Platform
Identity Platform
Overview

Identity Platform (PIP)

Base URL: https://pip.pcampus.co

Overview

Identity Platform (PIP) เป็น core service ที่ทุก service ใน Pcampus ecosystem พึ่งพา ทำหน้าที่เป็น single source of truth สำหรับ identity, access, และ application credentials

PIP แก้ปัญหา 3 ข้อหลักให้ developer:

  1. ไม่ต้องสร้างระบบ auth เอง
  2. ไม่ต้องจัดการ permission logic กระจายอยู่หลาย service
  3. ไม่ต้องสร้าง OAuth server เอง

Who uses this

Personaใช้ทำอะไร
Developer (ลูกค้า)ใช้ OAuth2/OIDC สำหรับ user login, ใช้ API Keys สำหรับ M2M
Org Adminจัดการ members, roles, และ permissions ใน Console
End userSign up, login, แก้ไข profile ของตัวเอง
Internal serviceเรียก /access/check ก่อน authorize ทุก request

Key features

  • Authentication — Sign up, login, password reset via ORY Kratos
  • OAuth2 / OIDC — Authorization code, client credentials flow via ORY Hydra
  • User profiles — Name, contacts (phone, LINE, email), addresses (home, work, billing)
  • Organizations — Multi-tenant; users belong to 1+ orgs with different roles
  • Role-based access control (RBAC) — Permission catalog {namespace}.{resource}.{action}, roles, assignments
  • Application registry — Register OAuth clients, issue M2M API keys
  • Audit log — Who did what, when, from where

User stories

Developer integrating PIP:

"ผมต้องการให้ user ของ app ผม login ด้วย Pcampus account ได้ โดยไม่ต้องสร้างระบบ auth เอง" → Register application → ได้ OAuth client → implement authorization code flow

Org admin:

"ผมอยากให้ทีม marketing เข้าถึง Content OS ได้ แต่ไม่ให้แก้ไข user accounts" → สร้าง role content-editor กับ permissions content-os.access, content-os.calendar.write → assign ให้ member

End user:

"ผมอยากเพิ่มเบอร์โทรและที่อยู่สำหรับการรับ invoice" → ไปที่ Console → Profile → เพิ่ม contact + address

How it works

Data model

Integration with other services

ทุก service เรียก POST /access/check ก่อน authorize request ทุกครั้ง

API overview

MethodEndpointDescription
GET/identity/meCurrent user profile
PATCH/identity/meUpdate profile
GET/organizationsList user's orgs
POST/organizationsCreate org
POST/access/checkCheck permission
POST/access/rolesCreate role
POST/access/assignmentsAssign role
POST/applicationsRegister application
POST/applications/:id/api-keysCreate API key
POST/oauth2/tokenGet OAuth token

Full API Reference →

Identity Platform (PIP)

Base URL: https://pip.pcampus.co

Overview

Identity Platform (PIP) is the core service that every service in the Pcampus ecosystem depends on. It serves as the single source of truth for identity, access, and application credentials.

PIP solves 3 key problems for developers:

  1. No need to build your own auth system
  2. No need to manage permission logic scattered across multiple services
  3. No need to build your own OAuth server

Who uses this

PersonaWhat they do
Developer (customer)Use OAuth2/OIDC for user login, use API Keys for M2M
Org AdminManage members, roles, and permissions in Console
End userSign up, log in, edit their own profile
Internal serviceCall /access/check before authorizing every request

Key features

  • Authentication — Sign up, login, password reset via ORY Kratos
  • OAuth2 / OIDC — Authorization code, client credentials flow via ORY Hydra
  • User profiles — Name, contacts (phone, LINE, email), addresses (home, work, billing)
  • Organizations — Multi-tenant; users belong to 1+ orgs with different roles
  • Role-based access control (RBAC) — Permission catalog {namespace}.{resource}.{action}, roles, assignments
  • Application registry — Register OAuth clients, issue M2M API keys
  • Audit log — Who did what, when, from where

User stories

Developer integrating PIP:

"I want users of my app to log in with a Pcampus account without me having to build an auth system." → Register an application → receive an OAuth client → implement the authorization code flow

Org admin:

"I want the marketing team to access Content OS but not be able to edit user accounts." → Create a content-editor role with permissions content-os.access, content-os.calendar.write → assign to the member

End user:

"I want to add my phone number and billing address." → Go to Console → Profile → add contact + address

How it works

Data model

Integration with other services

Every service calls POST /access/check before authorizing every request.

API overview

MethodEndpointDescription
GET/identity/meCurrent user profile
PATCH/identity/meUpdate profile
GET/organizationsList user's orgs
POST/organizationsCreate org
POST/access/checkCheck permission
POST/access/rolesCreate role
POST/access/assignmentsAssign role
POST/applicationsRegister application
POST/applications/:id/api-keysCreate API key
POST/oauth2/tokenGet OAuth token

Full API Reference →