Authentication Mechanism

[ivanLOliveira]

Discuss Authentication Mechanism

Introduction

As part of our project, we need to finalize the authentication mechanism that will be used to secure our API endpoints. Authentication is a critical aspect of our application, ensuring that only authorized users can access certain functionalities and data.

Purpose

The purpose of this discussion is to evaluate different authentication mechanisms, weigh their pros and cons, and decide on the most suitable option for our project's needs.

Suggested Approach

I propose a hybrid approach to our authentication mechanism:

1. JWT (JSON Web Tokens) for WebApp User Authentication
2. API Keys for SDK Communication with the API

Details

1. JWT for WebApp User Authentication

   • Pros:
     • Stateless and scalable.
     • Widely used and supported.
     • Easy to implement and use across various platforms.
   • Cons:
     • Tokens can be large, leading to increased payload size.
     • Needs proper management of token expiration and renewal.
   • Use Case:
     • JWT is well-suited for authenticating users accessing our web application. It allows us to manage user sessions without storing session data on the server, making it more scalable.

2. API Keys for SDK Communication with the API

   • Pros:
     • Simple to implement.
     • Easy to understand and use.
     • Suitable for server-to-server communication.
   • Cons:
     • Less secure if not managed properly.
     • Harder to revoke or rotate keys.
     • Not suitable for user authentication.
   • Use Case:
     • API Keys can be used for authenticating SDKs communicating with our API. This method is straightforward and allows us to manage and monitor access by different SDKs effectively.

Proposed Discussion Points

• Security: How secure is each method in protecting our data and preventing unauthorized access?
• Scalability: Can the method handle a growing number of users and requests?
• Complexity: How complex is the implementation and maintenance of each method?
• Use Case Suitability: Which method best fits our specific use case and project requirements?

Give your feedback!

Please share your thoughts, experiences, and preferences regarding these authentication mechanisms. Consider the pros and cons listed above, and feel free to add any additional insights or options that may be relevant.

Let's aim to reach a consensus on the most suitable authentication mechanism for our project.

Labels: Authentication

[manuelpereiradiconium]

I think JWT+API keys is the best approach.
For security the only concern is on the API keys but given it is a server to server communication it should be enough in my opinion.
For the complexity I think these are the best methods for our system considering ease of use/security, basic auth would be simpler for example but much less secure.

[teixeped]

I also agree this would be the best approach and both Astro and NestJs can implement this fairly easily. Some suggestions:

• Using Astro middleware
• Using NestJs guards

[ivanLOliveira]

I like those finds they will come in handy for sure 👌