Authentication

When authentication is enabled, FTL clients, eFTL clients, administrative tools, and other FTL servers must authenticate to the FTL server. They can authenticate to the FTL server in one of three ways:

  • Basic authentication: The user provides a username and password.

  • mTLS authentication: The user provides a TLS certificate and its corresponding private key. The FTL server verifies the client's certificate during the TLS handshake.

    Note: mTLS authentication is not supported for eFTL clients or the eFTL REST API.

  • oauth2 authentication: The user provides either a signed JWT, or the URL of an oauth2 server that can issue a signed JWT together with credentials for accessing that server.

For more details, see Authentication.

FTL server supports various authentication providers. Each authentication provider has its own configuration and is used for exactly one of the authentication modes above (basic, mTLS, or oauth2). The purpose of an authentication provider is to determine whether the client has authenticated successfully and, if it has, to determine the client's username and authorization roles. In the case of basic authentication, FTL server can try each basic authentication provider until one succeeds or they all fail.
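The fall-through behaviour described above, modelled as an added example (not FTL's own code or configuration). The class names, provider kinds, PBKDF2 credential storage, and evaluation in configured order are assumptions; the chain also enforces the page's rule that duplicate providers are not allowed.

```python
import hashlib
import hmac
from dataclasses import dataclass

def entry(password, roles, salt=b"constructed-salt"):
    """Build a stored credential: (salt, PBKDF2 hash, roles). Constructed sample data."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest, frozenset(roles)

@dataclass(frozen=True)
class Identity:
    username: str
    roles: frozenset
    provider: str  # which provider accepted the credentials (worth logging)

class TableProvider:
    """Hypothetical stand-in for one basic authentication provider."""
    def __init__(self, kind, users):
        self.kind, self.users = kind, users

    def authenticate(self, username, password):
        if username not in self.users:
            return None
        salt, digest, roles = self.users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            return Identity(username, roles, self.kind)
        return None

class BasicAuthChain:
    def __init__(self, providers):
        kinds = [p.kind for p in providers]
        dupes = sorted({k for k in kinds if kinds.count(k) > 1})
        if dupes:  # one provider per kind, as the text requires
            raise ValueError(f"duplicate providers: {dupes}")
        self.providers = list(providers)

    def authenticate(self, username, password):
        for provider in self.providers:  # assumed order: as configured
            identity = provider.authenticate(username, password)
            if identity is not None:
                return identity  # first success wins
        return None  # every provider rejected the credentials

# Constructed sample: "admin" exists in both providers with different roles.
flat = TableProvider("flat-file", {"admin": entry("file-pw", {"admin"})})
ldap = TableProvider("ldap", {"admin": entry("ldap-pw", {"monitor"})})
chain = BasicAuthChain([flat, ldap])
```

With the constructed data, `admin` authenticates with either password, and the roles returned depend on which provider accepted the credentials, so usernames that overlap across providers are worth auditing.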

The following are the supported authentication providers. More than one provider can be configured, but duplicate providers are not allowed. For example, it is illegal to configure multiple flat file authentication providers, but it is legal to configure a flat file provider and an LDAP provider.