1. Setup
  2. Authorization



Authorization is essential to use the IdentityHub. The API as well as the graphql playground requires you to be authenticated in some way. You can either use and configure any OAuth provider, or configure authentication via LDAP.


The IdentityHub can work with any OAuth provider. If you are using the Userapp as well, you can utilize the OSP as your OAuth provider (see FAQs).

The IdentityHub itself does not handle any authorization flow, but takes an Authorization header, which it validates against the configured OAuth provider. This header can either be a BasicAuth header (Basic xxx) or an access token (Bearer xxx).

We strongly recommend to use the Auth Code Flow for your client applications and then send the access token in the Authorization header with your requests to the IdentityHub.


See the config explanation under the section oauth for details about the configuration.

LDAP auth

If you don't need or want to setup an OAuth provider, you can use authentication via LDAP. This type of authentication is always used for the graphql playground, but you can set it up as well for the API.

A simple BasicAuth header with username and password is used to authenticate. The IdentityHub will first use the username to find a user entry in the directory and will then perform an LDAP bind against this user with the given password. If successful, the actual query or modification will be performed.

This does not mean, that LDAP operations will be performed with the authenticated user rights. If not configured otherwise (ldap.useProxyAuth config option) the configured bind user will be used for all LDAP operations.


See the config explanation under the section ldap.auth for details on the configuration.