Move the authentication stuff into it's own repository.

[asynts]

The idea is to run an authentication server (that deals with user passwords, etc.) in it's own process for security reasons.

The authentication stuff — I mean the stuff in src/Auth — should be moved into the authentication repository.

There must be some sort of API between the servers, as far as I know there wasn't a precise decision made yet.

The authentication stuff is mostly separate already, a direct copy won't be possible though, because this server would connect to a different database.

---

I already created my own repository and slowly start moving the stuff over, however, I don't have much time currently and likely won't be able to complete this in a reasonable amount of time.

[LionelBergen]

Is there a related discussion on the forums or anywhere?

[asynts]

It's scattered all over the place, mostly Discord I think. I can dig up some citations later.

[asynts]

https://discordapp.com/channels/634104110131445811/635510829499940912/676279545091063808

I couldn't find the mentioned forum post, it's probably has not been created yet. That's the best I found.

[ranolfi]

FYI: @misha130 is currently the project leader for codidact/authentication. This was first discussed in a voice call with @cellio's participation, and later more extensively via direct messages among Misha, @DoctaJonez (currently group leader for backend) and myself. Finally, we brought this up on the #backend channel (https://discordapp.com/channels/634104110131445811/635510829499940912/676894062007025707) to clarify some points, following go-ahead from #tech-lead-comms (https://discordapp.com/channels/634104110131445811/641360136908046336/676593669242880032).

The one reference on the forums that I'm able to link to right now is: https://forum.codidact.org/t/how-do-we-separate-distinct-communities/138/123?u=marc.2377.

In essence: A separate project, which will run as a separate service, in its own DB context, naturally (and in fact, it's own DB instance) and shall contain as much (and possibly, all) personally identifiable information as possible, so that both 'core' and the 'general management service') can have only a shallow knowledge about users. I also mentioned once that it "will probably run on a separate server, with stricter hardening and possibly auditing rules".

As always, you are all welcome (and encouraged!) to ping any of us should you require any additional context - which I'm sure will be the case :)

Edit: One possibly relevant forum thread: Storing PII securely.

[muhlemmer]

Hi, I've just came across your project. I've recently written up a Authentication API, with the purposes described here: isolate user sensitive data in its own user context. It emits cryptographic signed JSON web tokens, which is verifiable by relying services using the public keys.

Edit (forgot the link): https://github.com/moapis/authenticator

It uses gRPC and integration into this/any service can be done using protocol buffers generation.

My project is written in Go, but using protocol buffers it should easily integrate with your C# endpoints.

Full disclosure:

1. I really like your project, I want to help out. But I'm not a C# dev.
2. I've open sourced a bunch of my work, trying to get attention for new development contracts. Getting a use base for my projects would definitely help.

If you feel this proposal is inappropriate, I apologize. Just let me know and I'll delete.

[misha130]

Your proposal is not inappropriate, all input is welcome.

Also gRPC is great, I love gRPC.

But we opted out to use IdentityServer for the authentication project because:

1. It supports multiple clients, so if we have google auth or API auth its all easy to add.

2. It enables us many types of authentication, we are currently using auth_code with pkce which is nice.

3. Besides the API it also provides help in the UI (we have UI in the auth project)

4. Its battle tested and in security this is super important

But thank you for your support and for your input.

PS. Next time I'll be doing a back end on go I'll try out your project for sure