From 61d9e6bd5c08179f090490cd3e1669d8b44b551c Mon Sep 17 00:00:00 2001 From: Colin Flanagan Date: Thu, 12 Sep 2019 09:49:14 -0400 Subject: [PATCH 1/2] Initial thoughts --- recommendations/details/customer_facing_auth.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 recommendations/details/customer_facing_auth.md diff --git a/recommendations/details/customer_facing_auth.md b/recommendations/details/customer_facing_auth.md new file mode 100644 index 0000000..100ca7e --- /dev/null +++ b/recommendations/details/customer_facing_auth.md @@ -0,0 +1,12 @@ +# Customer Auth for public-facing website and App + +## Current State +- The Moda website currently uses a combination of [Devise](https://github.com/plataformatec/devise) and [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) to provide authentication and tokens to customers. +- There are some limited authorization functionality such as private trunkshows. + +## Migrating to Identity as a Service (such as Auth0) +- Decrease internal security threat profile +- Anomaly-detection and Bot protection utilities +- Potentially enhance authorization features to customers. For example, VIP customers could be given access to view/purchase items not on the site, private trunkshows, etc. +- Authorization can be done in a session-less manner. +- It will cost more From 11a06c7f0e31d72b8a6777fe769b05ed62992379 Mon Sep 17 00:00:00 2001 From: Colin Flanagan Date: Thu, 16 Apr 2020 09:53:46 -0400 Subject: [PATCH 2/2] notes on auth for internal apps --- recommendations/details/internal_auth.md | 34 ++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 recommendations/details/internal_auth.md diff --git a/recommendations/details/internal_auth.md b/recommendations/details/internal_auth.md new file mode 100644 index 0000000..4760bce --- /dev/null +++ b/recommendations/details/internal_auth.md 
@@ -0,0 +1,34 @@ +# Authentication and authorization for internal users and applications +- Pink, Pumo and Stylist Suite currently uses a combination of [Devise](https://github.com/plataformatec/devise) and [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) to provide authentication and tokens to admin users. +- Users are assigned roles that are composed of fine-grained permissions +- Validating a user request against their permissions requires a DB request +- Very little separation between users and customers +- Currently not using scopes for access control +- Missing OIDC features like audiences, JWT and UserInfo endpoint (could be enabled through Doorkeeper extensions) + +# AWS Elastic Load Balance and API Gateway +- support vanilla OIDC providers +- simpler since microservice endpoints only need to think about tokens and not the entire auth flow + +# GSuite as an identity provider +- All employees are GSuite users +- Easy to provision/ deprovision +- Difficult to assign roles and persist them in JWT +- What about third parties that are not in Gsuite? + +# JSON Web Tokens +- cryptographically signed +- decentralized +- can be inspected (in a web browser, for example) + +# Identity as a Service +## Auth0 + - Used by Vendor Portal + - Supports enterprise integrations (GSuite) + - security certifications + - Audit trail + - Many more things +## Cognito + - Supports any OIDC identity provider + - Provided Auth primitives as opposed to a polished Auth product +
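Review bot: the "Migrating to Identity as a Service" list in customer_facing_auth.md says nothing about how existing customers move over, even though the Current State section says Devise holds the credentials and Doorkeeper issues the tokens today. Add a migration bullet stating whether the provider can import Devise password hashes or whether every customer is forced through a reset, and what happens to outstanding Doorkeeper tokens at cutover. Two smaller points in the same list: "Authorization can be done in a session-less manner" is not a gain from IDaaS, since Doorkeeper bearer tokens are already session-less, and "Decrease internal security threat profile" should name the threat being reduced (e.g. no longer storing and verifying customer password hashes in-house) so it can be weighed against "It will cost more". The list also mixes benefits and the one drawback; a "Costs / risks" sub-list would read more clearly.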
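Review bot: internal_auth.md lists "Validating a user request against their permissions requires a DB request" as a problem and "Difficult to assign roles and persist them in JWT" as a GSuite drawback, but never settles how the fine-grained permissions would be carried, and the "JSON Web Tokens" section omits the trade-off that justifies that DB lookup: a signed token cannot be revoked or have its roles changed before it expires, so moving permissions into the JWT trades the per-request query for stale authorization until expiry. Add a bullet giving the intended token lifetime and how permission changes or deprovisioning ("Easy to provision/ deprovision") take effect before it. "can be inspected (in a web browser, for example)" should note the flip side as well: the payload is only base64url-encoded, not encrypted, so no secrets or unnecessary PII belong in the claims. Smaller points: "could be enabled through Doorkeeper extensions" should name the extension (doorkeeper-openid_connect adds ID tokens and the UserInfo endpoint), "What about third parties that are not in Gsuite?" is an open question sitting in a list of findings and should be marked as such, and this file uses "#" for every section while customer_facing_auth.md nests sections under "##"; make the sections "##" under the title for consistency.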