CIG Authentication Architecture

CIG uses Authentik as the primary identity provider and Supabase as a feature-flagged fallback. The current production flow uses the landing app as the entry point and the dashboard as the relay/callback bridge.

Current Production Principals

Component	Production origin	Role
Landing (`apps/landing`)	`https://cig.lat`	Public entrypoint, login buttons, canonical logout completion target
Dashboard (`apps/dashboard`)	`https://app.cig.lat`	Protected app, PKCE relay, login callback bridge
Authentik	`https://auth.cig.technology`	OIDC provider and social-source broker

The user starts login from the landing app.
Landing stores PKCE state and navigates to the dashboard relay route.
The dashboard relay hands off to Authentik.
Authentik returns an authorization code to the dashboard callback bridge.
The callback bridge exchanges the code, provisions the user if needed, and returns the tokens to landing.

Provisioning and Runtime Requirements

The dashboard runtime must have:

SUPABASE_URL
SUPABASE_SERVICE_ROLE_KEY

If those values are missing, provisioning fails closed and the user is returned to sign-in.

Logout

Logout is centralized in the landing app. It clears local session state and redirects through the sign-out flow so the browser session is fully reset.

Current Production Principals​

Current Login Flow​

Provisioning and Runtime Requirements​

Logout​

Current Production Principals

Current Login Flow

Provisioning and Runtime Requirements

Logout