Database configuration
Environment Variables
- Database user needs full access to
authorization_systemdatabase - PostgreSQL must be available before service startup
CAS client library configuration
The authorization-system uses the CAS client library to communicate with SpiceDB for ACL operations.
Environment Variables
- SpiceDB Host: Service hostname (typically
spicedb) - SpiceDB Port: gRPC port (standard:
50051) - SpiceDB Token: Authentication token for SpiceDB access
Runtime authorization backend
Selects which backend the CAS client library uses for runtime authorization checks. WithCUSTOM (the default), authorization requests are served by the authorization-system service over REST. With SPICEDB, checks are delegated directly to SpiceDB. The value is defined once in the shared CAS client library and inherited by every service; override it only if instructed by FlowX.
OAuth2/Keycloak configuration
Redis configuration
Authorization System uses Redis for caching. Configure Redis connection using the standard Redis environment variables. Quick reference:Both
SPRING_DATA_REDIS_* and SPRING_REDIS_* variable prefixes are supported. The SPRING_DATA_REDIS_* prefix is the modern Spring Boot standard and is recommended for new deployments.For advanced Redis deployment modes (Sentinel, Cluster) and SSL/TLS setup, see the Redis Configuration guide. Note that Sentinel and Cluster modes are only supported by the Events Gateway service.
Kafka configuration
Connection settings
Topic naming configuration
Audit topic
Organization events topic
OAuth authentication (when using SASL_PLAINTEXT)
When using the
kafka-auth profile, the security protocol will automatically be set to SASL_PLAINTEXT and the SASL mechanism will be set to OAUTHBEARER.Service account realm secrets
These variables configure the client secrets for service accounts in the dedicated service accounts realm. Liquibase uses these secrets when provisioning the SA realm during deployment. By default, secrets are left empty and auto-generated. Set explicit values only if you need to reference specific service account credentials in custom integrations.Management
Environment Variables
Organization admin bootstrap
Primary method (recommended)
SetSPRING_LIQUIBASE_PARAMETERS_DEFAULTORGADMINUSERNAME (default: admin@flowx.ai)
Process:
- System searches for this username in Keycloak
- Copies the user’s
sub_id(subject ID) to authorization-system database - Grants organization admin privileges automatically
Fallback method
SetSPRING_LIQUIBASE_PARAMETERS_DEFAULTORGADMINUSERSUBJECTID with a specific Keycloak subject ID
Process:
- Creates user directly in authorization-system database
- Assigns organization admin roles
- Used when username method fails or is set to null
Error handling
If incorrect subject_id is provided:- Login will fail
- No org-admin privileges granted
- Manual database correction required
If you’ve deployed with an incorrect subject_id, use this SQL script to fix it:The first organization administrator always has the ID
00000000-0000-0000-0000-100000000001 in the authorization-system database.Keycloak redirect URIs
On first startup, the authorization-system runs a Liquibase migration that creates (or updates) the default Keycloak realm and configures theflowx-platform-authenticate client. You can control which redirect URIs are set on this client using:
Environment Variables
Examples:
https://designer.yourcompany.com/*— Designer accesshttps://app.yourcompany.com/*— Container app accesshttp://localhost*— Local development
Default realm admin credentials
During the initial Liquibase migration, the authorization-system creates the default FlowX Keycloak realm along with an admin user. You must set an initial password for this admin user:Self-hosted deployments: leave these variables empty. The bootstrap admin password is supplied through the first-time setup screen in Designer the first time the platform starts. See Self-hosted initialization for the registration flow.
Customer-specific variables
Required Customization: These variables must be updated for each deployment environment.
SECURITY_OAUTH2_BASESERVERURL— Your Keycloak server URLSECURITY_MASTERREALM_ADMIN_PASSWORD— Master realm admin passwordSPRING_DATASOURCE_URL— Your PostgreSQL connection detailsSPRING_LIQUIBASE_PARAMETERS_ALLOWEDREDIRECTURIS— Designer and app redirect URIs- Service hostnames — Update to match your Kubernetes service names
Secrets management
Required Kubernetes Secrets:SPRING_DATASOURCE_PASSWORDFLOWX_SPICEDB_TOKENSPRING_REDIS_PASSWORDSPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_MAINIDENTITY_CLIENTSECRETSECURITY_MASTERREALM_ADMIN_PASSWORD
Deployment prerequisites
Infrastructure
- PostgreSQL with
authorization_systemdatabase - SpiceDB with authentication configured
- Redis for caching
Identity & Access
- Keycloak with configured realm
- OAuth2 clients created
- Admin user exists in Keycloak
Architecture notes
Database Access Control: Only authorization-system has direct write access to the CAS PostgreSQL database. Other services communicate via REST APIs only.
SpiceDB Integration: Uses PostgreSQL as backend storage and communicates via gRPC through the CAS client library.
Ingress and CORS
The Authorization System is exposed externally on the admin host. Routing is configured through the FlowX Helm chart, which renders either a Kubernetes Ingress (default) or a Gateway API HTTPRoute per service. CORS handling lives in the service code; only the allowed-origins list is deployment-specific.Service route
The path is set through
services.authorization-system.ingress.admin.path (or services.authorization-system.gateway.admin.paths) in the chart values. The /auth prefix is also used by Keycloak (configured separately via global.flowx.idp.keycloak.contextPath); the chart wires both behind the same prefix.
CORS configuration
Allowed methods, allowed headers (including
Authorization, Content-Type, Fx-Workspace-Id), and credential handling are baked into the service’s application.yaml with safe defaults. Override these only if you have a non-standard requirement.
For the complete route reference, Gateway API HTTPRoute configuration, and route customization, see the ingress configuration guide.
