OAuth 2.0 & RBAC Integration
Implement secure authentication and granular permission management for applications interacting with the Aevum Encyclopedia knowledge graph.
Overview
Aevum Encyclopedia uses OAuth 2.0 and OpenID Connect as the standard for authentication and authorization. Once authenticated, access to articles, datasets, and administrative functions is governed by a strict Role-Based Access Control (RBAC) system.
OAuth 2.0 Authentication Flow
The standard integration follows a four-step process designed for maximum security and user consent transparency.
Authorization Request
Redirect users to https://auth.aevum-encyclopedia.com/oauth/authorize with your client_id, requested scopes, and PKCE code verifier.
User Consent & Authentication
The user logs into Aevum and explicitly approves the requested scopes. Multi-factor authentication is enforced for sensitive roles.
Token Exchange
Exchange the authorization code for an access token (JWT) and refresh token at the /oauth/token endpoint. Access tokens expire in 1 hour.
API Access
Attach the JWT to the Authorization: Bearer <token> header. The RBAC engine evaluates permissions on every request.
Role-Based Access Control (RBAC)
Permissions are scoped and enforced at the API level. Assign roles via the Developer Console or programatically using the Admin API.
| Role | Read Articles | Contribute/Edit | Manage Roles | API Access | Audit Logs |
|---|---|---|---|---|---|
| Viewer | Yes | No | No | Read-Only | No |
| Contributor | Yes | Yes | No | Yes | No |
| Editor | Yes | Yes | Team Only | Yes | Yes |
| Admin | Yes | Yes | Yes | Yes | Yes |
Implementation Examples
Initialize an OAuth session and retrieve an access token using your preferred language or HTTP client.
curl -X POST https://auth.aevum-encyclopedia.com/oauth/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=authorization_code" \
-d "code=" \
-d "redirect_uri=https://yourapp.com/callback" \
-d "client_id=" \
-d "code_verifier=" import requests
response = requests.post(
"https://auth.aevum-encyclopedia.com/oauth/token",
data={
"grant_type": "authorization_code",
"code": auth_code,
"redirect_uri": "https://yourapp.com/callback",
"client_id": CLIENT_ID,
"code_verifier": code_verifier
}
)
token_data = response.json()
access_token = token_data["access_token"]
print(f"Authorized. Token expires in {token_data['expires_in']}s")const axios = require('axios');
async function exchangeCode(authCode, codeVerifier) {
const payload = new URLSearchParams({
grant_type: 'authorization_code',
code: authCode,
redirect_uri: process.env.REDIRECT_URI,
client_id: process.env.CLIENT_ID,
code_verifier: codeVerifier
});
const { data } = await axios.post(
'https://auth.aevum-encyclopedia.com/oauth/token',
payload,
{ headers: { 'Content-Type': 'application/x-www-form-urlencoded' } }
);
return data.access_token;
}Security & Compliance
- PKCE Enforcement: Mandatory for all public clients to prevent authorization code interception.
- JWT Signing: Access tokens are signed using RS256. Public keys are available at
/.well-known/jwks.json. - Rotating Secrets: Client secrets support zero-downtime rotation. Old secrets remain valid for 7 days during transition.
- Compliance: Fully SOC 2 Type II and GDPR compliant. Data residency options available for EU/UK clients.
- Rate Limiting: API authentication endpoints are limited to 100 requests/IP/hour to prevent brute-force attacks.
Need Help?
Stuck with token validation or RBAC policy configuration? Our developer support team is available 24/7.