Team, we're at a crossroads on the security architecture for our new system. We need to decide between two distinct approaches:
Option A: A simple, self-managed JWT system. In this model, we build our own authentication logic. A user logs in with credentials, our server generates a signed JWT containing their identity and permissions, and sends it back. Our APIs would then be responsible for validating this token on every request. This is a stateless, self-contained approach strictly for our own internal clients.
Option B: A centralized OAuth 2.0 framework. In this model, we use a dedicated authorization server (like Okta, Keycloak, or another provider). Our applications would redirect users to this server for login and consent. The server would then issue tokens that our APIs consume. This standardizes our security and prepares us for future needs like third-party app integration or microservices.
Ideas?
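One thing worth weighing for Option A is how much the "our APIs validate the token on every request" sentence hides. The example below is added here and is not code from the post or from any of the providers it names; it is a stdlib-only HS256 issue/verify pair whose function names, key, issuer and audience values are all constructed for illustration. It shows the checks every one of our APIs would have to get right on its own (pinned algorithm, constant-time signature check before any claim is read, `exp`, `iss` and `aud`), which is exactly the code an authorization server plus a vetted client library would take off our plate in Option B.

```python
"""Added example (not from the post): the per-request validation Option A puts on each API.
Stdlib-only HS256 so it runs offline; all names and values are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class TokenError(Exception):
    """Raised for any token the API must refuse."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    text += "=" * (-len(text) % 4)  # restore the padding JWT strips
    return base64.urlsafe_b64decode(text.encode("ascii"))


def _json_b64(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(key: bytes, subject: str, perms: list, issuer: str,
                audience: str, ttl: int, now: Optional[int] = None) -> str:
    """Login-server side: sign identity plus permissions with a short lifetime."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "perms": perms, "iss": issuer, "aud": audience,
              "iat": now, "exp": now + ttl}
    signing_input = f"{_json_b64(header)}.{_json_b64(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(key: bytes, token: str, issuer: str, audience: str,
                 now: Optional[int] = None) -> dict:
    """API side: every request must pass all of these before any claim is used."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError("undecodable header or signature") from exc
    # The header is untrusted input: pin the algorithm server-side instead of
    # honouring whatever "alg" the token announces ("none" included).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time compare, and signature before claims: unsigned data is noise.
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    try:
        claims = json.loads(_b64url_decode(claims_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError("undecodable claims") from exc
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise TokenError("missing or past exp")
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    if claims.get("aud") != audience:  # a token for one API must not open another
        raise TokenError("wrong audience")
    return claims


def demo() -> dict:
    """Run the checks against constructed tokens; returns the reason each was refused."""
    key = b"constructed-demo-key-use-a-random-256-bit-secret-in-production"
    iss, aud, t0 = "https://login.example.internal", "orders-api", 1_700_000_000
    token = issue_token(key, "alice", ["orders:read"], iss, aud, 300, now=t0)
    results = {"valid_sub": verify_token(key, token, iss, aud, now=t0 + 60)["sub"]}
    hdr, body, sig = token.split(".")
    edited = json.loads(_b64url_decode(body))
    edited["perms"].append("orders:admin")  # claims changed, old signature kept
    attempts = {
        "tampered_claims": f"{hdr}.{_json_b64(edited)}.{sig}",
        "alg_none": f"{_json_b64({'alg': 'none', 'typ': 'JWT'})}.{body}.",
        "expired": token,      # verified with a clock past exp
        "other_api": token,    # verified by an API with a different audience
    }
    clocks = {"expired": t0 + 301}
    audiences = {"other_api": "billing-api"}
    for name, tok in attempts.items():
        try:
            verify_token(key, tok, iss, audiences.get(name, aud), now=clocks.get(name, t0 + 60))
            results[name] = "accepted"
        except TokenError as exc:
            results[name] = str(exc)
    return results
```

Calling `demo()` returns the subject of the one good token and the refusal reason for each of the four bad ones. The point for the decision: in Option A this function, or one equivalent to it, has to exist and stay correct in every API we ship, with key distribution and rotation handled by us as well; in Option B the same checks still happen, but inside the provider's library against keys the authorization server publishes, which is most of what "standardizes our security" actually buys.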