|
| 1 | +# 0. Template |
| 2 | + |
| 3 | +Date: 2025-02-14 |
| 4 | + |
| 5 | +## Status |
| 6 | + |
| 7 | +Accepted |
| 8 | + |
| 9 | +## Context |
| 10 | +Our application requires a secure authentication mechanism. We are considering replacing our current session-based authentication with OAuth2. |
| 11 | +With the OAuth2 based authentication we want to address the following problems: |
| 12 | + |
| 13 | +1. Our identity provider (Keycloak) has no control over application access after the initial login |
| 14 | +2. A session can last 12 hours or longer which gives an attacker a lot of time in case of a breach |
| 15 | +3. There is no interoperability between Neuris systems meaning users would have to authenticate for each system |
| 16 | +4. The OAuth2 concept as we used it was misused since a client was used instead of a resource server |
| 17 | + |
| 18 | +## Decision |
| 19 | +We have decided to implement OAuth2 for authentication instead of continuing with session-based authentication. |
| 20 | +In detail this means: |
| 21 | +- In our setup the frontend will serve as a OAuth2 client while the backend serves as a resource server |
| 22 | + - Thus, Keycloak regains control over application access |
| 23 | + - A token only lasts 1 minute reducing the impact on theft while still keeping the app usable |
| 24 | +- We will use the OAuth2 authentication code flow with PKCE |
| 25 | + - PKCE is necessary since we don't have a confidential client which could be used with a client secret |
| 26 | +- We will use Keycloak.js as client library because it is |
| 27 | + - lightweight |
| 28 | + - focused on what we need |
| 29 | + - is directly maintained by RedHat together with the Keycloak app. |
| 30 | +- The backend uses the Spring Boot standard library for OAuth2 Resource Server which is recommended by the Keycloak developers |
| 31 | +- We use JWTs (Java Web Token) |
| 32 | + - Which works without introspection (as opposed to opaque tokens) thus, we need fewer network calls |
| 33 | + - There is no sensitive data in the token we would have to obfuscate |
| 34 | +- A threat modelling workshop is held to understand possible threats coming from this change |
| 35 | + |
| 36 | +## Consequences |
| 37 | +### Positive: |
| 38 | +1. Since the frontend now handles the tokens developers have to keep in mind to keep the token in memory within a closure |
| 39 | +2. The frontend has to be served before authentication thus allowing URLs serving the frontend while not exposing any sensitive URLs |
| 40 | + |
| 41 | +### Negative: |
| 42 | +1. Redis is removed since our authentication setup is now stateless and Redis was only used to synchronize state between pods |
| 43 | + |
| 44 | +## Alternatives Considered |
| 45 | +1. Continuing with Session-Based Authentication: While simpler to implement, it lacks the scalability and interoperability offered by OAuth2 |
| 46 | +2. BFF pattern or various proxys: The idea was rejected since it would add an extra service to maintain while not substantially offering additional security |
0 commit comments