Karma LMS supports multiple authentication strategies and a role-based access control system. This page covers how to configure your authentication method, connect an identity provider, and manage user roles and sessions.

Supported authentication methods

Username and password

Built-in credential-based login. Suitable for smaller deployments where you manage users directly in Karma LMS.

SSO (SAML / OAuth 2.0)

Delegate authentication to an external identity provider such as Okta, Azure AD, Google Workspace, or any SAML 2.0 / OAuth 2.0 compliant IdP.

Token-based (JWT)

Issue and validate JSON Web Tokens for API access and headless or embedded LMS integrations.

Configuring authentication

1. Set authDomain in environment.ts

Open src/environments/environment.ts and set authDomain to your identity provider’s domain:
src/environments/environment.ts
export const environment = {
  production: false,
  apiBaseUrl: 'http://localhost:3000/api',
  authDomain: 'karma-lms.auth0.com',
  appTitle: 'Karma LMS'
};
For production, update environment.prod.ts with your production IdP domain.
2. Configure your identity provider

Register Karma LMS as an application in your identity provider. The required values depend on your auth method. For OAuth 2.0 / OIDC, configure the following in your provider:

Setting                 Value
Allowed callback URL    https://yourdomain.com/auth/callback
Allowed logout URL      https://yourdomain.com/logout
Allowed web origins     https://yourdomain.com
Grant type              Authorization Code with PKCE

src/app/auth/auth.config.ts
import { environment } from '../../environments/environment';

export const authConfig = {
  domain: environment.authDomain,
  clientId: 'YOUR_CLIENT_ID', // replace with the client ID issued by your IdP
  authorizationParams: {
    redirect_uri: window.location.origin + '/auth/callback',
    scope: 'openid profile email'
  }
};
3. Map user roles

Karma LMS uses three built-in roles. Map the claims or groups from your IdP to these roles in your backend configuration:
role-mapping.json
{
  "roleMappings": [
    { "idpGroup": "lms-admins", "karmaRole": "admin" },
    { "idpGroup": "lms-instructors", "karmaRole": "instructor" },
    { "idpGroup": "lms-learners", "karmaRole": "learner" }
  ]
}
If you use username/password auth, roles are assigned directly to users in the Karma LMS admin panel under Users → Edit user → Role.
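The following is an added example (not Karma LMS code) of how a backend might resolve an IdP user's groups to a single Karma LMS role using the role-mapping.json structure above. It assumes two policies the page does not state: a user matching several mappings gets the most privileged matched role, and a user matching none gets no role at all (default deny).

```typescript
type KarmaRole = 'admin' | 'instructor' | 'learner';

interface RoleMapping {
  idpGroup: string;
  karmaRole: KarmaRole;
}

// Constructed to mirror role-mapping.json from the page; in practice this is
// loaded from the backend configuration file.
export const roleMappings: RoleMapping[] = [
  { idpGroup: 'lms-admins', karmaRole: 'admin' },
  { idpGroup: 'lms-instructors', karmaRole: 'instructor' },
  { idpGroup: 'lms-learners', karmaRole: 'learner' },
];

// Assumed precedence when several groups match: higher rank wins.
const ROLE_RANK: Record<KarmaRole, number> = { learner: 1, instructor: 2, admin: 3 };

// Resolve the IdP group claim (e.g. the "groups" claim in an OIDC ID token)
// to exactly one Karma LMS role. Returns null when no mapping matches, which
// the caller should treat as "no access" rather than falling back to learner.
export function resolveRole(
  idpGroups: readonly string[],
  mappings: readonly RoleMapping[] = roleMappings,
): KarmaRole | null {
  // Index once so group lookup is exact-match, case-sensitive and O(1).
  const byGroup = new Map(mappings.map(m => [m.idpGroup, m.karmaRole]));
  let best: KarmaRole | null = null;
  for (const group of idpGroups) {
    const role = byGroup.get(group);
    if (role !== undefined && (best === null || ROLE_RANK[role] > ROLE_RANK[best])) {
      best = role;
    }
  }
  return best;
}
```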

Role-based access control

Karma LMS enforces access at the route and API level based on the authenticated user’s role.
Feature                          Admin   Instructor   Learner
Manage users and roles           Yes     No           No
Create and publish courses       Yes     Yes          No
Edit their own courses           Yes     Yes          No
View all learner progress        Yes     Yes          No
Enroll learners in courses       Yes     Yes          No
Access assigned courses          Yes     Yes          Yes
Complete lessons and quizzes     Yes     Yes          Yes
View personal progress report    Yes     Yes          Yes
Access admin dashboard           Yes     No           No
Manage system settings           Yes     No           No

Angular route guards (AuthGuard, RoleGuard) enforce these permissions on the frontend. Backend API endpoints perform a secondary role check on every request.

Session management

Token expiry

Karma LMS uses short-lived access tokens combined with longer-lived refresh tokens. Default durations:
Token                          Default expiry
Access token                   60 minutes
Refresh token                  7 days
Remember me (refresh token)    30 days

You can adjust these values in the backend authentication configuration or in your IdP’s application settings.

Refresh token rotation

Karma LMS rotates refresh tokens on each use. If a previously issued refresh token is presented (indicating a possible token theft), the session is immediately invalidated and the user is signed out.
src/app/auth/token-interceptor.ts
import { Injectable } from '@angular/core';
import {
  HttpErrorResponse, HttpEvent, HttpHandler, HttpInterceptor, HttpRequest
} from '@angular/common/http';
import { Observable, throwError } from 'rxjs';
import { catchError, switchMap } from 'rxjs/operators';
import { AuthService } from './auth.service'; // path assumed; adjust to your project

// The HTTP interceptor automatically attaches the access token
// and handles 401 responses by attempting a token refresh.
@Injectable()
export class TokenInterceptor implements HttpInterceptor {
  constructor(private readonly authService: AuthService) {}

  intercept(req: HttpRequest<unknown>, next: HttpHandler): Observable<HttpEvent<unknown>> {
    return next.handle(this.attachToken(req)).pipe(
      catchError((error: HttpErrorResponse) => {
        if (error.status === 401) {
          // Refresh once, then replay the original request with the new token.
          // If the refresh itself fails, its error propagates to the caller.
          return this.authService.refreshToken().pipe(
            switchMap(() => next.handle(this.attachToken(req)))
          );
        }
        return throwError(() => error);
      })
    );
  }

  // Clone the request with the current access token, if one is available.
  private attachToken(req: HttpRequest<unknown>): HttpRequest<unknown> {
    const token = this.authService.getAccessToken();
    return token
      ? req.clone({ setHeaders: { Authorization: `Bearer ${token}` } })
      : req;
  }
}
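The refresh token rotation and reuse detection described above, as an added server-side example that is not Karma LMS code. It assumes an in-memory store (a real backend would persist records), a 7-day refresh lifetime as in the defaults table, and a "session" identifier grouping every token issued for one login so that a replayed token ends the whole session.

```typescript
import { randomBytes } from 'crypto';

interface RefreshRecord {
  sessionId: string;  // all tokens issued for one login share a session
  used: boolean;      // set once the token has been exchanged
  expiresAt: number;  // epoch milliseconds
}

export const REFRESH_TTL_MS = 7 * 24 * 60 * 60 * 1000; // 7 days

export class RefreshTokenStore {
  private tokens = new Map<string, RefreshRecord>();
  private revokedSessions = new Set<string>();

  // Called at login: issues the first refresh token of a new session.
  issue(sessionId: string, now: number = Date.now()): string {
    const token = randomBytes(32).toString('base64url');
    this.tokens.set(token, { sessionId, used: false, expiresAt: now + REFRESH_TTL_MS });
    return token;
  }

  // Exchange a refresh token for the next one. Returns null when the
  // caller must treat the session as ended and sign the user out.
  rotate(presented: string, now: number = Date.now()): string | null {
    const rec = this.tokens.get(presented);
    if (!rec) return null;                                  // unknown token
    if (this.revokedSessions.has(rec.sessionId)) return null;
    if (rec.used) {
      // A token already exchanged is being presented again: possible theft.
      // Invalidate every token in the session, including the newest one.
      this.revokeSession(rec.sessionId);
      return null;
    }
    if (rec.expiresAt <= now) {
      this.revokeSession(rec.sessionId);                    // expired chain
      return null;
    }
    rec.used = true;                                        // records kept for audit
    return this.issue(rec.sessionId, now);
  }

  // "Revoke all sessions" for a user would call this for each of their sessions.
  revokeSession(sessionId: string): void {
    this.revokedSessions.add(sessionId);
  }

  isSessionActive(sessionId: string): boolean {
    return !this.revokedSessions.has(sessionId);
  }
}
```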
All Karma LMS API endpoints require a valid bearer token. Requests without a token, or with an expired token that cannot be refreshed, receive a 401 Unauthorized response and the user is redirected to the login page.
If your Karma LMS API is hosted on a different domain than the frontend, you must configure CORS on the API server to allow requests from the frontend origin. Without this, browser preflight requests will fail and authentication will not work.
cors configuration (Node.js / Express example)
const express = require('express');
const cors = require('cors');

const app = express();

// Allow only the Karma LMS frontend origin. credentials: true lets the browser
// send cookies or other credentials on cross-origin requests; a wildcard
// origin is not permitted when it is set.
app.use(cors({
  origin: 'https://app.yourdomain.com',
  methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
  allowedHeaders: ['Authorization', 'Content-Type'],
  credentials: true
}));
For other backends, consult your framework’s CORS documentation.

Frequently asked questions

Username/password auth: An admin can trigger a password reset from the admin panel under Users → Select user → Reset password. This sends a reset link to the user’s registered email address.

SSO auth: Password resets are handled entirely by your identity provider. Direct the user to your IdP’s self-service portal (e.g., the Okta or Azure AD end-user dashboard). Karma LMS does not manage IdP credentials.

If the reset email is not received, check that the Karma LMS backend has a valid SMTP configuration and that the user’s email address is correct.

Follow the steps in the Configuring authentication section above. In summary:
  1. Set authDomain in environment.ts to your IdP domain.
  2. Register Karma LMS as an OAuth 2.0 / OIDC or SAML 2.0 application in your IdP.
  3. Supply the callback and logout URLs from the table above.
  4. Configure role mappings so IdP groups map to Karma LMS roles.
  5. Rebuild and deploy: ng build --configuration production.
Contact your IdP’s support team if you need help obtaining client IDs, secrets, or metadata URLs specific to their platform.
Immediate revocation: Deactivate or delete the user in the Karma LMS admin panel under Users → Select user → Deactivate. Active sessions using a valid access token will continue to work until the token expires (up to 60 minutes). Refresh tokens for deactivated users are rejected immediately.

SSO users: You must also revoke the session in your identity provider. Karma LMS relies on the IdP for authentication; revoking only in Karma LMS prevents new logins but does not terminate an existing IdP session.

Force sign-out: To immediately terminate all sessions for a user, revoke their refresh tokens from the admin panel under Users → Select user → Revoke all sessions.
