# Authentication

Bunker uses OpenID Connect (OIDC) for user authentication.
## Overview

Authentication is centralized via a dedicated OIDC server that manages:

- User identification
- Session management
- Access token delivery
## Architecture

### Authentication Flow

#### 1. Login

- User accesses the Console
- Console redirects to the OIDC server
- User enters credentials
- OIDC server issues a token
- Console stores the token for subsequent requests

#### 2. Token Usage

Each request to the Control Plane includes the token in the `Authorization` header:

```http
Authorization: Bearer eyJhbGciOiJSUzI1NiIs...
```

#### 3. Renewal

Tokens have a limited lifespan. The Console renews them automatically using the refresh token.
## Technologies

| Component | Technology |
|---|---|
| Protocol | OpenID Connect |
| Server | oidc-provider (Node.js) |
| Client | oidc-client-ts |
## Tokens

| Type | Duration | Usage |
|---|---|---|
| Access Token | 1 hour | API Authentication |
| Refresh Token | 7 days | Renewal |
| ID Token | 1 hour | User information |
## Security

### Implemented Best Practices

- PKCE: protects the authorization code against interception
- Token rotation: tokens are renewed automatically
- HTTPS required: all communication is encrypted

### Token Storage

Tokens are stored securely in the browser:

- No localStorage storage (readable by any script on the page, so exposed to XSS)
- Use of HttpOnly cookies when possible
- Automatic cleanup on logout
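The login, token usage and renewal steps of the Authentication Flow above, together with the PKCE and token rotation practices, as an added example in Python. This is not Bunker's code: inside the Console, oidc-client-ts performs these steps, and this block only makes them readable and testable. The token endpoint is the one documented on this page; the authorize endpoint, the `client_id`, the redirect URI and the injected `post` transport (so the example runs offline) are assumptions.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# The token endpoint is the one documented on this page; the authorize
# endpoint, client_id and redirect URI are assumed values for the example.
TOKEN_URL = "https://auth.getbunker.net/token"
AUTHORIZE_URL = "https://auth.getbunker.net/auth"
RENEW_SKEW = 60  # seconds before expiry at which the client renews


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 URL-safe characters
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def pkce_matches(verifier: str, challenge: str) -> bool:
    """The check the OIDC server makes at the token endpoint: an intercepted
    authorization code is useless without the verifier behind the challenge."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


class ConsoleAuth:
    """Stand-in for what oidc-client-ts does inside the Console.

    `post(url, form) -> dict` is injected so the example runs offline; the
    real client sends these forms to the OIDC server over HTTPS.
    """

    def __init__(self, client_id, redirect_uri, post, now=time.time):
        self.client_id, self.redirect_uri = client_id, redirect_uri
        self.post, self.now = post, now
        self.state = self.verifier = self.challenge = None
        self.tokens = None  # access_token, refresh_token, expires_at

    # Step 1: the Console redirects the user to the OIDC server.
    def login_url(self) -> str:
        self.state = b64url(secrets.token_bytes(16))  # binds callback to this login
        self.verifier, self.challenge = make_pkce_pair()
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": "openid profile",
            "state": self.state,
            "code_challenge": self.challenge,
            "code_challenge_method": "S256",
        }
        return f"{AUTHORIZE_URL}?{urlencode(params)}"

    # Step 1, continued: the server redirects back with ?code=...&state=...
    def handle_callback(self, callback_url: str) -> None:
        query = parse_qs(urlparse(callback_url).query)
        if self.state is None or query.get("state", [None])[0] != self.state:
            raise ValueError("state mismatch: callback is not from this login")
        self.state = None  # single use
        resp = self.post(TOKEN_URL, {
            "grant_type": "authorization_code",
            "code": query["code"][0],
            "redirect_uri": self.redirect_uri,
            "client_id": self.client_id,
            "code_verifier": self.verifier,  # proves we started this login
        })
        self.verifier = None
        self._store(resp)

    # Step 2: every Control Plane request carries the bearer token.
    def auth_header(self) -> dict:
        if self.tokens is None:
            raise RuntimeError("not logged in")
        if self.now() + RENEW_SKEW >= self.tokens["expires_at"]:
            self.renew()  # Step 3: renew before the 1-hour access token lapses
        return {"Authorization": f"Bearer {self.tokens['access_token']}"}

    def renew(self) -> None:
        resp = self.post(TOKEN_URL, {
            "grant_type": "refresh_token",
            "refresh_token": self.tokens["refresh_token"],
            "client_id": self.client_id,
        })
        self._store(resp)

    def logout(self) -> None:
        self.tokens = None  # cleanup on logout

    def _store(self, resp: dict) -> None:
        previous = self.tokens["refresh_token"] if self.tokens else None
        self.tokens = {
            "access_token": resp["access_token"],
            # rotation: the server may hand out a new refresh token on renewal
            "refresh_token": resp.get("refresh_token", previous),
            "expires_at": self.now() + int(resp.get("expires_in", 3600)),
        }
```

Two details matter for defenders: the `state` value is compared before anything else, so a callback that was not started by this client is rejected before a token request is made, and the verifier is sent only once and then discarded. The Control Plane still has to validate the signature and expiry of every bearer token it receives; nothing on the client side replaces that check.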
## API Integration

To use the API programmatically, obtain a token with the client credentials flow:

```bash
# Get a token (client credentials flow)
curl -X POST https://auth.getbunker.net/token \
  -d "grant_type=client_credentials" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET"
```

Then use the token:

```bash
curl -H "Authorization: Bearer $TOKEN" \
  https://api.getbunker.net/v1/instances
```
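The two curl calls above, wrapped in a small Python client as an added example (not Bunker's own client library). It caches the access token, fetches a new one shortly before the 1-hour expiry from the Tokens table, and retries once on a 401, which is what a revoked token looks like to the caller. The token and API endpoints are the ones shown on this page; the `client_id`, `client_secret`, the `instances` response shape and the injected `post_form`/`get_json` transport functions (so the block runs offline) are assumptions.

```python
import time

TOKEN_URL = "https://auth.getbunker.net/token"  # from this page
API_BASE = "https://api.getbunker.net/v1"        # from this page
RENEW_SKEW = 60  # seconds before expiry at which a fresh token is fetched


class TokenError(RuntimeError):
    """Raised when the OIDC server rejects the client credentials."""


class BunkerApiClient:
    """Caches one access token per client and renews it before expiry.

    post_form(url, form) -> (status, json) and get_json(url, headers) ->
    (status, json) are injected so the example runs offline; a real client
    would use requests/httpx and talk to both hosts over HTTPS only.
    """

    def __init__(self, client_id, client_secret, post_form, get_json, now=time.time):
        self._client_id = client_id
        self._client_secret = client_secret
        self._post_form = post_form
        self._get_json = get_json
        self._now = now
        self._token = None
        self._expires_at = 0.0
        self.token_requests = 0  # observable counter for tests and monitoring

    def access_token(self) -> str:
        """Return the cached token, or fetch one with grant_type=client_credentials."""
        if self._token is None or self._now() + RENEW_SKEW >= self._expires_at:
            status, body = self._post_form(TOKEN_URL, {
                "grant_type": "client_credentials",
                "client_id": self._client_id,
                "client_secret": self._client_secret,
            })
            self.token_requests += 1
            # Report the status and OAuth error code only: never echo the
            # secret or the raw response into logs or exceptions.
            if status != 200 or "access_token" not in body:
                raise TokenError(f"token endpoint returned {status}: "
                                 f"{body.get('error', 'no access_token')}")
            if body.get("token_type", "Bearer").lower() != "bearer":
                raise TokenError("unexpected token_type")
            self._token = body["access_token"]
            self._expires_at = self._now() + int(body.get("expires_in", 3600))
        return self._token

    def invalidate(self) -> None:
        """Drop the cached token, e.g. after the API rejected it."""
        self._token = None

    def list_instances(self) -> list:
        """GET /v1/instances with a Bearer token.

        A 401 before the token's expected expiry means it was revoked; retry
        exactly once with a fresh token rather than looping.
        """
        for attempt in range(2):
            headers = {"Authorization": f"Bearer {self.access_token()}"}
            status, body = self._get_json(f"{API_BASE}/instances", headers)
            if status == 401 and attempt == 0:
                self.invalidate()
                continue
            if status != 200:
                raise RuntimeError(f"API returned {status}")
            return body.get("instances", [])
        raise RuntimeError("unreachable")
```

Keep the client secret out of shell history and logs (read it from an environment variable or a secrets manager rather than pasting it into a command line), and treat the cached access token with the same care as the secret for the hour it is valid.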
## Next Steps

- First Login: connect to the Console
- Console: management interface