Authentication in Alginte is optional and off by default, matching its
localhost-first trust model. When Alginte is reachable by more than a single trusted
operator, turn a login on.
Without a login and without a network boundary, anyone who can reach the UI has full
control of every connected Kafka cluster. Enable a login or keep Alginte behind a
reverse proxy with network allow-listing (ideally both).
Username / password
The simplest option is a single form-login account, set via environment variables (no
profile required):
With these set, Alginte presents a login screen and requires the credentials before any
cluster access.
OIDC (single sign-on)
Alginte also supports OpenID Connect login against an external identity provider
(Keycloak, and other standard OIDC providers), with an allowlist controlling which
authenticated users are admitted. This lets you delegate identity to your existing SSO
instead of managing a local credential.
See OIDC provider setup for the full guide: what to register
at the provider, the property block, the mandatory allowlist, per-provider
walkthroughs (Keycloak, Google, Microsoft Entra ID, Okta), reverse-proxy notes, and
troubleshooting.
Logout
Once a login is enabled, the signed-in user is shown in the UI with a Sign out
action that ends the session.