makiolaj/GearBox
1
0
Fork 0
Code Issues 8 Pull Requests Actions Packages Projects Releases 10 Wiki Activity
Files
73c3d69dba578b5f4bdb49d83d48f4134a7c997d
GearBox/.planning/phases/15-external-authentication/15-DISCUSSION-LOG.md
Jean-Luc Makiola 625862f5ae feat(15-01): add Logto service to Docker Compose and create init script 
- Add Logto OIDC provider to docker-compose.yml and docker-compose.dev.yml
- Create docker/init-logto-db.sql to initialize separate Logto database on Postgres
- Add OIDC env vars (issuer, client ID/secret, auth secret) to app service
- Document all required env vars in .env.example
2026-04-04 20:37:57 +02:00

2.7 KiB
Raw Blame History

Phase 15: External Authentication - Discussion Log

Audit trail only. Do not use as input to planning, research, or execution agents. Decisions are captured in CONTEXT.md — this log preserves the alternatives considered.

Date: 2026-04-04 Phase: 15-external-authentication Areas discussed: Auth Provider Choice, Session Migration Strategy, Login Flow UX, Existing User Migration Mode: --auto --batch (all decisions auto-selected)

Auth Provider Choice

Option Description Selected
Logto Lightweight, purpose-built auth, no Redis, first-class OIDC, simpler deployment
Authentik Full IdP suite, more features but heavier, may need Redis, more complex setup

User's choice: Logto (auto-selected) Notes: Matches project's "no Redis" out-of-scope constraint. Logto is simpler to deploy and maintain for a single-app use case.

Session Migration Strategy

Option Description Selected
Replace with OIDC session management Logto handles sessions, remove users/sessions tables from GearBox
Hybrid — keep GearBox sessions populated from OIDC Validate OIDC on login, create local session for subsequent requests
Token-only — validate OIDC token on every request No local sessions, every request validates against Logto

User's choice: Replace with OIDC session management (auto-selected) Notes: Simplifies the codebase by removing credential management from GearBox entirely. API keys remain as the programmatic access path.

Login Flow UX

Option Description Selected
Redirect to Logto login page Standard OIDC redirect, Logto handles UI for login/register/reset
Embedded login form via Logto SDK Use Logto's SDK to render login inline within GearBox

User's choice: Redirect to Logto login page (auto-selected) Notes: Standard OIDC pattern. More secure, less maintenance — Logto owns the login/registration UX.

Existing User Migration

Option Description Selected
Manual re-registration on Logto User creates account on Logto, migration script links to GearBox data
Automated import from GearBox users table Script creates Logto user from existing credentials

User's choice: Manual re-registration on Logto (auto-selected) Notes: Only one existing user — automation not worth the complexity.

Claude's Discretion

  • Logto SDK choice
  • Token storage mechanism
  • Logto configuration and branding
  • User ID mapping strategy
  • E2E test auth approach

Deferred Ideas

None — discussion stayed within phase scope

Reference in New Issue View Git Blame Copy Permalink