Authorization Scheme

Codejig Application Authorization Scheme

The system supports various authorization methods, enabling integration with external services, use of local users, and corporate solutions. This provides flexibility in choosing access methods depending on specific usage scenarios.

Types of Users

Non-local (External) Codejig Users

This category includes users who authorize via external OAuth 2.0 services (Google, Facebook, Okta) or directly through Codejig.

Regular Codejig Users
  • These are real individuals who registered on the Codejig platform, confirmed their email and password, or authorized via Google or Facebook.
  • They have their own accounts, which they control independently.
  • They can be application developers and organization administrators in Codejig (these roles are restricted to regular users for marketing and security reasons).
  • If the administration of a Codejig organization grants such a user access to an application deployed in the Codejig cloud or on an external server with Codejig authorization, the user can immediately access it. On launch, the application updates the list of active users based on data from the Codejig portal (https://apps.codejig.com/).
"Codejig organization only" Users
  • Created by an organization administrator through the Codejig portal with specified login, password, first name, and last name.
  • Information about such users (including password hashes) is embedded in the application during compilation. When using Codejig authorization, this data can also be dynamically sent to the application.
  • When using Codejig authorization, data for "organization only" users can be dynamically updated: if the organization administrator modifies user data on the Codejig portal, the changes are automatically sent to all applications running in the Codejig cloud and accessible to that user.
  • If the application is deployed without Codejig authorization (e.g., on an external server without a portal connection), data for such users is embedded during compilation. In this case, changes made on the Codejig portal after compilation will not take effect until the application is recompiled and deployed with an updated executable file.

Main purpose of "organization only" users:

  • Quickly granting application access without the user needing to register independently.
  • Ensuring functionality without connecting to the Codejig authorization server (e.g., when deployed without internet).

An organization can create an "organization only" user with application administrator rights. Their identifiers and password hashes are added to the application during compilation, enabling local (app-only) authorization. This allows the designated administrator to log in even in isolated environments where Codejig authorization is disabled or internet access is unavailable.

"Organization only" users:

  • Depend on the Codejig portal, as they are created and managed through it.
  • Cannot be application developers.
  • Can be added by the organization to any application it owns.

Note: A Codejig organization administrator does not have information about other application users not created through the Codejig portal (e.g., LDAP or "app-only"). They also do not know the roles defined by the developer in a specific application. The organization administrator can only grant application access to Codejig users (regular and "organization only") and assign them the built-in role of application administrator. This is possible if the application uses Codejig authorization or if information about such users was embedded during compilation.

Further user administration within the application is handled by the application administrator. An organization administrator can appoint any Codejig user from their organization (regular or "organization only") as an application administrator. Users authorized by other methods (e.g., LDAP or "app-only") cannot receive the built-in role of application administrator.

Application Administrator

  • Can assign application users to roles defined within the application and activate/deactivate them.
  • Can create new "app-only" users (if the respective option is enabled).
  • Cannot manage users who authenticate via Active Directory (LDAP); these users are managed via corporate infrastructure.
  • Cannot change their own rights or the rights of other application administrators.
  • Cannot appoint new application administrators or revoke this status from others. Changing administrator status is only possible via the Codejig portal by the organization administrator.

To add or remove an application administrator, use the Codejig portal (https://apps.codejig.com/en/users), where only the organization administrator can perform this action.

App-only Users

"App-only" users exist solely within a specific application and are isolated from the Codejig platform:

  • Created and managed directly by the application administrator.
  • "App-only" authorization can be enabled by Codejig portal administrators upon request, usually for users of paid services.
  • This mechanism is straightforward: user management (creation, deactivation) occurs directly in the application without using the Codejig portal.

Corporate Users (LDAP, Microsoft Active Directory)

  • Authenticate through corporate infrastructure (e.g., LDAP).
  • Used in corporate networks.
  • Enable the application of existing security policies and reuse of employee credentials.

Interaction of application administrator with LDAP users:

  • The application administrator can see the existence of LDAP users, their roles, and their activity.
  • The application administrator cannot create, delete, or modify LDAP users directly in the application, as they are managed externally in corporate infrastructure.

Authorization Services

OAuth 2.0 (Google, Facebook, Okta, Codejig)
  • External authentication services.
  • The system receives an access token, verifies it, and grants the user the appropriate rights.
LDAP (Microsoft Active Directory)
  • Integration with corporate networks.
  • Credentials are verified using real-time LDAP queries.
App-only Authorization
  • Credentials are stored and verified directly within the application.
  • Suitable for standalone/isolated systems and small companies minimizing reliance on external authorization providers.

Authorization Flow

  1. The user opens the application and chooses a login method: Google, Facebook, Codejig, LDAP, or "app-only".
  2. OAuth 2.0: The user is redirected to the external provider's authorization page. After successful authentication, they return to the application with an access token.
  3. LDAP: The user's credentials are verified directly on the LDAP server.
  4. App-only Authorization: The user enters a username and password, which are verified against credentials stored on the application server, without contacting Codejig.
  5. After successful authorization, the user gains access to application functionality with assigned roles and permissions.

Application Relationship with Codejig Organization

  • Each Codejig organization can have multiple development environments and projects.
  • Projects are compiled and deployed as one or several application instances in the Codejig cloud or on external servers.
  • If the application is deployed in the Codejig cloud or retains a connection with the Codejig authorization server, the Codejig organization administrator can dynamically add "regular" or "organization only" users. Access updates automatically.
  • If the application is deployed without Codejig authorization, authorization is possible only through other methods. In such cases, only Codejig "organization only" users (whose data was embedded during compilation) can log in, provided that local ("app-only") authorization is enabled. Regular Codejig users cannot authorize in this scenario, even if they were added by the organization administrator to this application during compilation.
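The login rules in this section, together with the administrator restrictions described earlier, as an added example that is not Codejig's own code: a small Python model of the access decisions. The names UserKind, Deployment, User, can_log_in and can_hold_app_admin are constructed for illustration; the flags correspond to the deployment conditions the text names.

```python
from dataclasses import dataclass
from enum import Enum, auto

# Constructed model of the user categories and deployment switches described above.
class UserKind(Enum):
    REGULAR = auto()   # registered Codejig user (email/password or Google/Facebook)
    ORG_ONLY = auto()  # "organization only" user created on the Codejig portal
    APP_ONLY = auto()  # exists solely inside this application
    LDAP = auto()      # corporate user (LDAP / Active Directory)


@dataclass(frozen=True)
class Deployment:
    codejig_auth: bool      # live connection to the Codejig authorization server
    app_only_enabled: bool  # local ("app-only") authorization switched on
    ldap_enabled: bool      # LDAP / AD integration configured


@dataclass(frozen=True)
class User:
    kind: UserKind
    granted_by_org_admin: bool = False  # access granted on the Codejig portal
    embedded_at_compile: bool = False   # hash embedded in the executable (org-only)
    active: bool = True                 # not deactivated by the app administrator


def can_log_in(user: User, dep: Deployment) -> bool:
    """Decide whether this user can authorize against this deployment."""
    if not user.active:
        return False
    if user.kind is UserKind.REGULAR:
        # Regular users need the portal connection; being added at compile
        # time does not help once the application runs without Codejig auth.
        return dep.codejig_auth and user.granted_by_org_admin
    if user.kind is UserKind.ORG_ONLY:
        if dep.codejig_auth:
            return user.granted_by_org_admin
        # Without Codejig auth, only embedded hashes work, and only when
        # local (app-only) authorization is enabled.
        return user.embedded_at_compile and dep.app_only_enabled
    if user.kind is UserKind.APP_ONLY:
        return dep.app_only_enabled
    if user.kind is UserKind.LDAP:
        return dep.ldap_enabled
    return False


def can_hold_app_admin(user: User) -> bool:
    """Only Codejig users (regular or organization-only) may be app admins."""
    return user.kind in (UserKind.REGULAR, UserKind.ORG_ONLY)
```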

Architecture Benefits

  • Flexibility: Different authorization methods for various user types.
  • Integration: Ability to connect corporate solutions (LDAP).
  • External Services: Support for OAuth 2.0 (Google, Facebook, Okta, Codejig).
  • Autonomy and Simplicity: "App-only" authorization allows the application to operate independently of the Codejig platform and other services, convenient for small companies and projects.

Thus, the Codejig authorization system offers a wide range of capabilities for adaptation to specific needs and usage conditions.