- Assign appropriate role
- User logs in again and will have assigned permissions
See User Management for detailed instructions.
Troubleshooting
Common Issues
"Invalid redirect URI" error
- Verify the redirect URI in your OIDC provider exactly matches:
<REDIRECT_ORIGIN>/api/authn/oidc/callback - Check that the protocol (http/https) matches
"Invalid issuer" error
- Ensure
AUTHN_OIDC_ISSUER_URLis correct and accessible from the REST API server - Verify the issuer URL includes the correct path (some providers require specific paths)
User authenticated but has no permissions
- Create a user account in the Workbench database
- Verify the email in the user account matches the email claim from the OIDC provider
Claims missing from token
- Check that your OIDC provider is configured to include
email,preferred_username, andnamein the ID token - Verify the scopes include
openid,email, andprofile