Authentication

Teabar uses OIDC (OpenID Connect) for all user authentication. Teabar has no username/password authentication of its own: every user authenticates through Keycloak or a compatible OIDC provider, and Teabar only consumes the tokens that provider issues.

Interactive Login

For CLI usage, Teabar uses the OAuth 2.0 Device Authorization Grant (RFC 8628): the CLI displays a short user code, you approve it in a browser session with your identity provider, and the CLI receives its tokens without ever handling your password:

teactl auth login

This displays a code and URL:

Opening browser to authenticate...

If browser doesn't open, visit:
  https://auth.bcp.technology/realms/teabar/device

Enter code: ABCD-1234

Waiting for authentication... ⠋

After authenticating in your browser:

✓ Logged in as [email protected]
✓ Organization: my-org
✓ Token expires: 2026-02-17 10:30:00

Credentials saved to system keychain.
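The exchange behind teactl auth login, as an added example that is not teactl's own code: a Device Authorization Grant client in Python against Keycloak's standard device and token endpoints under the realm URL shown above, using the "teabar-cli" client ID from the Helm values later on this page. The HTTP transport is injectable, so the block runs offline against a constructed fake server that answers authorization_pending twice and slow_down once before approving; the polling loop handles those plus the access_denied and expired_token outcomes the way RFC 8628 specifies.

```python
"""Device Authorization Grant (RFC 8628) client, the flow behind `teactl auth login`.

Added example, not teactl's own code. Endpoint paths are Keycloak's standard
ones under the realm URL from this page; "teabar-cli" is the public CLI client
from the Helm values on this page (a public client has no secret to present).
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

ISSUER = "https://auth.bcp.technology/realms/teabar"
CLIENT_ID = "teabar-cli"
DEVICE_ENDPOINT = f"{ISSUER}/protocol/openid-connect/auth/device"
TOKEN_ENDPOINT = f"{ISSUER}/protocol/openid-connect/token"
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def http_post(url, form):
    """Real transport: form-encoded POST, returns (status, JSON body) even on 4xx."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read().decode())


def start_device_flow(post=http_post):
    """Ask the IdP for a device_code/user_code pair. Only user_code and the URI are
    shown to the user; device_code is the credential being authorized and must never
    be displayed or logged."""
    status, body = post(DEVICE_ENDPOINT, {"client_id": CLIENT_ID, "scope": "openid email"})
    if status != 200:
        raise RuntimeError(f"device authorization request failed: {body.get('error')}")
    return body


def poll_for_token(device, post=http_post, sleep=time.sleep, clock=time.monotonic):
    """Poll the token endpoint until approval, honouring interval, slow_down and expiry."""
    interval = device.get("interval", 5)           # RFC 8628 default when absent
    deadline = clock() + device["expires_in"]
    while clock() < deadline:
        sleep(interval)
        status, body = post(TOKEN_ENDPOINT, {
            "grant_type": DEVICE_GRANT,
            "device_code": device["device_code"],
            "client_id": CLIENT_ID,
        })
        if status == 200:
            return body                             # access_token, refresh_token, expires_in
        error = body.get("error")
        if error == "authorization_pending":
            continue                                # user has not approved yet, keep polling
        if error == "slow_down":
            interval += 5                           # RFC 8628 section 3.5: back off by 5 seconds
            continue
        if error in ("access_denied", "expired_token"):
            raise PermissionError(f"login failed: {error}")
        raise RuntimeError(f"unexpected token response: {body}")
    raise TimeoutError("device code expired before the user approved it")


class FakeAuthServer:
    """Constructed stand-in for Keycloak so the flow can run offline:
    pending twice, slow_down once, then approved."""

    def __init__(self):
        self.polls = 0

    def post(self, url, form):
        if url == DEVICE_ENDPOINT:
            return 200, {
                "device_code": "constructed-device-code",
                "user_code": "ABCD-1234",
                "verification_uri": f"{ISSUER}/device",
                "verification_uri_complete": f"{ISSUER}/device?user_code=ABCD-1234",
                "expires_in": 600,
                "interval": 5,
            }
        assert form["grant_type"] == DEVICE_GRANT and form["device_code"] == "constructed-device-code"
        self.polls += 1
        if self.polls <= 2:
            return 400, {"error": "authorization_pending"}
        if self.polls == 3:
            return 400, {"error": "slow_down"}
        return 200, {"access_token": "constructed.access.token", "refresh_token": "constructed-rt",
                     "token_type": "Bearer", "expires_in": 300}


def demo():
    """Run the full flow against the fake server; returns (token response, polls, sleeps)."""
    server = FakeAuthServer()
    sleeps = []                                     # record requested waits instead of sleeping
    device = start_device_flow(post=server.post)
    print(f"Visit {device['verification_uri']} and enter code: {device['user_code']}")
    token = poll_for_token(device, post=server.post, sleep=sleeps.append)
    print(f"Logged in; access token valid for {token['expires_in']}s")
    return token, server.polls, sleeps


if __name__ == "__main__":
    demo()
```

Against a real realm, drop the post= arguments and the default urllib transport is used. The slow_down branch is the one clients most often get wrong: it must increase the interval permanently, not just skip one poll.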

Multiple Accounts

Switch between accounts using contexts:

# Login to a different account
teactl auth login --context work

# Switch contexts
teactl config use-context work

CI/CD Authentication

For CI/CD pipelines and automation, do not reuse a person's device-flow login. Create a Keycloak client with a service account and obtain a short-lived access token with the OAuth 2.0 client credentials grant:

Using Service Account Tokens

  1. Create a confidential client in Keycloak with service accounts enabled, and grant its service account only the roles the pipeline needs
  2. Obtain an access token from the realm's token endpoint using the client credentials flow (client ID plus client secret)
  3. Set the TEABAR_TOKEN environment variable:

export TEABAR_TOKEN="<keycloak-access-token>"
export TEABAR_ORGANIZATION="my-org"

teactl env create -f blueprint.yaml --name ci-test
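The three steps above carried through as an added example (not teactl's or Teabar's own code): a small Python script a pipeline can call as export TEABAR_TOKEN=$(python ci_token.py). It assumes a confidential Keycloak client named "teabar-ci" with service accounts enabled (assumed name), the realm URL from this page, and the client secret delivered by the CI secret store in TEABAR_CI_CLIENT_SECRET (assumed variable name). Before handing the token to teactl it reads the issuer, azp and exp claims and fails the job early if the token is for the wrong realm or client or is about to expire; the offline demo exercises those checks on a constructed token shaped like a Keycloak access token.

```python
"""Fetch a CI access token with the client credentials grant and sanity-check it.

Added example, not teactl's own code. Assumes a confidential Keycloak client
"teabar-ci" (assumed name) with service accounts enabled, the realm URL from
this page, and the client secret in TEABAR_CI_CLIENT_SECRET (assumed name).
Only the token is written to stdout, so `export TEABAR_TOKEN=$(python ci_token.py)`
works without the secret ever appearing in the job log.
"""
import base64
import json
import os
import sys
import time
import urllib.parse
import urllib.request

ISSUER = "https://auth.bcp.technology/realms/teabar"
TOKEN_ENDPOINT = f"{ISSUER}/protocol/openid-connect/token"
CLIENT_ID = "teabar-ci"


def parse_token_response(body_text):
    """Return the access token or raise with the IdP's error description."""
    body = json.loads(body_text)
    if "access_token" not in body:
        raise RuntimeError(f"token endpoint error: {body.get('error')}: {body.get('error_description')}")
    return body["access_token"]


def fetch_token(client_id, client_secret):
    """Client credentials grant: no user, no browser, returns the raw access token."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(TOKEN_ENDPOINT, data=form, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read().decode())


def b64url_decode(segment):
    """JWT segments drop base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Read the payload without verifying the signature. Acceptable here only because
    the token came over TLS straight from the issuer and Teabar verifies it on use;
    never make an authorization decision on unverified claims."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def preflight(token, client_id, now=None, min_lifetime=120):
    """Fail fast if the token is for the wrong realm or client, or too close to expiry
    for the job to finish. Returns the seconds of lifetime remaining."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    if claims.get("iss") != ISSUER:
        raise ValueError(f"issuer mismatch: {claims.get('iss')}")
    if claims.get("azp") != client_id:            # azp = the client the token was issued to
        raise ValueError(f"token issued to {claims.get('azp')}, expected {client_id}")
    remaining = claims["exp"] - now
    if remaining < min_lifetime:
        raise ValueError(f"token expires in {remaining:.0f}s; fetch a fresh one per job")
    return remaining


def constructed_token(claims):
    """Unsigned JWT-shaped string for offline demonstration; signature segment left empty."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}."


def demo(now=1_700_000_000):
    """Offline run of preflight on a constructed token shaped like a Keycloak access token."""
    token = constructed_token({
        "iss": ISSUER, "azp": CLIENT_ID, "sub": "service-account-teabar-ci",
        "iat": now, "exp": now + 300, "typ": "Bearer",
    })
    return preflight(token, CLIENT_ID, now=now)


if __name__ == "__main__":
    secret = os.environ.get("TEABAR_CI_CLIENT_SECRET")
    if not secret:
        sys.exit("TEABAR_CI_CLIENT_SECRET is not set")
    access_token = fetch_token(CLIENT_ID, secret)
    preflight(access_token, CLIENT_ID)
    print(access_token)                            # the only thing on stdout, captured by $(...)
```

Store the client secret, not an access token, as the pipeline secret: Keycloak access tokens live for minutes by default, so a token pasted into CI settings would expire before the next run, while the secret lets each job mint its own.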

SSO via Keycloak

Teabar delegates all authentication to Keycloak, which can broker to external identity providers.

Supported Identity Providers

Keycloak can broker authentication to:

  • GitHub / GitHub Enterprise
  • GitLab / GitLab Self-Hosted
  • Google Workspace
  • Azure AD / Entra ID
  • Okta
  • Any SAML 2.0 IdP
  • LDAP / Active Directory

Configuring Identity Providers

Identity providers are configured in the Keycloak Admin Console:

  1. Log in to the Keycloak Admin Console
  2. Navigate to Identity Providers
  3. Add your identity provider (e.g., GitHub)
  4. Configure the client ID and secret issued by that provider
  5. Users can now log in via that provider

Self-Hosted OIDC

For self-hosted Teabar deployments, you can use any OIDC-compliant provider:

Supported Providers

Provider               Notes
Keycloak               Recommended, full support
Azure AD / Entra ID    Enterprise deployments
Okta                   Enterprise IdP
Auth0                  Developer-friendly
Authentik              Open source alternative
Zitadel                Cloud-native, open source

Configuration

# Helm values.yaml
auth:
  oidc:
    issuerURL: "https://your-idp.example.com/realms/teabar"
    webClientID: "teabar-web"
    webClientSecret: "${OIDC_CLIENT_SECRET}"
    cliClientID: "teabar-cli"

webClientSecret is shown as a placeholder: supply the value from your secret store at deploy time rather than committing it to values.yaml. cliClientID has no matching secret because a CLI binary distributed to users cannot keep one; the CLI is registered as a public client and relies on the device flow described above.

Team Access Control

Roles

Role      Permissions
Viewer    View environments and blueprints
Member    Create and manage own environments
Admin     Manage all environments and team settings
Owner     Full access including billing

Inviting Team Members

teactl org invite [email protected] --role member

Or in the dashboard.

Role Mapping from Keycloak

Roles can be automatically assigned based on Keycloak groups:

# Configured in Keycloak via group mappers
# Users in "teabar-admins" group → Admin role
# Users in "teabar-members" group → Member role
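The group-to-role mapping sketched above, worked through as an added example that is not Teabar's own code. It assumes a Keycloak Group Membership protocol mapper that puts the user's group paths in a groups claim (the claim name is an assumption); "teabar-admins" and "teabar-members" come from this page, while the owner and viewer group names are assumptions. It matches on the full group path so a look-alike group created elsewhere in the tree does not grant admin, gives a user in several groups the strongest role, and denies rather than defaulting to viewer when no mapped group is present.

```python
"""Resolve a Teabar role from the groups Keycloak places in the token.

Added example, not Teabar's own code. Assumes a Keycloak "Group Membership"
protocol mapper emitting group paths in a `groups` claim (claim name assumed).
"teabar-admins" -> admin and "teabar-members" -> member are from this page;
the owner and viewer group names are assumptions.
"""

# Highest precedence first: a user in several groups gets the strongest role.
# Matches are on the full group path, so "/contractors/teabar-admins" (a group
# someone could create elsewhere in the tree) does not grant admin.
GROUP_ROLES = [
    ("/teabar-owners", "owner"),      # assumed group name
    ("/teabar-admins", "admin"),
    ("/teabar-members", "member"),
    ("/teabar-viewers", "viewer"),    # assumed group name
]
ROLE_RANK = {"owner": 3, "admin": 2, "member": 1, "viewer": 0}


def normalize_group(path):
    """Keycloak emits "/teabar-admins" with the 'Full group path' option on and
    "teabar-admins" with it off; accept both but keep any nesting intact."""
    return "/" + path.strip().lstrip("/")


def resolve_role(claims, default=None):
    """Return the highest-ranked role the user's groups grant, or `default` when
    no mapped group is present. Leaving default=None denies access instead of
    silently falling back to viewer."""
    groups = claims.get("groups", [])
    if isinstance(groups, str):                # a single-valued mapper emits a bare string
        groups = [groups]
    memberships = {normalize_group(g) for g in groups}
    granted = [role for path, role in GROUP_ROLES if path in memberships]
    if not granted:
        return default
    return max(granted, key=ROLE_RANK.__getitem__)


def demo():
    """Constructed token payloads covering the cases the mapping has to get right."""
    cases = {
        "admin_and_member": {"groups": ["/teabar-members", "/teabar-admins"]},
        "no_leading_slash": {"groups": "teabar-members"},
        "nested_lookalike": {"groups": ["/contractors/teabar-admins"]},
        "no_groups_claim": {"sub": "u1"},
    }
    return {name: resolve_role(claims) for name, claims in cases.items()}


if __name__ == "__main__":
    for name, role in demo().items():
        print(f"{name}: {role}")
```

If your realm nests the Teabar groups under a parent (for example /teabar/admins), put the full nested path in GROUP_ROLES rather than loosening the match to a suffix.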

Session Management

View Active Sessions

In the web console: Settings → Security

Or via CLI:

teactl auth status

Check Current User

teactl auth whoami

Output:

User: [email protected]
Provider: github (via Keycloak)
Organization: my-org
Role: admin
Token expires: 2026-02-17 10:30:00

Logout

# Clear local credentials
teactl auth logout

# Clear all stored sessions
teactl auth logout --all

Security Best Practices

Troubleshooting

“Token expired”

Re-authenticate:

teactl auth login

Access tokens are refreshed automatically using the stored refresh token, but once the refresh token itself has expired you will need to log in again.

“Permission denied”

Check your role:

teactl auth whoami

“Organization not found”

Verify you’re using the correct context:

teactl config current-context
teactl config view

“OIDC provider unreachable”

Check connectivity to Keycloak:

teactl auth test