
Last Updated: 3/16/2026


Authentication & SSO

LinkAce supports multiple authentication methods including traditional email/password login and Single Sign-On (SSO) via OAuth and OIDC providers.

Authentication Methods

Standard Authentication

LinkAce uses Laravel Fortify for standard authentication features:

  • Email/password login
  • User registration
  • Password reset
  • Email verification
  • Two-factor authentication (if enabled)

API Authentication

API requests use Laravel Sanctum for token-based authentication.

Configuration: config/sanctum.php

API tokens are managed through:

  • User API Tokens (per-user access)
  • System API Tokens (system-wide access)

Single Sign-On (SSO)

LinkAce supports SSO via OAuth 2.0 and OpenID Connect (OIDC) providers.

Supported Providers

Configuration: config/auth.php

    'sso' => [
        'providers' => [
            'auth0',
            'authentik',
            'azure',
            'cognito',
            'fusionauth',
            'google',
            'github',
            'gitlab',
            'keycloak',
            'oidc',
            'okta',
            'zitadel',
        ],
    ],

SSO Configuration

SSO is configured via environment variables:

    # Enable SSO
    SSO_ENABLED=true

    # Allow new user registration via SSO
    SSO_REGISTRATION_ENABLED=true

    # Disable regular email/password login
    REGULAR_LOGIN_DISABLED=false

Environment Variables by Provider

Each provider requires specific configuration. Example for GitHub:

    GITHUB_CLIENT_ID=your_client_id
    GITHUB_CLIENT_SECRET=your_client_secret
    GITHUB_REDIRECT_URI=https://your-linkace.com/auth/github/callback

SSO Flow

  1. User clicks “Sign in with [Provider]”
  2. User is redirected to provider’s authorization page
  3. User grants permission
  4. Provider redirects back to LinkAce with authorization code
  5. LinkAce exchanges code for access token
  6. LinkAce retrieves user profile from provider
  7. User is authenticated and session is created

User Provisioning

When a user logs in via SSO for the first time:

  • If SSO_REGISTRATION_ENABLED=true, a new user account is created automatically
  • If SSO_REGISTRATION_ENABLED=false, only existing users can sign in via SSO

Disabling Regular Login

Set REGULAR_LOGIN_DISABLED=true to force all users to authenticate via SSO only. The standard login form will be hidden.

Authentication Guards

Configuration: config/auth.php

    'guards' => [
        'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],
    ],

LinkAce uses session-based authentication for web requests.

User Providers

    'providers' => [
        'users' => [
            'driver' => 'eloquent',
            'model' => App\Models\User::class,
        ],
    ],

Password Reset

Password reset configuration:

    'passwords' => [
        'users' => [
            'provider' => 'users',
            'table' => 'password_resets',
            'expire' => 60,   // Token expires after 60 minutes
            'throttle' => 60, // Throttle requests every 60 seconds
        ],
    ],

Session Security

Password Confirmation Timeout:

    'password_timeout' => 10800, // 3 hours

Sensitive operations may require the user to re-confirm their password once more than this period has elapsed since the last confirmation.

API Token Abilities

System API tokens support granular permissions via abilities:

Location: app/Enums/ApiToken.php

ApiToken::ABILITY_SYSTEM_ACCESS_PRIVATE

This ability grants access to private content across all users (system-wide access).

Middleware

Authentication middleware is configured in app/Http/Kernel.php:

    'auth:sanctum' // For API routes
    'auth'         // For web routes

API routes also include rate limiting:

    'throttle:' . config('app.api_rate_limit')

Multi-User Support

LinkAce supports multiple users with different access levels:

Visibility Levels

Content can have three visibility levels:

  1. Private (1) - Only visible to the owner
  2. Internal (2) - Visible to all authenticated users
  3. Public (3) - Visible to everyone, including unauthenticated users
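The three visibility levels above, together with the system-wide private access granted by ApiToken::ABILITY_SYSTEM_ACCESS_PRIVATE, form one access decision. The following is an added illustration, not LinkAce's own code: a standalone PHP function that applies those rules and fails closed on an unknown level. The function name, parameter names and the sample items are assumptions made for this example; LinkAce's real check lives in its models and policies.

```php
<?php
declare(strict_types=1);

// Visibility levels as documented above.
const VISIBILITY_PRIVATE  = 1;
const VISIBILITY_INTERNAL = 2;
const VISIBILITY_PUBLIC   = 3;

/**
 * Decide whether a principal may see an item.
 *
 * $viewerId            user id of the requester, or null when unauthenticated
 * $systemPrivateAccess true when the request carries a system API token with
 *                      ABILITY_SYSTEM_ACCESS_PRIVATE (private content of all users)
 */
function canView(int $visibility, int $ownerId, ?int $viewerId, bool $systemPrivateAccess = false): bool
{
    switch ($visibility) {
        case VISIBILITY_PUBLIC:
            return true;                                   // everyone, even anonymous
        case VISIBILITY_INTERNAL:
            return $viewerId !== null || $systemPrivateAccess; // any authenticated principal
        case VISIBILITY_PRIVATE:
            return $systemPrivateAccess
                || ($viewerId !== null && $viewerId === $ownerId); // owner only
        default:
            return false; // unknown or corrupt level: fail closed, never leak
    }
}

// Constructed sample data (not from LinkAce): four items owned by user 7.
$items = [
    ['id' => 1, 'owner' => 7, 'visibility' => VISIBILITY_PRIVATE],
    ['id' => 2, 'owner' => 7, 'visibility' => VISIBILITY_INTERNAL],
    ['id' => 3, 'owner' => 7, 'visibility' => VISIBILITY_PUBLIC],
    ['id' => 4, 'owner' => 7, 'visibility' => 99], // bad value in the database
];
$principals = [
    'anonymous'    => [null, false],
    'owner (7)'    => [7, false],
    'other user'   => [12, false],
    'system token' => [null, true],
];

foreach ($principals as $label => [$viewerId, $systemAccess]) {
    $visible = array_filter($items, fn($i) => canView($i['visibility'], $i['owner'], $viewerId, $systemAccess));
    $ids = implode(',', array_column($visible, 'id'));
    printf("%-13s sees items: %s\n", $label, $ids !== '' ? $ids : '(none)');
}
```

Running it shows anonymous seeing only item 3, the owner seeing 1,2,3, another user seeing 2,3, the system token seeing 1,2,3, and item 4 hidden from everyone.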

User Invitations

Administrators can invite new users via the User Management interface.

Model: app/Models/UserInvitation.php

Invitations are sent via email and expire after a configured period.

Security Best Practices

  1. Use HTTPS - Always serve LinkAce over HTTPS in production
  2. Strong Passwords - Enforce strong password policies
  3. API Token Rotation - Regularly rotate API tokens
  4. Limit Token Abilities - Grant minimum required permissions
  5. Monitor Failed Logins - Track and alert on suspicious activity
  6. Enable 2FA - Use two-factor authentication for sensitive accounts
  7. SSO Configuration - Properly configure redirect URIs and secrets

Troubleshooting

SSO Login Fails

  1. Verify provider credentials in .env
  2. Check redirect URI matches provider configuration
  3. Ensure SSO_ENABLED=true
  4. Check application logs for error details

API Authentication Fails

  1. Verify the token is sent in the Authorization: Bearer header
  2. Check that the token hasn’t been revoked
  3. Verify the token has the required abilities
  4. Check that the rate limit hasn’t been exceeded
