# Phase 15: External Authentication - Discussion Log

> **Audit trail only.** Do not use as input to planning, research, or execution agents.
> Decisions are captured in CONTEXT.md — this log preserves the alternatives considered.

**Date:** 2026-04-04
**Phase:** 15-external-authentication
**Areas discussed:** Auth Provider Choice, Session Migration Strategy, Login Flow UX, Existing User Migration
**Mode:** --auto --batch (all decisions auto-selected)

---

## Auth Provider Choice

| Option | Description | Selected |
|--------|-------------|----------|
| Logto | Lightweight, purpose-built auth, no Redis, first-class OIDC, simpler deployment | ✓ |
| Authentik | Full IdP suite, more features but heavier, may need Redis, more complex setup | |

**User's choice:** Logto (auto-selected)

**Notes:** Matches the project's "no Redis" out-of-scope constraint. Logto is simpler to deploy and maintain for a single-app use case.

---

## Session Migration Strategy

| Option | Description | Selected |
|--------|-------------|----------|
| Replace with OIDC session management | Logto handles sessions; remove the users/sessions tables from GearBox | ✓ |
| Hybrid — keep GearBox sessions populated from OIDC | Validate OIDC on login, create a local session for subsequent requests | |
| Token-only — validate OIDC token on every request | No local sessions; every request validates against Logto | |

**User's choice:** Replace with OIDC session management (auto-selected)

**Notes:** Simplifies the codebase by removing credential management from GearBox entirely. API keys remain as the programmatic access path.

---

## Login Flow UX

| Option | Description | Selected |
|--------|-------------|----------|
| Redirect to Logto login page | Standard OIDC redirect; Logto handles the UI for login/register/reset | ✓ |
| Embedded login form via Logto SDK | Use Logto's SDK to render login inline within GearBox | |

**User's choice:** Redirect to Logto login page (auto-selected)

**Notes:** Standard OIDC pattern. More secure, less maintenance — Logto owns the login/registration UX.

---

## Existing User Migration

| Option | Description | Selected |
|--------|-------------|----------|
| Manual re-registration on Logto | User creates an account on Logto; a migration script links it to GearBox data | ✓ |
| Automated import from GearBox users table | Script creates Logto users from existing credentials | |

**User's choice:** Manual re-registration on Logto (auto-selected)

**Notes:** Only one existing user — automation is not worth the complexity.

---

## Claude's Discretion

- Logto SDK choice
- Token storage mechanism
- Logto configuration and branding
- User ID mapping strategy
- E2E test auth approach

## Deferred Ideas

None — discussion stayed within phase scope.