Concepts
The conceptual map of Modgud. If you're new, read these in roughly the order below — each one builds on the ones above it.
Foundations
- Glossary — terminology used across the docs and UI. Skim it once; refer back when a word feels overloaded.
- Apps & resource_access — why permissions are app-scoped and how resource_access shows up on tokens.
Tenancy
- Realms (Multi-Tenant) — the database-per-realm model and how requests get routed to the right tenant.
- Control Plane / Data Plane — how cross-realm administration is structurally separated from tenant operations.
Identity
- Authentication — login flows, 2FA, federated OIDC, sessions.
Authorization
- Authorization (RBAC) — the Principal → Group → Role → Permission chain.
- Permissions & gating — the three-segment permission grammar and the bypass tiers.
- Auto-Membership — JsEval-scripted group membership predicates.
- ABAC and the IAM boundary — why row-level access stays in the consuming app, not in the IdP.
OAuth / OIDC
- OAuth & OIDC — the supported flows, signing, and per-realm isolation.
- Dynamic Client Registration — RFC 7591 for MCP agents and self-onboarding apps.
- Sessions & Tokens — what's on a token, where session state lives, and how rotation works.