73 lines
2.7 KiB
Markdown
73 lines
2.7 KiB
Markdown
# Phase 15: External Authentication - Discussion Log
|
|
|
|
> **Audit trail only.** Do not use as input to planning, research, or execution agents.
|
|
> Decisions are captured in CONTEXT.md — this log preserves the alternatives considered.
|
|
|
|
**Date:** 2026-04-04
|
|
**Phase:** 15-external-authentication
|
|
**Areas discussed:** Auth Provider Choice, Session Migration Strategy, Login Flow UX, Existing User Migration
|
|
**Mode:** --auto --batch (all decisions auto-selected)
|
|
|
|
---
|
|
|
|
## Auth Provider Choice
|
|
|
|
| Option | Description | Selected |
|
|
|--------|-------------|----------|
|
|
| Logto | Lightweight, purpose-built auth, no Redis, first-class OIDC, simpler deployment | ✓ |
|
|
| Authentik | Full IdP suite, more features but heavier, may need Redis, more complex setup | |
|
|
|
|
**User's choice:** Logto (auto-selected)
|
|
**Notes:** Matches project's "no Redis" out-of-scope constraint. Logto is simpler to deploy and maintain for a single-app use case.
|
|
|
|
---
|
|
|
|
## Session Migration Strategy
|
|
|
|
| Option | Description | Selected |
|
|
|--------|-------------|----------|
|
|
| Replace with OIDC session management | Logto handles sessions, remove users/sessions tables from GearBox | ✓ |
|
|
| Hybrid — keep GearBox sessions populated from OIDC | Validate OIDC on login, create local session for subsequent requests | |
|
|
| Token-only — validate OIDC token on every request | No local sessions, every request validates against Logto | |
|
|
|
|
**User's choice:** Replace with OIDC session management (auto-selected)
|
|
**Notes:** Simplifies the codebase by removing credential management from GearBox entirely. API keys remain as the programmatic access path.
|
|
|
|
---
|
|
|
|
## Login Flow UX
|
|
|
|
| Option | Description | Selected |
|
|
|--------|-------------|----------|
|
|
| Redirect to Logto login page | Standard OIDC redirect, Logto handles UI for login/register/reset | ✓ |
|
|
| Embedded login form via Logto SDK | Use Logto's SDK to render login inline within GearBox | |
|
|
|
|
**User's choice:** Redirect to Logto login page (auto-selected)
|
|
**Notes:** Standard OIDC pattern. More secure, less maintenance — Logto owns the login/registration UX.
|
|
|
|
---
|
|
|
|
## Existing User Migration
|
|
|
|
| Option | Description | Selected |
|
|
|--------|-------------|----------|
|
|
| Manual re-registration on Logto | User creates account on Logto, migration script links to GearBox data | ✓ |
|
|
| Automated import from GearBox users table | Script creates Logto user from existing credentials | |
|
|
|
|
**User's choice:** Manual re-registration on Logto (auto-selected)
|
|
**Notes:** Only one existing user — automation not worth the complexity.
|
|
|
|
---
|
|
|
|
## Claude's Discretion
|
|
|
|
- Logto SDK choice
|
|
- Token storage mechanism
|
|
- Logto configuration and branding
|
|
- User ID mapping strategy
|
|
- E2E test auth approach
|
|
|
|
## Deferred Ideas
|
|
|
|
None — discussion stayed within phase scope
|