PortaMulti-tenant OIDC Provider

Authentication, User Management, RBAC & Custom Claims — built on node-oidc-provider

Multi-Tenant by Design

Path-based organization isolation with per-tenant OIDC endpoints, branding, and configuration.

Built on node-oidc-provider with PKCE, Authorization Code flow, refresh tokens, and discovery.

Password and magic link authentication, configurable per organization and per client with inheritance.

Email OTP, TOTP authenticator apps, and recovery codes with per-org policy enforcement.

Per-org branding via API, custom CSS injection, or full Handlebars template override via Docker volume mount.

Full user lifecycle — registration, invitation, password reset, magic links, and status management.

Application-scoped roles and permissions with type-validated custom claims injected into tokens.

Full-featured CLI and JWT-authenticated API for managing organizations, apps, clients, users, and RBAC.

Web-based administration console with React SPA and secure BFF — OIDC authentication, session management, and API proxying.

Three-point lifecycle — explicit logout cascades tokens, natural expiry preserves refresh flows, opportunistic cleanup purges stale records.