Questions

  • Session Auth versus JWT Auth for Browser FE?
    • Consideration: converging on a single Auth (OAuth+JWT) for mobile apps, browser apps, and external apps may result in a simpler implementation for API developers.
    • If JWT
      • Store JWTs in session cookies or in localStorage?
        • If cookies: backend middleware that retrieves the JWT from the session cookie before Django's authentication middleware runs?
      • Security (To be answered)
        • What are security repercussions of Implicit Grant and how to protect against them?
          • For example, how should the redirect URL be restricted to protect against misuse of the OAuth client ID, which can be retrieved from the JS?
        • How do we revoke a token once it's been given out?
          • Example patterns: blacklists, versioned tokens, API gateway translation (opaque keys from client, API gateway translates into JWT to service)
      • Is it okay for clients to inspect the JWT payload for information, or should they treat JWTs as effectively opaque?
        • Decision: Yes, clients can inspect in order to avoid additional calls to the backend for "simple" data such as username.
  • OAuth Scopes design
    • Should it include end-user permissions as well as the application's limitations?
      • If yes, how do we separate ownership between microservices and the centralized auth service?
      • Decision: No. See API Authorization Notes
    • How are scopes defined/managed? Feature-based or service-based?
  • Auth Service
    • Should we use an off-the-shelf Auth service/library, such as Auth0 or KeyCloak?
    • How much centralized knowledge does the Auth service in LMS have/need?
      • Should we invest now in separating out this service?
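
The two revocation patterns listed under "How do we revoke a token once it's been given out?" (a blacklist of token ids, and versioned tokens), worked through in code. This is an added example, not code from this project: it uses a stdlib-only HS256 JWT mint/verify routine and a constructed in-memory `RevocationStore` (the `jti` and `ver` claim names and the store itself are assumptions) so it runs offline; a real deployment would back the store with a database or cache.

```python
import base64, hashlib, hmac, json, time

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(secret: bytes, sub: str, jti: str, ver: int, ttl: int = 3600, now=None) -> str:
    """Mint an HS256 JWT carrying a unique id (jti) and the user's current token version (ver)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": sub, "jti": jti, "ver": ver, "iat": now, "exp": now + ttl}
    signing_input = ".".join(_b64url(json.dumps(x, separators=(",", ":")).encode())
                             for x in ({"alg": "HS256", "typ": "JWT"}, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

class RevocationStore:
    """Constructed in-memory stand-in for the state each pattern needs (a DB or cache in practice)."""
    def __init__(self):
        self.blacklist = set()   # pattern 1: individual jti values revoked before they expire
        self.versions = {}       # pattern 2: sub -> current version; bumping it invalidates every older token

    def revoke_jti(self, jti: str) -> None:
        self.blacklist.add(jti)

    def bump_version(self, sub: str) -> None:
        self.versions[sub] = self.versions.get(sub, 0) + 1

def verify_token(secret: bytes, token: str, store: RevocationStore, now=None):
    """Return (claims, "ok") if the token is signed, unexpired and not revoked, else (None, reason)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None, "bad signature"
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:                      # wrong segment count, bad base64 or bad JSON
        return None, "malformed"
    if header.get("alg") != "HS256":        # the verifier fixes the algorithm; it never trusts the header's
        return None, "unexpected alg"
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None, "expired"
    if claims.get("jti") in store.blacklist:
        return None, "revoked: blacklisted jti"
    if claims.get("ver") != store.versions.get(claims.get("sub"), 0):
        return None, "revoked: stale token version"
    return claims, "ok"
```

The blacklist only has to hold entries until their `exp` passes, while a version bump costs one integer per user but revokes every token that user holds, which is the trade-off between the two patterns.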

Resources