# Authentication
Teabar supports multiple authentication methods to accommodate different use cases, from simple magic links for workshops to enterprise SSO integration.
## Authentication Methods
| Method | Description | Best For |
|---|---|---|
| Magic Link | One-time link sent via email | Remote workshops, no account needed |
| SSO (SAML/OIDC) | Customer’s identity provider | Enterprise, existing accounts |
| Credentials | Username/password created by educator | Workshops without email |
| Access Code | Short code for quick access | In-person events, conferences |
| Anonymous | Token in URL, no identity | Public demos, open access |
## Configuration

### Enable Authentication Methods
```yaml
apiVersion: teabar.dev/v1
kind: Blueprint
metadata:
  name: my-workshop
spec:
  access:
    authentication:
      methods:
        - type: magic_link
          enabled: true
          expiry: 7d
        - type: sso
          enabled: true
          provider: okta
        - type: credentials
          enabled: true
        - type: access_code
          enabled: true
          codeLength: 6
          expiry: 24h
```

### Default Method
Set the default authentication method shown to participants:
```yaml
spec:
  access:
    authentication:
      default: magic_link
      methods:
        - type: magic_link
          enabled: true
        - type: credentials
          enabled: true
```

## Magic Links
Magic links are the simplest way to provide access. Participants receive an email with a one-click login link.
### How It Works
- Educator invites participant via email
- Participant receives email with unique link
- Clicking the link authenticates and redirects to environment
- The link stays valid until it expires; by default it can be used more than once, unless `maxUses` limits it
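The following is an added example, not Teabar's own code, that models the flow above and the three settings this section documents (`expiry`, `maxUses` and the resend `rateLimit`). The point it makes is that the token in the link must be unguessable, that only a hash of it should be stored (so a database leak does not hand out working links), and that redemption checks expiry and use count. The class and method names, the `/auth/magic?token=` path, and the choice to revoke the previous link on resend are assumptions, not documented Teabar behaviour.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Added example (not Teabar code): issue and redeem magic links while enforcing
# expiry, maxUses and the resend rate limit. All names here are hypothetical.


@dataclass
class Invite:
    email: str
    token_hash: str                 # sha256 of the token; the plaintext only ever lives in the email
    expires_at: int                 # unix seconds
    uses: int = 0
    sent_at: list = field(default_factory=list)   # send timestamps, for the resend limit


class MagicLinkStore:
    def __init__(self, expiry_s=7 * 86400, max_uses=None, resend_per_hour=5):
        self.expiry_s = expiry_s            # expiry: 7d
        self.max_uses = max_uses            # maxUses: unlimited == None
        self.resend_per_hour = resend_per_hour   # rateLimit: 5/hour
        self.invites = {}                   # token_hash -> Invite
        self.by_email = {}                  # email -> current Invite

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def invite(self, email: str, now: int, base_url="https://my-workshop.acme.teabar.dev") -> str:
        """Issue (or re-issue) a link for `email`; returns the URL to put in the mail."""
        sends = []
        prev = self.by_email.get(email)
        if prev is not None:
            sends = [t for t in prev.sent_at if now - t < 3600]
            if len(sends) >= self.resend_per_hour:
                raise PermissionError("resend rate limit exceeded")
            self.invites.pop(prev.token_hash, None)   # assumption: a resend revokes the old link
        token = secrets.token_urlsafe(32)             # 256 bits of randomness, not guessable
        inv = Invite(email, self._hash(token), now + self.expiry_s, sent_at=sends + [now])
        self.invites[inv.token_hash] = inv
        self.by_email[email] = inv
        return f"{base_url}/auth/magic?token={token}"   # path is an assumption

    def redeem(self, token: str, now: int) -> str:
        """Validate a clicked link and return the identity to start a session for."""
        inv = self.invites.get(self._hash(token))
        if inv is None:
            raise PermissionError("unknown or revoked link")
        if now >= inv.expires_at:
            raise PermissionError("link expired")
        if self.max_uses is not None and inv.uses >= self.max_uses:
            raise PermissionError("link already used")
        inv.uses += 1
        return inv.email


def try_redeem(store: MagicLinkStore, token: str, now: int) -> str:
    """The redeemed e-mail address, or the rejection reason."""
    try:
        return store.redeem(token, now)
    except PermissionError as e:
        return str(e)


def try_invite(store: MagicLinkStore, email: str, now: int) -> str:
    """The issued URL, or the rejection reason."""
    try:
        return store.invite(email, now)
    except PermissionError as e:
        return str(e)
```

Looking up the invite by the hash of the token means the lookup itself does the comparison, so no separate constant-time compare is needed; the expiry and use-count checks are deliberately ordered after the lookup so a rejected link leaks nothing about why.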
### Configuration
```yaml
spec:
  access:
    authentication:
      methods:
        - type: magic_link
          enabled: true
          expiry: 7d            # Link validity period
          maxUses: unlimited    # or a number
          rateLimit: 5/hour     # Resend rate limit
```

### Inviting Participants
```bash
# Invite single participant
teactl participant invite my-workshop --email alice@example.com

# Invite multiple participants
teactl participant invite my-workshop \
  --email alice@example.com \
  --email bob@example.com \
  --email carol@example.com

# Bulk invite from CSV
teactl participant invite my-workshop --emails participants.csv
```

CSV format:
```csv
email,name
alice@example.com,Alice Smith
bob@example.com,Bob Jones
carol@example.com,Carol Williams
```

### Resending Magic Links
```bash
# Resend to specific participant
teactl participant invite my-workshop --email alice@example.com --resend

# Resend to all pending participants
teactl participant invite my-workshop --resend-pending
```

### Magic Link Email
The email includes:
- Workshop/environment name
- Access link
- Expiration date
- Support contact (if configured)
## SSO (SAML/OIDC)
Integrate with your organization’s identity provider for seamless authentication.
### Supported Providers
| Provider | Protocol | Configuration |
|---|---|---|
| Okta | OIDC/SAML | App integration |
| Azure AD | OIDC/SAML | Enterprise app |
| Google Workspace | OIDC | OAuth consent |
| Auth0 | OIDC | Application |
| OneLogin | SAML | App connector |
| PingIdentity | OIDC/SAML | Application |
| Generic | OIDC/SAML | Manual config |
### OIDC Configuration
```yaml
spec:
  access:
    authentication:
      methods:
        - type: sso
          enabled: true
          protocol: oidc
          oidc:
            issuer: https://your-tenant.okta.com
            clientId: "{{ .Secrets.oidc_client_id }}"
            clientSecret: "{{ .Secrets.oidc_client_secret }}"
            scopes:
              - openid
              - profile
              - email
            # Optional: restrict to specific groups
            allowedGroups:
              - workshop-participants
              - training-team
```

### SAML Configuration
```yaml
spec:
  access:
    authentication:
      methods:
        - type: sso
          enabled: true
          protocol: saml
          saml:
            idpMetadataUrl: https://your-tenant.okta.com/app/.../sso/saml/metadata
            # Or provide metadata directly
            # idpMetadata: |
            #   <EntityDescriptor ...>
            # Attribute mapping
            attributes:
              email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
              name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              groups: http://schemas.xmlsoap.org/claims/Group
```

### Organization-Level SSO
Configure SSO at the organization level to use across all environments:
```bash
# Configure OIDC
teactl org sso set oidc \
  --issuer https://your-tenant.okta.com \
  --client-id <CLIENT_ID> \
  --client-secret <CLIENT_SECRET>

# Configure SAML
teactl org sso set saml \
  --metadata-url https://your-tenant.okta.com/app/.../sso/saml/metadata
```

Then reference in blueprints:
```yaml
spec:
  access:
    authentication:
      methods:
        - type: sso
          enabled: true
          provider: org-default   # Uses organization SSO config
```

### SSO User Flow
- Participant visits environment URL
- Redirected to identity provider login
- After successful login, redirected back to Teabar
- Teabar validates the ID token (OIDC) or assertion (SAML), applies any `allowedGroups` restriction, and creates a session
- Participant accesses their environment
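To make step 4 concrete for OIDC, here is an added example, not Teabar's implementation, of the checks a relying party has to perform on an ID token before it may create a session, including the `allowedGroups` restriction from the OIDC configuration above. Real identity providers sign ID tokens with RS256 and publish their keys at a JWKS endpoint; to run offline this example signs with HS256 and a shared demo key, which is a stand-in for signature verification only. The claim checks (issuer, audience, expiry, nonce, group membership) are the same whatever the algorithm. The `CLIENT_ID` value, the key, and the `groups` claim name are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Added example (not Teabar code): validating an OIDC ID token the way step 4 of
# the SSO flow describes, then applying allowedGroups. HS256 with a demo key stands
# in for the IdP's RS256/JWKS signature; the claim checks are what matter here.

ISSUER = "https://your-tenant.okta.com"            # issuer from the OIDC config
CLIENT_ID = "workshop-client"                      # assumed value of clientId
ALLOWED_GROUPS = {"workshop-participants", "training-team"}
DEMO_KEY = b"demo-idp-signing-key"                 # assumption: stand-in for the IdP key


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Plays the IdP: header.payload.signature, HS256 for the demo."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


def validate_id_token(token: str, expected_nonce: str, now: int, key: bytes = DEMO_KEY) -> dict:
    """Return the identity a session may be created for, or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    # Pin the algorithm; never let the token choose it (alg=none / key-confusion attacks).
    if json.loads(_unb64url(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    # The nonce ties the token to the login request this browser started (replay defence).
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    groups = set(claims.get("groups", []))
    if ALLOWED_GROUPS and not (groups & ALLOWED_GROUPS):
        raise ValueError("not a member of an allowed group")
    return {"sub": claims.get("sub"), "email": claims.get("email"),
            "groups": sorted(groups & ALLOWED_GROUPS)}


def verdict(token: str, nonce: str, now: int) -> str:
    """'ok' or the rejection reason, for logging and for the checks below."""
    try:
        validate_id_token(token, nonce, now)
        return "ok"
    except ValueError as e:
        return str(e)
```

The order matters: the signature is checked before any claim is read, so an attacker-controlled payload never influences the issuer or audience comparison, and the group check comes last so that a token that is valid but out of scope is logged as such rather than as a forgery.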
## Credentials
Create username/password credentials for participants who can’t receive email.
### Configuration
```yaml
spec:
  access:
    authentication:
      methods:
        - type: credentials
          enabled: true
          credentials:
            # Password policy
            minLength: 8
            requireNumbers: true
            requireSpecial: false
            # Allow password change
            allowChange: true
```

### Creating Participants with Credentials
```bash
# Create with generated password
teactl participant create my-workshop --name p1 --generate-password

# Create with specific password (a literal password on the command line ends up in shell history)
teactl participant create my-workshop --name p1 --password "SecurePass123"

# Bulk create
teactl participant create my-workshop --count 25 --prefix student --generate-password
```

Output:
```
Created 25 participants:

NAME        PASSWORD
student-01  xK9#mP2$qR
student-02  aB5*nL8@wY
student-03  cD7&jH4!vZ
...

Credentials saved to: participants-credentials.csv
```

### Password Reset
```bash
# Reset password for a participant
teactl participant reset-password my-workshop --name p1 --generate-password
```

## Access Codes
Short codes for quick access at in-person events.
### Configuration
```yaml
spec:
  access:
    authentication:
      methods:
        - type: access_code
          enabled: true
          accessCode:
            length: 6              # Code length
            expiry: 24h            # Code validity
            singleUse: false       # Can be reused
            caseInsensitive: true  # ABC123 = abc123
```

### Generating Access Codes
```bash
# Generate codes
teactl participant codes my-workshop --count 50

# Output to file
teactl participant codes my-workshop --count 50 --output codes.csv

# Generate codes with QR
teactl participant codes my-workshop --count 50 --qr --output codes-with-qr.pdf
```

Output:
```
Generated 50 access codes:

CODE    URL                                               EXPIRES
ABC123  https://my-workshop.acme.teabar.dev?code=ABC123   2024-03-15 18:00
DEF456  https://my-workshop.acme.teabar.dev?code=DEF456   2024-03-15 18:00
GHI789  https://my-workshop.acme.teabar.dev?code=GHI789   2024-03-15 18:00
...

Codes saved to: access-codes.csv
```

### Using Access Codes
Participants can:
- Visit the environment URL and enter their code
- Use the direct URL with code: `https://env.org.teabar.dev?code=ABC123`
- Scan QR code (if generated)
### Printable Code Cards
Generate printable cards for distribution:
```bash
teactl participant codes my-workshop --count 50 \
  --format cards \
  --output access-cards.pdf \
  --template workshop-card
```

## Anonymous Access
For public demos or open access environments.
### Configuration
```yaml
spec:
  access:
    authentication:
      methods:
        - type: anonymous
          enabled: true
          anonymous:
            # Rate limit per IP
            rateLimit: 10/hour
            # Session duration
            sessionDuration: 2h
            # Require captcha
            captcha: true
```

> **Warning:** Anonymous participants are identified only by the token in the URL. Anyone who obtains the link gets in, and their actions cannot be attributed to a person, so keep the captcha and the per-IP rate limit enabled and keep `sessionDuration` short.
### Anonymous Access URL

```
https://my-workshop.acme.teabar.dev/anonymous
```

## Session Management
### Session Configuration
```yaml
spec:
  access:
    authentication:
      session:
        # Session duration
        duration: 8h
        # Extend on activity
        extendOnActivity: true
        # Maximum session duration
        maxDuration: 24h
        # Concurrent sessions
        allowConcurrent: true
        maxConcurrent: 3
```

### Session Tokens
Sessions are managed via secure cookies and tokens:
| Token Type | Purpose | Storage |
|---|---|---|
| Session Cookie | Browser session | HTTP-only cookie |
| Access Token | API access | Memory/secure storage |
| Refresh Token | Token renewal | HTTP-only cookie |
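As an added illustration, not Teabar's implementation, the model below shows one consistent reading of how the session settings above interact: `duration` is the lifetime granted at login and renewed on activity, `extendOnActivity` turns that renewal on, `maxDuration` caps the total lifetime from the original login no matter how active the user is, and `allowConcurrent`/`maxConcurrent` bound the number of live sessions per participant. The page does not say what happens when a participant exceeds `maxConcurrent`; this example evicts the least recently used session rather than refusing the login, and that choice, like all the names, is an assumption.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Added example (not Teabar code): sliding session expiry with a hard cap, plus a
# per-participant concurrency limit. Names and policy details are assumptions.


@dataclass
class Session:
    sid: str
    participant: str
    started_at: int        # unix seconds at login
    expires_at: int
    last_activity: int


@dataclass
class SessionPolicy:
    duration_s: int = 8 * 3600          # duration: 8h
    extend_on_activity: bool = True     # extendOnActivity: true
    max_duration_s: int = 24 * 3600     # maxDuration: 24h
    allow_concurrent: bool = True       # allowConcurrent: true
    max_concurrent: int = 3             # maxConcurrent: 3


class SessionManager:
    def __init__(self, policy: SessionPolicy):
        self.policy = policy
        self.sessions = {}              # sid -> Session

    def active_for(self, participant: str, now: int) -> list:
        live = [s for s in self.sessions.values()
                if s.participant == participant and s.expires_at > now]
        return sorted(live, key=lambda s: s.last_activity)   # least recently used first

    def login(self, participant: str, now: int) -> Session:
        active = self.active_for(participant, now)
        limit = self.policy.max_concurrent if self.policy.allow_concurrent else 1
        while len(active) >= limit:          # assumption: evict LRU instead of refusing
            victim = active.pop(0)
            del self.sessions[victim.sid]
        s = Session(secrets.token_urlsafe(24), participant, now, now + self.policy.duration_s, now)
        self.sessions[s.sid] = s
        return s

    def touch(self, sid: str, now: int) -> bool:
        """Call on every request; False means the session is gone and the user must log in again."""
        s = self.sessions.get(sid)
        if s is None or now >= s.expires_at:
            self.sessions.pop(sid, None)
            return False
        s.last_activity = now
        if self.policy.extend_on_activity:
            # Sliding window, but never past maxDuration measured from the original login.
            s.expires_at = min(now + self.policy.duration_s, s.started_at + self.policy.max_duration_s)
        return True

    def terminate(self, participant: Optional[str] = None) -> int:
        """Mirror of `teactl participant session terminate ... --all`; returns how many were ended."""
        victims = [sid for sid, s in self.sessions.items()
                   if participant is None or s.participant == participant]
        for sid in victims:
            del self.sessions[sid]
        return len(victims)
```

With the page's defaults a participant who is continuously active is still logged out 24 hours after login, and one who goes idle for 8 hours is logged out earlier; without `extendOnActivity` the session simply ends 8 hours after login.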
### Viewing Active Sessions
```bash
teactl participant sessions my-workshop
```

Output:
```
PARTICIPANT  AUTH METHOD  STARTED         LAST ACTIVITY   IP ADDRESS
p1           magic_link   2 hours ago     5 minutes ago   192.168.1.100
p2           sso          1 hour ago      10 minutes ago  10.0.0.50
p3           access_code  30 minutes ago  2 minutes ago   172.16.0.25
```

### Terminating Sessions
```bash
# Terminate specific session
teactl participant session terminate my-workshop --participant p1 --session <id>

# Terminate all sessions for participant
teactl participant session terminate my-workshop --participant p1 --all

# Force re-authentication for all
teactl participant session terminate my-workshop --all
```

## Multi-Factor Authentication
### Enable MFA
```yaml
spec:
  access:
    authentication:
      mfa:
        enabled: true
        methods:
          - totp    # Authenticator app
          - email   # Email code
        # When to require MFA
        required: always   # always | first_login | never
```

### MFA with SSO
When using SSO, MFA is typically handled by the identity provider:
```yaml
spec:
  access:
    authentication:
      methods:
        - type: sso
          enabled: true
      # Let IdP handle MFA
      mfa:
        delegateToIdp: true
```

## IP Restrictions
Restrict access by IP address or CIDR range. A request is admitted only when its source address matches an entry in the allow list; the block list takes precedence, so an address that matches both lists is rejected.
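To check how a rule set will behave before deploying it, here is an added example, not Teabar's code, that evaluates a client address against an `ipRestrictions` mapping in the shape of the configuration below, with the block list winning as the comments there state. The sample configuration mirrors the page's values; the treatment of an empty allow list as "no allow-list restriction" and the rejection of unparsable addresses are assumptions. Whatever evaluates such rules must take the client address from the TCP connection or from a header set by a proxy you trust, never from a client-supplied `X-Forwarded-For`.

```python
import ipaddress

# Added example (not Teabar code): evaluate allowedIps / blockedIps for one client
# address. The config dict mirrors the YAML on this page; semantics for edge cases
# are assumptions.

CONFIG = {
    "enabled": True,
    "allowedIps": ["192.168.1.0/24", "10.0.0.0/8", "203.0.113.50"],
    "blockedIps": ["192.168.1.100"],
}


def _networks(entries):
    # A bare address becomes a /32 (or /128) host network, so one matcher handles both.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def check_ip(client_ip: str, cfg: dict) -> str:
    """Return 'allow' or a 'reject: ...' reason for the given ipRestrictions mapping."""
    if not cfg.get("enabled", False):
        return "allow"
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return "reject: unparsable address"           # fail closed on garbage input
    for net in _networks(cfg.get("blockedIps", [])):  # block list is checked first
        if addr in net:
            return f"reject: blocked by {net}"
    allowed = _networks(cfg.get("allowedIps", []))
    if not allowed:
        return "allow"                                # assumption: no allow list == no restriction
    if any(addr in net for net in allowed):           # v4 vs v6 mismatches never match
        return "allow"
    return "reject: not in allow list"
```

Note that an IPv6 client never matches an IPv4-only allow list, so an environment reachable over both address families needs entries for both or it will lock out IPv6 users.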
```yaml
spec:
  access:
    authentication:
      ipRestrictions:
        enabled: true
        # Allow list
        allowedIps:
          - 192.168.1.0/24   # Office network
          - 10.0.0.0/8       # VPN
          - 203.0.113.50     # Specific IP
        # Block list (takes precedence)
        blockedIps:
          - 192.168.1.100    # Block specific device
```

## Audit Logging
All authentication events are logged and can be listed per environment with `teactl participant audit`.
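Because the audit output is line-oriented, it is easy to feed into a detection. The following added example, which is not part of Teabar, parses lines in the format `teactl participant audit` prints and flags the pattern a workshop operator most wants to catch: repeated `login_failed` events from one address (someone guessing access codes or passwords) followed by a `login_success` from that same address. The sample lines are constructed for this example and the threshold and window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (not Teabar code): a small detection over audit lines in the
# format printed by `teactl participant audit`. Sample data is constructed.

SAMPLE_AUDIT = """\
2024-03-14 10:00:00  p1       login_success     192.168.1.100  magic_link
2024-03-14 10:05:00  p2       login_success     10.0.0.50      sso (okta)
2024-03-14 10:10:00  unknown  login_failed      172.16.0.99    invalid_code
2024-03-14 10:10:07  unknown  login_failed      172.16.0.99    invalid_code
2024-03-14 10:10:15  unknown  login_failed      172.16.0.99    invalid_code
2024-03-14 10:10:21  unknown  login_failed      172.16.0.99    invalid_code
2024-03-14 10:10:30  unknown  login_failed      172.16.0.99    invalid_code
2024-03-14 10:11:02  p7       login_success     172.16.0.99    access_code
2024-03-14 10:15:00  p1       session_extended  192.168.1.100  activity
"""


def parse_audit(text: str) -> list:
    """Split 'TIMESTAMP PARTICIPANT EVENT IP ADDRESS DETAILS' rows into dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split(None, 5)          # date, time, participant, event, ip, details
        if len(parts) < 5 or parts[0] == "TIMESTAMP":
            continue                         # skip blank lines and the header row
        events.append({
            "ts": datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S"),
            "participant": parts[2],
            "event": parts[3],
            "ip": parts[4],
            "details": parts[5] if len(parts) > 5 else "",
        })
    return events


def detect_code_guessing(events: list, threshold: int = 5, window=timedelta(minutes=10)) -> list:
    """Alert on >= threshold login_failed from one IP within `window`, and on any
    later login_success from an IP already flagged while failures are still in the window."""
    failures = defaultdict(deque)            # ip -> timestamps of recent login_failed
    flagged, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()                      # drop failures that fell out of the window
        if ev["event"] == "login_failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"rule": "brute_force", "ip": ev["ip"],
                               "at": ev["ts"], "participant": None})
        elif ev["event"] == "login_success" and ev["ip"] in flagged and q:
            alerts.append({"rule": "success_after_failures", "ip": ev["ip"],
                           "at": ev["ts"], "participant": ev["participant"]})
    return alerts
```

The second rule is the one worth paging on: a burst of `invalid_code` failures followed by a success from the same address is exactly what a guessed short access code looks like, and the `participant` field in that alert tells you whose session to terminate.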
```bash
teactl participant audit my-workshop
```

Output:
```
TIMESTAMP            PARTICIPANT  EVENT             IP ADDRESS     DETAILS
2024-03-14 10:00:00  p1           login_success     192.168.1.100  magic_link
2024-03-14 10:05:00  p2           login_success     10.0.0.50      sso (okta)
2024-03-14 10:10:00  unknown      login_failed      172.16.0.99    invalid_code
2024-03-14 10:15:00  p1           session_extended  192.168.1.100  activity
```

## CLI Commands
### Authentication Management
```bash
# List authentication methods for environment
teactl env get my-workshop --show-auth

# Enable/disable methods
teactl env auth enable my-workshop --method magic_link
teactl env auth disable my-workshop --method anonymous

# Configure SSO
teactl env auth sso my-workshop \
  --protocol oidc \
  --issuer https://your-tenant.okta.com \
  --client-id <ID> \
  --client-secret <SECRET>
```