Skip to content
Geoportal Documentation

Web Authentication

This page describes how authentication currently works in the Geoportal Web application.

How Authentication Works in Geoportal Web

Section titled “How Authentication Works in Geoportal Web”

Geoportal Web uses backend-managed sessions.

  • Users sign in through Geoportal Web.
  • The Geoportal API validates identity and establishes the authenticated session.
  • The browser uses the API-issued session cookie for subsequent authenticated requests.
  • Access to protected resources is determined by API authentication and authorization checks.

Geoportal Web does not use browser local storage as the source of trust for authentication.

Authentication Flows

Section titled “Authentication Flows”

Personal Account (Email + Password)

Section titled “Personal Account (Email + Password)”
  1. User enters email and password in the Geoportal Web login form.
  2. Geoportal Web sends credentials to the Geoportal API over HTTPS.
  3. The API validates credentials and account status.
  4. On success, the API sets a secure session cookie.
  5. Geoportal Web continues the user to authenticated routes.

Enterprise Account (Microsoft Entra ID SSO)

Section titled “Enterprise Account (Microsoft Entra ID SSO)”
  1. User starts SSO from Geoportal Web.
  2. Geoportal Web initiates the backend-owned Microsoft Entra ID flow.
  3. User authenticates with Microsoft Entra ID.
  4. The API validates the callback response and establishes a Geoportal session.
  5. Geoportal Web continues the user with the API session cookie.

Session Behavior

Section titled “Session Behavior”

Geoportal Web relies on API-issued cookie sessions for authenticated API access.

  • Session cookies are configured for secure browser usage.
  • Authenticated requests are evaluated against current API session state.
  • Protected pages in Geoportal Web depend on successful authenticated API responses.

Authentication and Authorization Responses

Section titled “Authentication and Authorization Responses”

Geoportal Web handles API response classes as follows:

  • 401 Unauthorized: authentication is missing, expired, or invalid; the user is returned to sign-in.
  • 403 Forbidden: authentication is valid, but permission for the requested action is not granted; an access-denied state is shown.

Expired or Invalid Credentials

Section titled “Expired or Invalid Credentials”

When credentials are expired or otherwise invalid, the API responds with 401 Unauthorized, and Geoportal Web transitions the user back to the sign-in flow.

When credentials are valid but insufficient for the requested resource, the API responds with 403 Forbidden, and Geoportal Web keeps the authenticated state while denying access to that operation.

Logout Behavior

Section titled “Logout Behavior”

On logout:

  1. Geoportal Web calls the API logout endpoint.
  2. The API invalidates the active session.
  3. Geoportal Web clears local auth UI state and returns the user to a public route.
Section titled “Related Pages”
  • API authentication: /reference/api/authentication
  • Authentication overview: /introduction/authentication
  • Enterprise SSO reference: /reference/enterprise/sso