Identity and Access Management
Identity and Access Management, or IAM, is the part of AuthGate that handles login and identity.
In plain words, IAM answers:
- Who is this user?
- Which application is the user logging into?
- What roles or permissions should the user have?
- Which token or session proves the login?
Users
A user is a person who can log in.
Examples:
- a customer using your storefront
- an admin managing a dashboard
- a student testing a school project
AuthGate stores user identity data and connects users to clients, roles, and permissions.
OAuth2 clients
An OAuth2 client is the application asking IAM to log a user in.
Examples:
| Application | Client example |
|---|---|
| React storefront | storefront-client |
| Admin dashboard | admin-dashboard-client |
| BFF demo store | bff-demo-store-client |
Important client fields:
| Field | Meaning |
|---|---|
| Client ID | Public identifier for the app. |
| Client secret | Secret used by confidential server-side apps. Browser apps should not store this. |
| Redirect URI | Where IAM is allowed to send the browser after login. |
| Scopes | What identity information the app asks for, such as openid profile email. |
A browser app is a public client. Anything shipped in React, Next.js, Vue, or any other frontend bundle is downloaded by users, so a client secret placed there is not secret at all. Public clients should be registered without a secret and use the authorization code flow with PKCE instead.
Redirect URI
The registered redirect URIs form an allowlist: IAM will only send the browser, and the authorization code, to a URL the client registered in advance.
If your app sends:
redirect_uri=https://my-app.example.com/callback
then the OAuth2 client must have that exact URL registered. The comparison is exact string matching: a different scheme, host, path, trailing slash, or query string is a different URI. Otherwise IAM should reject the login request outright rather than redirect the browser anywhere else.
For BFF gateways, the callback URL is the gateway callback:
https://your-gateway.authgate.site/bff/callback
Tokens and sessions
After a successful OAuth2 login, IAM can issue tokens such as:
| Token | Meaning |
|---|---|
| Access token | Short-lived proof presented to protected APIs, normally as a Bearer token in the Authorization header. |
| ID token | Signed statement of who logged in, for OpenID Connect. The app must verify its signature, issuer, audience, and expiry before trusting it. |
| Refresh token | Used by trusted server-side code to obtain a new access token when the current one expires. It must never reach the browser. |
For direct OAuth2 frontend apps, the frontend OAuth2/OIDC library manages the tokens.
For BFF gateways, AuthGate keeps the OAuth tokens server-side and gives the browser an HttpOnly BFF session cookie instead, so the tokens are never exposed to JavaScript running in the page.
Production IAM URLs
Use these values when configuring OAuth2 tools against production AuthGate:
| Name | URL |
|---|---|
| Issuer | https://iam.authgate.site |
| Discovery | https://iam.authgate.site/.well-known/openid-configuration |
| Authorize | https://iam.authgate.site/oauth2/authorize |
| Token | https://iam.authgate.site/oauth2/token |
| JWKS | https://iam.authgate.site/oauth2/jwks |
The discovery URL is usually the easiest starting point because OAuth2 libraries read the other endpoints from it. Check that the issuer field in the discovery document is exactly https://iam.authgate.site; a library that trusts a document with a different issuer can be pointed at someone else's endpoints.
Roles and permissions
Roles group permissions together, so you assign a role to a user instead of managing individual permissions per user.
Example:
| Role | Example permissions |
|---|---|
| customer | View profile, view own orders |
| manager | Create products, update stock |
| admin | Manage users, manage clients |
For a beginner project, start with login first. Add roles after the basic login and route protection flow works.