Concepts and Background
Bacula Enterprise Only
This solution is only available for Bacula Enterprise. For subscription inquiries, please reach out to sales@baculasystems.com.
This section provides the essential terminology used throughout the OAuth2/OIDC configuration process so that the configuration steps are easier to map to your identity provider.
Introduction to Identity Providers and IAM
An identity provider (IdP) manages user identities and authentication. It verifies who a user is and issues tokens that applications can trust. Many IdPs also provide Single Sign-On (SSO) services and directory integration.
An identity manager or Identity and Access Management (IAM) system covers a broader scope, including the lifecycle of identities, access policies, and permissions across applications. IdPs are a core part of IAM, but IAM systems generally include provisioning, deprovisioning, access audits, and policy enforcement in addition to authentication.
Introduction to OAuth 2.0
OAuth 2.0 is an industry-standard authorization protocol that allows applications to access user resources without exposing user credentials. In the context of BWeb, OAuth 2.0 is used to delegate authentication to a trusted IdP and receive authorization data (tokens and claims) that BWeb can interpret.
Core Concepts
Resource Owner: The user who authorizes access to their resources.
Client: The application requesting access. In this case, BWeb.
Authorization Server: Authenticates the user and issues tokens. This is the IdP.
Resource Server: Validates access tokens and provides protected resources.
Access Token: Short-lived credential used to access protected resources.
Refresh Token (optional): Long-lived credential used to obtain new access tokens without re-authenticating the user.
Common Grant Types
Authorization Code Grant: Standard for web applications, using a secure server-to-server token exchange after user authentication.
Client Credentials Grant: Machine-to-machine authentication without a user context.
Implicit Grant (deprecated): Older browser-based flow now discouraged.
Device Authorization Grant: Used for input-constrained devices.
BWeb OpenID/OAuth 2.0 integration uses the Authorization Code Grant.
Introduction to OpenID Connect (OIDC)
OpenID Connect (OIDC) extends OAuth 2.0 by adding an identity layer. While OAuth 2.0 answers “Is this app allowed to access a specific resource?”, OIDC answers “Who is the user?”.
OIDC adds an ID Token, typically a JSON Web Token (JWT) that contains user identity claims such as a unique identifier, name, and email address. OIDC also provides a UserInfo endpoint and a Discovery document (.well-known/openid-configuration) for automatic configuration.
This allows BWeb to authenticate users via the IdP without storing or managing passwords locally.
For detailed information, see the OpenID Connect specification: https://openid.net/specs/openid-connect-core-1_0.html
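The three client-side steps of the Authorization Code Grant described above (redirect with state and nonce, callback with the code, validation of the returned ID token) as an added example that is not BWeb or OAuth2-Proxy code. It uses only the Python standard library; the issuer, client_id, redirect URI, shared secret and token claims are constructed values, and the ID token is signed with HS256 so the example runs offline, whereas real IdPs normally sign with RS256 and publish their keys at the jwks_uri from the Discovery document.

```python
"""Added example (not BWeb or OAuth2-Proxy code): the three client-side steps
of the Authorization Code flow with OIDC, using only the standard library.
The ID token is signed with HS256 and a constructed shared secret so the
example runs offline; real IdPs normally use RS256 and publish their keys at
the jwks_uri from the discovery document."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values (assumptions, not real BWeb or IdP identifiers).
ISSUER = "https://idp.example.com"
CLIENT_ID = "bweb-client"
REDIRECT_URI = "https://bweb.example.com/oauth2/callback"
SHARED_SECRET = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_url(authorization_endpoint: str, state: str, nonce: str) -> str:
    """Step 1: the client redirects the browser to the IdP. `state` ties the
    callback to this browser session (CSRF defence); `nonce` ties the ID token
    to this login attempt (replay defence)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
    }
    return f"{authorization_endpoint}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: the IdP redirects to /oauth2/callback?code=...&state=...;
    the code is only usable if `state` matches what this session sent."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in query:
        raise ValueError(f"IdP returned error: {query.get('error', ['unknown'])[0]}")
    return query["code"][0]


def make_id_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Stand-in for the IdP's token endpoint: mint an HS256 JWT over `claims`
    (what the client receives when it exchanges the code server-to-server)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def validate_id_token(token: str, expected_nonce: str, now=None,
                      secret: bytes = SHARED_SECRET) -> dict:
    """Step 3: checks from OpenID Connect Core 3.1.3.7 the client must perform
    before trusting the identity claims. Returns the claims or raises."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose it (e.g. alg "none").
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience does not include this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims
```

The order of checks in validate_id_token matters: the signature is verified before any claim is read, and iss, aud, exp and nonce are all required, because a token that is merely well-formed and signed by some key proves nothing about which IdP issued it or for which client.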
What BWeb Uses from OIDC
For the integration to work reliably, BWeb and OAuth2-Proxy depend on a few specific OIDC elements:
Issuer URL (oidc_issuer_url): the trusted token issuer and discovery base URL.
Client credentials (client_id and client_secret): used by OAuth2-Proxy to perform token exchanges securely.
Claims containing group/role data: used by BWeb to map users to internal permissions.
Redirect URI (/oauth2/callback): where the IdP sends users after authentication.
If any of these items are missing or inconsistent, authentication may succeed but authorization inside BWeb can still fail.
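A pre-flight consistency check over the four elements listed above, as an added example that is not BWeb or OAuth2-Proxy code. The operator configuration (including the key names), the Discovery document, the redirect URIs registered at the IdP and the decoded token claims are all constructed inline; in a real deployment the Discovery document is fetched from the issuer's .well-known/openid-configuration and the claims come from a validated ID token.

```python
"""Added example (not BWeb or OAuth2-Proxy code): a pre-flight check of the
four OIDC elements the integration depends on. Configuration, discovery
document, registered redirect URIs and token claims are constructed inline;
in a real deployment the discovery document comes from
<oidc_issuer_url>/.well-known/openid-configuration."""
import json

# Constructed operator configuration (assumed key names).
CONFIG = {
    "oidc_issuer_url": "https://idp.example.com/realms/bacula",
    "client_id": "bweb",
    "client_secret": "constructed-secret",
    "redirect_uri": "https://bweb.example.com/oauth2/callback",
    "group_claim": "groups",
}

# Constructed discovery document, as the IdP would serve it (paths are assumed).
DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example.com/realms/bacula",
    "authorization_endpoint": "https://idp.example.com/realms/bacula/auth",
    "token_endpoint": "https://idp.example.com/realms/bacula/token",
    "userinfo_endpoint": "https://idp.example.com/realms/bacula/userinfo",
    "jwks_uri": "https://idp.example.com/realms/bacula/certs",
})

# Constructed: redirect URIs registered for the client on the IdP side.
REGISTERED_REDIRECT_URIS = ["https://bweb.example.com/oauth2/callback"]

# Constructed: claims from a decoded ID token of a test user.
SAMPLE_CLAIMS = {"sub": "alice", "email": "alice@example.com", "groups": ["backup-admins"]}


def check_oidc_setup(config: dict, discovery_json: str,
                     registered_redirect_uris: list, token_claims: dict) -> list:
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    discovery = json.loads(discovery_json)

    # 1. Issuer: the `issuer` in the discovery document must equal the
    #    configured URL exactly. Every token's `iss` claim is compared against
    #    it, so a trailing slash or http/https drift breaks token validation
    #    even though the IdP login itself appears to succeed.
    configured = config["oidc_issuer_url"]
    issuer = discovery.get("issuer")
    if issuer != configured:
        hint = ""
        if issuer and issuer.rstrip("/") == configured.rstrip("/"):
            hint = " (differs only by a trailing slash)"
        problems.append(f"issuer mismatch{hint}: configured={configured!r} discovery={issuer!r}")
    for endpoint in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not discovery.get(endpoint):
            problems.append(f"discovery document lacks {endpoint}")

    # 2. Client credentials: both are needed for the code-for-token exchange.
    for key in ("client_id", "client_secret"):
        if not config.get(key):
            problems.append(f"{key} is empty; token exchange will be rejected")

    # 3. Redirect URI: must be registered at the IdP exactly as configured.
    if config["redirect_uri"] not in registered_redirect_uris:
        problems.append(f"redirect_uri {config['redirect_uri']!r} is not registered at the IdP")

    # 4. Group/role claim: without it the user authenticates, but BWeb has
    #    nothing to map to internal permissions.
    groups = token_claims.get(config["group_claim"])
    if not groups:
        problems.append(f"claim {config['group_claim']!r} missing or empty in ID token; "
                        "user would log in with no BWeb permissions")
    return problems


if __name__ == "__main__":
    for problem in check_oidc_setup(CONFIG, DISCOVERY_JSON, REGISTERED_REDIRECT_URIS, SAMPLE_CLAIMS) or ["OK"]:
        print(problem)
```

Check 4 is the one that produces the "login works but nothing is authorized" symptom mentioned above: the IdP will happily issue a token for a user whose groups are not included in the claims (often because the client's scope or claim mapping on the IdP side omits them), so it is worth running this check against a real decoded token for a test user before rolling the integration out.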
Introduction to Single Sign-On (SSO)
Single Sign-On (SSO) allows users to access multiple applications with one login session. With OIDC-based SSO, a user who has already authenticated with the IdP can access BWeb without re-entering credentials.
SSO provides tangible operational and security benefits:
Convenience: One login gives access to multiple services.
Security: Centralized authentication and policy enforcement.
Consistency: Unified identity management across applications.
Scalability: Easier onboarding for new applications.
BWeb can be listed as an application in the IdP dashboard, enabling one-click access for authorized users.