I am taking a fresh look at how to best handle authorization and authentication in Dropwizard today. I think it would be a very helpful conversation for all of us if we could share what we're using for authn and authz, and what we feel would be the simplest/best/etc approach today.
Here's my personal take on what the requirements are for a modern authn and authz solution:

1) As few external dependencies as possible, e.g. no dependency on an external service such as KeyCloak, Auth0, etc. Should be able to use the app's database as the identity provider for users and roles/permissions.
2) Simplicity: many security libraries try to handle every protocol or standard, and end up being hard to configure and troubleshoot.
3) Works cleanly with both indirect clients (views; web form-based login) and direct clients (APIs). Example use case: a view rendered server-side has some JS that fetches data from a resource.
4) Simple role- and/or permission-based access control.
5) User can optionally authenticate via Facebook, Google, etc.
6) If an account needs to be deactivated, the user can be logged out across all devices/sessions within minutes.
7) The project is actively maintained and updated.

Bonus: in theory stateless sessions would be a nice option to have, although there are probably too many drawbacks to make the complexity worth it (e.g. JWT with short-lived access tokens and long-lived refresh tokens).

I don't think there's any Java solution out there that meets the requirements above, but I'd love to hear if anyone has gotten close.

--
You received this message because you are subscribed to the Google Groups "dropwizard-user" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
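One way to cover requirements 1, 4 and 6 with nothing beyond the dropwizard-auth module, as an added example that is not part of the original post or of the Dropwizard project: a database-backed Authenticator and Authorizer wired into a BasicCredentialAuthFilter, with an in-memory map standing in for the app's users table. It assumes Dropwizard 2.x (javax namespace) and a hypothetical users table holding a PBKDF2 hash, a per-user salt, a role set and an active flag; the names DbAuth, DbAuthenticator, DbAuthorizer, UserRow, addUser and deactivate are illustrative, and the two sample rows are constructed.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.security.RolesAllowed;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import io.dropwizard.auth.*;
import io.dropwizard.auth.basic.BasicCredentialAuthFilter;
import io.dropwizard.auth.basic.BasicCredentials;
import io.dropwizard.setup.Environment;
import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;

/** Illustrative DB-backed authn/authz for Dropwizard 2.x; not the project's own code. */
public final class DbAuth {

    /** The principal handed to resources via @Auth. Roles are loaded per request. */
    public static final class User implements Principal {
        private final String name;
        private final Set<String> roles;
        User(String name, Set<String> roles) { this.name = name; this.roles = roles; }
        @Override public String getName() { return name; }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    /** One row of the hypothetical users table. 'active' is volatile so deactivation is seen at once. */
    static final class UserRow {
        final byte[] hash; final byte[] salt; final Set<String> roles; volatile boolean active = true;
        UserRow(byte[] hash, byte[] salt, Set<String> roles) { this.hash = hash; this.salt = salt; this.roles = roles; }
    }

    /** Constructed stand-in for the users table; a real app would query its database here. */
    static final Map<String, UserRow> USERS = new ConcurrentHashMap<>();
    static final byte[] DUMMY_SALT = new byte[16]; // used to equalise timing for unknown usernames
    static {
        addUser("alice", "correct horse battery staple", new HashSet<>(Arrays.asList("USER", "ADMIN")));
        addUser("bob", "hunter2", Collections.singleton("USER"));
    }

    static void addUser(String name, String password, Set<String> roles) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        try { USERS.put(name, new UserRow(pbkdf2(password.toCharArray(), salt), salt, roles)); }
        catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    /** Requirement 6: flip the flag and the very next request from any device is rejected. */
    static void deactivate(String name) { UserRow row = USERS.get(name); if (row != null) row.active = false; }

    /** PBKDF2-HMAC-SHA256 from the JDK; no third-party hashing library needed. */
    static byte[] pbkdf2(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try { return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded(); }
        finally { spec.clearPassword(); }
    }

    /** Verifies the password against the stored row on every request (no cache), so revocation is immediate. */
    public static final class DbAuthenticator implements Authenticator<BasicCredentials, User> {
        @Override
        public Optional<User> authenticate(BasicCredentials creds) {
            UserRow row = USERS.get(creds.getUsername());
            try {
                // Hash even for unknown users so response time does not reveal which usernames exist.
                byte[] candidate = pbkdf2(creds.getPassword().toCharArray(), row == null ? DUMMY_SALT : row.salt);
                if (row == null || !row.active || !MessageDigest.isEqual(candidate, row.hash)) {
                    return Optional.empty(); // constant-time compare; deactivated accounts never authenticate
                }
                return Optional.of(new User(creds.getUsername(), row.roles));
            } catch (GeneralSecurityException e) {
                return Optional.empty();
            }
        }
    }

    /** Requirement 4: @RolesAllowed("X") passes only if the user's role set contains X. */
    public static final class DbAuthorizer implements Authorizer<User> {
        @Override public boolean authorize(User user, String role) { return user.hasRole(role); }
    }

    @Path("/admin/whoami")
    @Produces(MediaType.APPLICATION_JSON)
    public static final class AdminResource {
        @GET @RolesAllowed("ADMIN")
        public Map<String, String> whoami(@Auth User user) { return Collections.singletonMap("user", user.getName()); }
    }

    /** Call from Application.run(config, environment) to install the filter and the resource. */
    public static void register(Environment environment) {
        environment.jersey().register(new AuthDynamicFeature(
                new BasicCredentialAuthFilter.Builder<User>()
                        .setAuthenticator(new DbAuthenticator())
                        .setAuthorizer(new DbAuthorizer())
                        .setRealm("app")
                        .buildAuthFilter()));
        environment.jersey().register(RolesAllowedDynamicFeature.class);
        environment.jersey().register(new AuthValueFactoryProvider.Binder<>(User.class));
        environment.jersey().register(new AdminResource());
    }
}
```

Because the authenticator consults the store on every request, deactivating an account takes effect on the next call; if you wrap DbAuthenticator in Dropwizard's CachingAuthenticator to avoid a PBKDF2 computation per request, its cache expiry becomes the upper bound on how long a deactivated user stays logged in, which is exactly the "within minutes" knob in requirement 6. This covers the direct-client (API) half of requirement 3 only; form-based login for server-rendered views needs a session-cookie AuthFilter in front of the same Authenticator and Authorizer.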
