Questions
- Session Auth versus JWT Auth for Browser FE?
  - Consideration: converging on a single Auth (OAuth+JWT) for mobile apps, browser apps, and external apps may result in a simpler implementation for API developers.
  - If JWT: store JWT tokens in session cookies or in LocalStorage?
    - If cookies: backend middleware to retrieve the JWT token from the session cookie before the Django Authentication middleware?
- Security (To be answered)
  - What are the security repercussions of Implicit Grant and how do we protect against them?
    - For example, what should the Redirect URL be to protect against misuse of retrieving the OAuth Client ID from JS?
  - How do we revoke a token once it's been given out?
    - Example patterns: blacklists, versioned tokens, API gateway translation (opaque keys from client, API gateway translates into JWT to service)
  - Is it okay for clients to inspect the JWT payload for information, or should they treat JWTs as effectively opaque?
    - Decision: Yes, clients can inspect in order to avoid additional calls to the backend for "simple" data such as username.
- OAuth Scopes design
  - Should it include end-user permissions as well as the application's limitations?
    - If yes, how do we separate ownership between microservices and the centralized auth service?
    - Decision: No. See API Authorization Notes.
  - How are scopes defined/managed? Feature-based or service-based?
- Auth Service
  - Should we use an off-the-shelf Auth service/library, such as Auth0 or Keycloak?
  - How much centralized knowledge does the Auth service in LMS have/need?
  - Should we invest now in separating out this service?
Resources
- https://auth0.com/blog/5-steps-to-add-modern-authentication-to-legacy-apps-using-jwts/
- https://auth0.com/docs/quickstart/backend/django
- https://nordicapis.com/decouple-user-identity-from-api-design-to-build-scalable-microservices/
- OAuth RFC
...