# Login Experience
Nauthera serves a built-in login page and consent screen as part of the auth server. When a user initiates an OAuth2 authorization code flow, the auth server presents the login page for authentication and (optionally) a consent screen to approve the requested scopes.
## Login Page
The login page is served at {issuer}/login and is displayed automatically when a user hits the authorization endpoint without an active session.
The login page collects the user's email and password, validates credentials against the PostgreSQL user store, and redirects the user back to the authorization flow upon successful authentication.
### Features

- Brute-force protection — After a configurable number of failed attempts (default: 5), the account is temporarily locked. See Account Security.
- Session management — Successful logins create a session cookie. Subsequent authorization requests skip the login page if a valid session exists (unless `prompt=login` is specified).
- HTTPS-only cookies — Session cookies are set with the `Secure`, `HttpOnly`, and `SameSite=Lax` attributes.
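The three features above, as an added Go illustration (not Nauthera's code): a per-account lockout counter with the documented default of 5 failed attempts, the session cookie with the documented `Secure`, `HttpOnly` and `SameSite=Lax` attributes, and the rule that the login page is shown when there is no valid session or when `prompt=login` is sent. The type and function names, the cookie name and the 15-minute lock duration are assumptions; the documentation does not state how long a lock lasts.

```go
package main

// Added illustration of the login-page behaviour; not Nauthera's code.
// Type names, cookie name and lock duration are assumptions; only the default
// of 5 failed attempts and the cookie attributes come from the documentation.

import (
	"fmt"
	"net/http"
	"time"
)

// DefaultMaxFailedAttempts mirrors the documented default lockout threshold.
const DefaultMaxFailedAttempts = 5

// LockoutTracker counts failed logins per account and locks the account for
// LockDuration once MaxFailed consecutive failures are recorded.
type LockoutTracker struct {
	MaxFailed    int
	LockDuration time.Duration
	failed       map[string]int
	lockedUntil  map[string]time.Time
}

func NewLockoutTracker(maxFailed int, lock time.Duration) *LockoutTracker {
	return &LockoutTracker{
		MaxFailed:    maxFailed,
		LockDuration: lock,
		failed:       make(map[string]int),
		lockedUntil:  make(map[string]time.Time),
	}
}

// IsLocked reports whether the account is still inside its lock window.
func (t *LockoutTracker) IsLocked(email string, now time.Time) bool {
	until, ok := t.lockedUntil[email]
	if !ok {
		return false
	}
	if now.Before(until) {
		return true
	}
	// The lock has expired: clear it so the next failure starts a fresh count.
	delete(t.lockedUntil, email)
	return false
}

// RecordFailure registers one failed attempt and reports whether the account
// is now locked.
func (t *LockoutTracker) RecordFailure(email string, now time.Time) bool {
	if t.IsLocked(email, now) {
		return true
	}
	t.failed[email]++
	if t.failed[email] >= t.MaxFailed {
		t.lockedUntil[email] = now.Add(t.LockDuration)
		delete(t.failed, email)
		return true
	}
	return false
}

// RecordSuccess resets the failure counter after a successful login.
func (t *LockoutTracker) RecordSuccess(email string) {
	delete(t.failed, email)
}

// NewSessionCookie builds the session cookie with the documented attributes.
// The cookie name "session" is a placeholder, not the real name.
func NewSessionCookie(sessionID string, ttl time.Duration) *http.Cookie {
	return &http.Cookie{
		Name:     "session",
		Value:    sessionID,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
		MaxAge:   int(ttl.Seconds()),
	}
}

// ShouldShowLogin decides whether the authorization endpoint must render the
// login page: always without a valid session, and also on prompt=login.
func ShouldShowLogin(hasValidSession bool, prompt string) bool {
	return !hasValidSession || prompt == "login"
}

func main() {
	tr := NewLockoutTracker(DefaultMaxFailedAttempts, 15*time.Minute)
	now := time.Now()
	for i := 1; i <= DefaultMaxFailedAttempts; i++ {
		fmt.Printf("failure %d -> locked=%v\n", i, tr.RecordFailure("alice@example.com", now))
	}
	fmt.Println("cookie:", NewSessionCookie("opaque-id", time.Hour).String())
}
```

The lock window is keyed on the account, not the client address, so a valid password presented during the window is still refused; that is the trade-off the documented "temporarily locked" behaviour makes against credential stuffing.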
## Consent Screen
After login, the consent screen presents the scopes requested by the application and asks the user to approve them. The behaviour is controlled by the consentScreen.mode field in the applicable AuthPolicy:
| Mode | Behaviour |
|---|---|
| `always` | Always show the consent screen, even if the user has previously approved the same scopes |
| `auto` | Show only when the client requests scopes the user hasn't previously approved (default) |
| `never` | Skip the consent screen entirely — scopes are approved implicitly |

```yaml
# In a ClusterAuthPolicy or AuthPolicy
spec:
  consentScreen:
    mode: auto
    rememberConsentDays: 30
```

The consent screen displays:

- The client's `displayName` (or resource name if not set)
- The list of requested scopes with human-readable descriptions
- Approve and Deny buttons
When rememberConsentDays is set, the user's consent decision is stored and re-used for that client until the configured number of days have elapsed or the client requests new scopes.
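The consent decision described by the mode table and `rememberConsentDays`, as an added Go illustration that is not Nauthera's code. The three modes and the "new scopes or expired remembered decision" rule come from the documentation; the type and function names are assumptions, and so is the choice to treat an unset `rememberConsentDays` (zero) as "nothing is persisted, so prompt again".

```go
package main

// Added illustration of the consent decision; not Nauthera's code. Names are
// assumptions; modes and rememberConsentDays semantics follow the docs.

import (
	"fmt"
	"time"
)

type ConsentMode string

const (
	ModeAlways ConsentMode = "always"
	ModeAuto   ConsentMode = "auto"
	ModeNever  ConsentMode = "never"
)

// RememberedConsent is the stored decision for one (user, client) pair.
type RememberedConsent struct {
	Scopes    []string
	GrantedAt time.Time
}

// NeedsConsent reports whether the consent screen must be shown for this
// authorization request.
func NeedsConsent(mode ConsentMode, requested []string, remembered *RememberedConsent, rememberDays int, now time.Time) bool {
	switch mode {
	case ModeNever:
		return false
	case ModeAlways:
		return true
	}
	// auto (the default): reuse a remembered decision only while it is valid.
	if remembered == nil || rememberDays <= 0 {
		// Nothing stored, or persistence not configured (assumed: no reuse).
		return true
	}
	expiry := remembered.GrantedAt.Add(time.Duration(rememberDays) * 24 * time.Hour)
	if !now.Before(expiry) {
		return true // the remembered decision has aged out
	}
	// Prompt again only if the client asks for a scope not approved before.
	return !allApproved(requested, remembered.Scopes)
}

// allApproved reports whether every requested scope is in the approved set.
func allApproved(requested, approved []string) bool {
	set := make(map[string]bool, len(approved))
	for _, s := range approved {
		set[s] = true
	}
	for _, s := range requested {
		if !set[s] {
			return false
		}
	}
	return true
}

func main() {
	rem := &RememberedConsent{Scopes: []string{"openid", "profile"}, GrantedAt: time.Now().Add(-10 * 24 * time.Hour)}
	fmt.Println("same scopes:", NeedsConsent(ModeAuto, []string{"openid"}, rem, 30, time.Now()))
	fmt.Println("new scope:  ", NeedsConsent(ModeAuto, []string{"openid", "email"}, rem, 30, time.Now()))
}
```

Note that the comparison is on the set of scopes, not the order or count: a client that previously obtained `openid profile` and now asks only for `openid` is not prompted again in `auto` mode.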
## Customization

### Branding
The login page and consent screen can be customized via Helm values to match your organisation's branding:
```yaml
# values.yaml
operator:
  ui:
    # Page title shown in the browser tab
    title: "Sign in to Acme Corp"
    # Logo URL displayed on the login page (recommended: SVG or PNG, max 200x60px)
    logoUrl: "https://cdn.example.com/logo.svg"
    # Primary brand color for buttons and links (CSS color value)
    primaryColor: "#4F46E5"
    # Favicon URL
    faviconUrl: "https://cdn.example.com/favicon.ico"
    # Custom CSS URL for advanced styling (loaded after default styles)
    customCssUrl: ""
    # Footer text (supports basic HTML)
    footerHtml: "© 2026 Acme Corp"
```

### Custom CSS
For advanced styling, provide a URL to a CSS file via operator.ui.customCssUrl. The CSS is loaded after the default styles, allowing you to override specific elements:
```css
/* custom-login.css */
.login-container {
  background: linear-gradient(135deg, #1e1b4b 0%, #312e81 100%);
}
.login-card {
  border-radius: 16px;
  box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.25);
}
.consent-scope-item {
  border-left: 3px solid var(--primary-color);
}
```

## Security Headers
The login and consent pages are served with the following security headers:
| Header | Value | Purpose |
|---|---|---|
| `Strict-Transport-Security` | `max-age=31536000; includeSubDomains` | Enforce HTTPS |
| `Content-Security-Policy` | `default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' https:` | Prevent XSS |
| `X-Frame-Options` | `DENY` | Prevent clickjacking |
| `X-Content-Type-Options` | `nosniff` | Prevent MIME-type sniffing |
| `Referrer-Policy` | `strict-origin-when-cross-origin` | Limit referrer information |
| `Cache-Control` | `no-store, no-cache, must-revalidate` | Prevent caching of auth pages |
These headers are set automatically and cannot be disabled. Additional headers can be configured via Helm values:
```yaml
operator:
  security:
    additionalHeaders:
      X-Custom-Header: "value"
```

## Related Resources
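The header behaviour described above, as an added Go middleware that is not Nauthera's code: it sets the six documented headers on every auth-page response, applies the `additionalHeaders` map, and refuses to let an additional header replace a built-in one, which is this example's reading of "cannot be disabled". The function names, and the exact precedence rule, are assumptions; the header names and values are those in the table.

```go
package main

// Added illustration of the auth-page security headers; not Nauthera's code.
// Header names and values come from the table; the precedence rule (built-in
// headers win over additionalHeaders) is an assumption.

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// authPageHeaders are the documented, always-on headers (canonical names).
var authPageHeaders = map[string]string{
	"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
	"Content-Security-Policy":   "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' https:",
	"X-Frame-Options":           "DENY",
	"X-Content-Type-Options":    "nosniff",
	"Referrer-Policy":           "strict-origin-when-cross-origin",
	"Cache-Control":             "no-store, no-cache, must-revalidate",
}

// SecurityHeaders wraps next so that every response carries the built-in
// headers plus the operator-configured additional ones.
func SecurityHeaders(additional map[string]string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		for k, v := range additional {
			// Ignore attempts to override a built-in header via additionalHeaders.
			if _, builtIn := authPageHeaders[http.CanonicalHeaderKey(k)]; builtIn {
				continue
			}
			h.Set(k, v)
		}
		// Built-ins are written last so nothing upstream can weaken them.
		for k, v := range authPageHeaders {
			h.Set(k, v)
		}
		next.ServeHTTP(w, r)
	})
}

// ResponseHeaders renders a dummy /login response through the middleware and
// returns the headers it ends up with, for inspection or testing.
func ResponseHeaders(additional map[string]string) http.Header {
	login := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	rec := httptest.NewRecorder()
	SecurityHeaders(additional, login).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/login", nil))
	return rec.Header()
}

func main() {
	// Constructed values: one legitimate extra header and one override attempt.
	hdrs := ResponseHeaders(map[string]string{
		"X-Custom-Header": "value",
		"X-Frame-Options": "ALLOWALL",
	})
	for k, v := range hdrs {
		fmt.Printf("%s: %s\n", k, v[0])
	}
}
```

Checking the rendered headers against the table, rather than trusting the configuration, is also how you would verify a deployed instance: `curl -sI https://<issuer>/login` should show all six values unchanged.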
- Endpoints — Full OIDC endpoint reference.
- User Management — Creating and managing user accounts.
- AuthPolicy — Consent screen configuration and scope policies.