# ADR-004: OIDC-Based Identity with Server-Side Authorization

## Status
Accepted (Extended by ADR-008)

## Date
2026-02-21

## Author
GPUaaS Core Team

## Context
The public-facing platform requires robust authentication and policy-based authorization, with tenant/project scopes expected in the future.
Upcoming app integrations also require machine identities (service accounts) under the same policy model.

## Decision
Use an OIDC-compatible identity provider for authentication, and enforce authorization server-side with role- and tenant-aware policy checks.
Machine identities (service accounts) follow the same server-side authorization discipline, with project-scoped permissions.

## Consequences
- Secure baseline for public access and enterprise expansion.
- Requires policy model discipline and authz test coverage.
- Supports future org/project hierarchy without auth redesign.
- Provides a consistent path for human and machine actors under one authorization framework.
- Tenant/project ownership and membership model details are defined in ADR-008.

## Alternatives Considered
- Custom auth-only JWT stack: rejected for security and lifecycle burden.
- Client-side authz assumptions: rejected as insecure.
