Version 11
Questions
- Session Auth versus JWT Auth for the browser front end?
  - Consideration: converging on a single auth mechanism (OAuth + JWT) for mobile apps, browser apps, and external apps may result in a simpler implementation for API developers.
  - If JWT:
    - Store JWT tokens in cookies or in localStorage? (An HttpOnly cookie keeps the token out of reach of page scripts; localStorage does not.)
    - If cookies: do we need backend middleware that retrieves and validates the JWT from the cookie before Django's authentication middleware runs?
- Security (to be answered)
  - What are the security repercussions of the Implicit Grant and how do we protect against them?
    - For example: the OAuth client ID of a browser app is visible in its JavaScript, so what redirect URL registration and matching rules are needed to stop a third party from using that client ID to obtain tokens?
  - How do we revoke a token once it has been issued?
    - Example patterns: blacklists (a deny-list of token IDs), versioned tokens (a per-user version that invalidates all earlier tokens when bumped), API gateway translation (the client holds an opaque key; the API gateway translates it into a JWT for the service).
  - Is it okay for clients to inspect the JWT payload for information, or should they treat JWTs as effectively opaque?
    - Decision: Yes, clients can inspect the payload in order to avoid additional backend calls for "simple" data such as the username. The backend still verifies the signature and makes all authorization decisions; the client's read is for display only.
- OAuth scopes design
  - Should scopes include end-user permissions as well as the application's limitations?
  - How are scopes defined and managed? Feature-based or service-based?
- Auth service
  - Should we use an off-the-shelf auth service/library, such as Auth0 or Keycloak?
  - How much centralized knowledge does the auth service in the LMS have or need?
  - Should we invest now in separating out this service?
Resources