Database configuration
The authorization-system must use a dedicated PostgreSQL database; do not share it with other FlowX.AI services.
Environment Variables
- Database user needs full access to the authorization_system database
- PostgreSQL must be available before service startup
CAS client library configuration
The authorization-system uses the CAS client library to communicate with SpiceDB for ACL operations.
Environment Variables
The SpiceDB token must match the preshared_key value from the SpiceDB Kubernetes secret. This same value is used as:
- preshared_key in the SpiceDB Kubernetes secret
- SPICEDB_GRPC_PRESHARED_KEY for SpiceDB configuration
- FLOWX_LIB_CASCLIENT_SPICEDB_TOKEN for FlowX services

Connection settings:
- SpiceDB Host: Service hostname (typically spicedb)
- SpiceDB Port: gRPC port (standard: 50051)
- SpiceDB Token: Authentication token for SpiceDB access
OAuth2/Keycloak configuration
Environment Variables
OAuth2 Client
Must be configured in Keycloak with appropriate scopes for platform access
Service Account
Requires admin privileges in Keycloak for user management operations
Redis configuration
Environment Variables
Management
Environment Variables
Organization admin bootstrap
The authorization-system uses a fallback mechanism to create the first organization administrator when no admin users exist.
Primary method (recommended)
Set SPRING_LIQUIBASE_PARAMETERS_DEFAULTORGADMINUSERNAME (default: admin@flowx.ai)
Process:
- System searches for this username in Keycloak
- Copies the user's sub_id (subject ID) to the authorization-system database
- Grants organization admin privileges automatically
Fallback method
Set SPRING_LIQUIBASE_PARAMETERS_DEFAULTORGADMINUSERSUBJECTID with a specific Keycloak subject ID
Process:
- Creates user directly in authorization-system database
- Assigns organization admin roles
- Used when the username method fails or the username parameter is set to null
Error handling
If an incorrect subject_id is provided:
- Login will fail
- No org-admin privileges are granted
- Manual database correction is required
Customer-specific variables
Required Customization: These variables must be updated for each deployment environment.
- SECURITY_OAUTH2_BASE_SERVER_URL - Your Keycloak server URL
- SECURITY_OAUTH2_REALM - Your Keycloak realm name
- SECURITY_OAUTH2_CLIENT_CLIENT_ID - Your OAuth2 client identifier
- SPRING_DATASOURCE_URL - Your PostgreSQL connection details
- Service hostnames - Update to match your Kubernetes service names
Secrets management
Security: Always use Kubernetes Secrets for sensitive configuration values.
SPRING_DATASOURCE_PASSWORD
FLOWX_LIB_CASCLIENT_SPICEDB_TOKEN
SPRING_REDIS_PASSWORD
SECURITY_OAUTH2_CLIENT_CLIENT_SECRET
SECURITY_OAUTH2_SERVICE_ACCOUNT_ADMIN_CLIENT_SECRET
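As an added, stand-alone preflight check (example code written for this page, not part of FlowX.AI or the authorization-system): the script below takes the container env lists of the authorization-system and SpiceDB Deployments in the standard Kubernetes shape (name/value or name/valueFrom.secretKeyRef) plus the decoded Secrets they reference, and verifies the rules from the CAS client, organization admin bootstrap, customer-specific variables and secrets management sections before anything is applied: the CAS client token resolves to the same value as SPICEDB_GRPC_PRESHARED_KEY, the five sensitive variables come from Secrets and their keys exist, the datasource targets a dedicated authorization_system database, and an explicitly set bootstrap subject ID looks like a Keycloak subject ID. Secret names, hostnames and values in the sample are constructed; treating the subject ID as a UUID is an assumption that holds for locally managed Keycloak users but not necessarily for federated ones.

```python
import re
from urllib.parse import urlparse

# Values the page says must always come from Kubernetes Secrets.
SENSITIVE_VARS = ("SPRING_DATASOURCE_PASSWORD", "FLOWX_LIB_CASCLIENT_SPICEDB_TOKEN", "SPRING_REDIS_PASSWORD",
                  "SECURITY_OAUTH2_CLIENT_CLIENT_SECRET", "SECURITY_OAUTH2_SERVICE_ACCOUNT_ADMIN_CLIENT_SECRET")
# Values that must be set per deployment environment.
CUSTOMER_VARS = ("SECURITY_OAUTH2_BASE_SERVER_URL", "SECURITY_OAUTH2_REALM",
                 "SECURITY_OAUTH2_CLIENT_CLIENT_ID", "SPRING_DATASOURCE_URL")
SUBJECT_ID_VAR = "SPRING_LIQUIBASE_PARAMETERS_DEFAULTORGADMINUSERSUBJECTID"
# Assumption: locally managed Keycloak users, whose subject IDs are UUIDs; federated users may differ.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def resolve_env(env, secrets):
    """Return {name: (value, from_secret)}; an unresolvable secretKeyRef yields value None."""
    resolved = {}
    for item in env:
        if "value" in item:
            resolved[item["name"]] = (item["value"], False)
        else:
            ref = item["valueFrom"]["secretKeyRef"]
            resolved[item["name"]] = (secrets.get(ref["name"], {}).get(ref["key"]), True)
    return resolved


def jdbc_database(url):
    """Database name from a JDBC PostgreSQL URL (jdbc:postgresql://host:5432/db?x=y -> 'db')."""
    if not url or not url.startswith("jdbc:"):
        return None
    return urlparse(url[len("jdbc:"):]).path.lstrip("/") or None


def preflight(authz_env, spicedb_env, secrets):
    """Return a list of findings; an empty list means the configuration is consistent."""
    findings = []
    authz = resolve_env(authz_env, secrets)
    spicedb = resolve_env(spicedb_env, secrets)
    value_of = lambda name: authz.get(name, (None, False))[0]

    for name in SENSITIVE_VARS:
        if name not in authz:
            findings.append(f"{name} is not set")
        elif not authz[name][1]:
            findings.append(f"{name} is a plain value; it must come from a Kubernetes Secret")
        elif authz[name][0] is None:
            findings.append(f"{name} references a Secret key that does not exist")
    for name in CUSTOMER_VARS:
        if not value_of(name):
            findings.append(f"{name} must be set for this environment")

    # The same preshared key must reach both SpiceDB and the CAS client library.
    psk = spicedb.get("SPICEDB_GRPC_PRESHARED_KEY", (None, False))[0]
    token = value_of("FLOWX_LIB_CASCLIENT_SPICEDB_TOKEN")
    if token is not None and psk is not None and token != psk:
        findings.append("FLOWX_LIB_CASCLIENT_SPICEDB_TOKEN differs from SPICEDB_GRPC_PRESHARED_KEY")

    # The service needs its own authorization_system database, not one shared with other services.
    ds_url = value_of("SPRING_DATASOURCE_URL")
    if ds_url and jdbc_database(ds_url) != "authorization_system":
        findings.append(f"SPRING_DATASOURCE_URL targets {jdbc_database(ds_url)!r}, expected 'authorization_system'")

    # A wrong subject ID means login fails, no org admin exists and the database needs a manual fix.
    subject_id = value_of(SUBJECT_ID_VAR)
    if subject_id and not UUID_RE.match(subject_id):
        findings.append(f"{SUBJECT_ID_VAR}={subject_id!r} is not a Keycloak subject ID (expected a UUID)")
    return findings


def secret_ref(name, secret, key):
    # Build a Kubernetes env entry that reads `key` from Secret `secret`.
    return {"name": name, "valueFrom": {"secretKeyRef": {"name": secret, "key": key}}}


# Constructed sample manifests: Secret names, hostnames and values are made up.
SECRETS = {
    "spicedb-secret": {"preshared_key": "s3cr3t-psk"},
    "authz-secrets": {"db-password": "pgpass", "redis-password": "rpass",
                      "client-secret": "cs", "admin-client-secret": "acs"},
}
SPICEDB_ENV = [secret_ref("SPICEDB_GRPC_PRESHARED_KEY", "spicedb-secret", "preshared_key")]
GOOD_AUTHZ_ENV = [
    {"name": "SPRING_DATASOURCE_URL", "value": "jdbc:postgresql://postgres:5432/authorization_system"},
    secret_ref("SPRING_DATASOURCE_PASSWORD", "authz-secrets", "db-password"),
    secret_ref("FLOWX_LIB_CASCLIENT_SPICEDB_TOKEN", "spicedb-secret", "preshared_key"),
    secret_ref("SPRING_REDIS_PASSWORD", "authz-secrets", "redis-password"),
    secret_ref("SECURITY_OAUTH2_CLIENT_CLIENT_SECRET", "authz-secrets", "client-secret"),
    secret_ref("SECURITY_OAUTH2_SERVICE_ACCOUNT_ADMIN_CLIENT_SECRET", "authz-secrets", "admin-client-secret"),
    {"name": "SECURITY_OAUTH2_BASE_SERVER_URL", "value": "https://keycloak.example.internal"},
    {"name": "SECURITY_OAUTH2_REALM", "value": "example-realm"},
    {"name": "SECURITY_OAUTH2_CLIENT_CLIENT_ID", "value": "authz-client"},
]
BAD_AUTHZ_ENV = [
    {"name": "SPRING_DATASOURCE_URL", "value": "jdbc:postgresql://postgres:5432/shared_db"},
    {"name": "SPRING_DATASOURCE_PASSWORD", "value": "pgpass"},            # plain value
    {"name": "FLOWX_LIB_CASCLIENT_SPICEDB_TOKEN", "value": "wrong-psk"},  # plain and mismatched
    secret_ref("SPRING_REDIS_PASSWORD", "authz-secrets", "missing-key"),  # dangling secretKeyRef
    secret_ref("SECURITY_OAUTH2_CLIENT_CLIENT_SECRET", "authz-secrets", "client-secret"),
    {"name": SUBJECT_ID_VAR, "value": "admin@flowx.ai"},                  # a username, not a subject ID
]

if __name__ == "__main__":
    for finding in preflight(BAD_AUTHZ_ENV, SPICEDB_ENV, SECRETS):
        print("FAIL:", finding)
```

Run it against the rendered manifests of a real environment by replacing the constructed SECRETS and env lists with the decoded output of kubectl; the good sample yields no findings, the bad one reports every rule it breaks, including the subject ID given as a username, which is the case that would otherwise surface only as a failed login after startup.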
Deployment prerequisites
Infrastructure
- PostgreSQL with the authorization_system database
- SpiceDB with authentication configured
- Redis for caching
Identity & Access
- Keycloak with configured realm
- OAuth2 clients created
- Admin user exists in Keycloak
Architecture notes
Database Access Control: Only authorization-system has direct write access to the CAS PostgreSQL database. Other services communicate via REST APIs only.
SpiceDB Integration: Uses PostgreSQL as backend storage and communicates via gRPC through the CAS client library.