Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OpenAPI convert client to application #3

Merged
merged 3 commits into from
Feb 22, 2024
Merged

OpenAPI convert client to application #3

merged 3 commits into from
Feb 22, 2024

Conversation

SirNexus
Copy link
Contributor

In an effort to standardize the terminology and abstraction layer of the interface we're trying to build, it makes sense to transition away from emitting the client concept in the API and instead use the application concept. Here is an overview of the new API:

Screen Shot 2024-02-20 at 8 12 19 AM

As you can see, we've moved the creation of an application to applications/oauth2. By restricting the creation of applications to be a specific type, we get several benefits:

  1. Extension points in the API to allow for creation of other kinds of applications
  2. Lowering of implementation overhead and complexity.

Take, for instance, an alternative approach that I investigated:

image

This API allows hooks for the creation of the application, and then the subsequent registering of the application as an OAuth2 client. This separates the application creation process from the registering of the application as a particular kind of client. This has several drawbacks:

  1. The API is more complex, requiring more endpoints be implemented.
  2. We have now introduced a state in our application where it lives in our IDP Connect implementation but not the AWS Cognito database. This adds increased surface area for bugs and maintenance complexity.
    • What happens if you associate an API Product with an application before you register it as an OAuth client? We'll have to store state. What happens if you then register it as an OAuth application? We'd have to update that state to reflect what lives in our IDP Connect state.

Overall, we want to avoid having to have state in our application. The purpose of our SPI is to provide simply a bridge between the Portal Server's source of truth and and backing storage for credentials. This layer should be as minimal as possible, and this API accomplishes that.

Keep in mind also that this means for a single logical application in Portal, we will have to create independent applications of different types if, say, we eventually support a applications/api-keys endpoint. I think this tradeoff is well worth it for the implementation and cognitive complexity savings this approach allows for.

marcogschmidt
marcogschmidt reviewed Feb 22, 2024
View reviewed changes
api/v1/openapi.yaml Outdated Show resolved Hide resolved
marcogschmidt
marcogschmidt reviewed Feb 22, 2024
View reviewed changes
api/v1/openapi.yaml Outdated Show resolved Hide resolved
@SirNexus SirNexus merged commit f38cf67 into main Feb 22, 2024
4 checks passed
@SirNexus SirNexus deleted the openapi-oauth-client branch February 22, 2024 20:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marcogschmidt marcogschmidt marcogschmidt left review comments

@jmhbh jmhbh jmhbh approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@SirNexus @jmhbh @marcogschmidt