From 61d9e6bd5c08179f090490cd3e1669d8b44b551c Mon Sep 17 00:00:00 2001 From: Colin Flanagan Date: Thu, 12 Sep 2019 09:49:14 -0400 Subject: [PATCH 1/2] Initial thoughts --- recommendations/details/customer_facing_auth.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 recommendations/details/customer_facing_auth.md diff --git a/recommendations/details/customer_facing_auth.md b/recommendations/details/customer_facing_auth.md new file mode 100644 index 0000000..100ca7e --- /dev/null +++ b/recommendations/details/customer_facing_auth.md @@ -0,0 +1,12 @@ +# Customer Auth for public-facing website and App + +## Current State +- The Moda website currently uses a combination of [Devise](https://github.com/plataformatec/devise) and [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) to provide authentication and tokens to customers. +- There are some limited authorization functionality such as private trunkshows. + +## Migrating to Identity as a Service (such as Auth0) +- Decrease internal security threat profile +- Anomaly-detection and Bot protection utilities +- Potentially enhance authorization features to customers. For example, VIP customers could be given access to view/purchase items not on the site, private trunkshows, etc. +- Authorization can be done in a session-less manner. +- It will cost more From d723c1b8bbd2ead084b87c20d365962a6f395d36 Mon Sep 17 00:00:00 2001 From: Colin Flanagan Date: Thu, 12 Sep 2019 10:12:25 -0400 Subject: [PATCH 2/2] Initial work --- recommendations/details/internal_auth.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 recommendations/details/internal_auth.md diff --git a/recommendations/details/internal_auth.md b/recommendations/details/internal_auth.md new file mode 100644 index 0000000..63ad087 --- /dev/null +++ b/recommendations/details/internal_auth.md 
@@ -0,0 +1,22 @@ +# Authentication and authorization for internal users and applications +- Pink, Pumo and Stylist Suite currently uses a combination of [Devise](https://github.com/plataformatec/devise) and [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) to provide authentication and tokens to customers. +- In many cases, every HTTP request is validated via a database request + +# AWS Elastic Load Balance and API Gateway +- support vanilla OIDC providers +- simpler since microservice endpoints only need to think about tokens and not the entire auth flow + +# GSuite as an authentication provider +- All employees are GSuite users +- Easy to provision/ deprovision +- Difficult to assign roles and persist them in JWT +- What about third parties that are not in Gsuite? + +# Identity as a Service (Auth0) +- Supports enterprise integrations (GSuite) +- security certifications +- Audit trail + +# Other microservice architectures +- Kubernetes +- Service mesh approaches (Istio, ...)
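Review bot: in the customer_facing_auth.md hunk, the "Migrating to Identity as a Service" list leaves its two security claims unsupported and mixes them with a cost line, so the benefits do not stand on their own. "Decrease internal security threat profile" should say which risks actually move to the provider (credential storage and password hashing, handling of brute-force and credential-stuffing attempts, which is presumably what the "Anomaly-detection and Bot protection utilities" bullet covers) and which stay with the Moda site (the authorization decisions such as who may view a private trunkshow, and validating the tokens the provider issues). "Authorization can be done in a session-less manner" needs a caveat: a token that is not checked against server state cannot be revoked before it expires, so the plan should state the intended token lifetime and how logout and account deprovisioning are handled. The hunk also has no migration section; "Current State" says accounts live in Devise, so the document should say what happens to existing users and their password hashes (import versus forced reset) and how Doorkeeper-issued tokens are retired during the cutover. Minor: "There are some limited authorization functionality" should read "There is some limited authorization functionality".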
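Review bot: in the internal_auth.md hunk, the first bullet says Pink, Pumo and Stylist Suite "provide authentication and tokens to customers", which looks copied from customer_facing_auth.md; these are internal applications, so it should say internal users (and "currently uses" should be "currently use"). The second bullet, "every HTTP request is validated via a database request", is the problem the rest of the file is meant to solve, yet the "GSuite as an authentication provider" section only notes that roles are "Difficult to assign roles and persist them in JWT" without saying where role data would come from instead; if the answer is an application-side lookup keyed on the token's subject or email, that reintroduces the per-request database hit, so each option should state where roles are stored and when they are read. The "AWS Elastic Load Balance and API Gateway" section should spell out what a microservice still has to check when it "only need[s] to think about tokens" (signature, issuer, audience and expiry at minimum), and the product name is Elastic Load Balancing, specifically the Application Load Balancer. "What about third parties that are not in Gsuite?" is raised and left open; the "Supports enterprise integrations (GSuite)" bullet under Auth0 is the natural place to answer it. "Other microservice architectures" lists Kubernetes and service meshes, which are not authentication providers; clarify whether that section is about service-to-service identity rather than user login, since the file's title covers both "internal users and applications". Style: customer_facing_auth.md uses one "#" title with "##" sections, whereas this file uses "#" for every section; pick one convention for the recommendations/details directory.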