From d6445a463a8b1983e1a5abdbfb26895d3709062c Mon Sep 17 00:00:00 2001
From: Daniel Fernandes <danieljosephfernandes@gmail.com>
Date: Thu, 12 Feb 2026 13:48:38 +0000
Subject: [PATCH] Add docs/tutorials/local-auth.md

---
 docs/tutorials/local-auth.md | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 docs/tutorials/local-auth.md

diff --git a/docs/tutorials/local-auth.md b/docs/tutorials/local-auth.md
new file mode 100644
index 0000000000..851968db16
--- /dev/null
+++ b/docs/tutorials/local-auth.md
@@ -0,0 +1,16 @@
+# Run Auth Locally
+
+BlueAPI can be secured using OIDC authenticaiton. For development it can be useful to run a containerised version of the OIDC stack, to serve a local instance of BlueAPI.
+
+To run the stack:
+
+1. In the root directory run `git submodule update --init --recursive` to initialise the example-services repo
+2. Run `docker compose up -d` to launch an instance of NumTracker, RabbitMQ, Keycloak, Tiled, OPA and a number of IOCs, in detached mode
+3. Run `blueapi -c tests/system_tests/config.yaml serve` to launch BlueAPI configured to use the launched stack. This may take a while, as BlueAPI will attempt to connect to a number of devices via Channel Access
+
+To log in through the BlueAPI CLI:
+
+1. Run `blueapi -c tests/system_tests/config.yaml login`
+2. Follow the login prompt to Keycloak, then log in with the username `admin` and password `admin`
+3. When promped by Keycloak, grant BlueAPI access to the listed privileges
+4. Run `blueapi controller plans` to check that the log in has succeeded