9. Architecture Decisions
Important, expensive, large scale or risky architecture decisions including rationales. With "decisions" we mean selecting one alternative based on given criteria.
9.1. ADR-001: Selection of Single Sign-On (SSO) Stack
9.1.2. Context
The Dastan ecosystem consists of multiple applications, each with its own authentication and authorization mechanisms. This has led to a fragmented user experience and increased administrative overhead. To address these issues, the organization has decided to implement a Single Sign-On (SSO) solution to provide a seamless and secure user authentication experience across all applications.
9.1.3. Decision
Use Keycloak as the SSO stack for the Dastan ecosystem. Keycloak is an open-source identity and access management solution that provides features such as Single Sign-On, Identity Brokering, and Social Login. It is built on top of the OAuth 2.0 and OpenID Connect standards, and it provides a wide range of authentication mechanisms, including username/password, social login, and multi-factor authentication.
9.1.4. Alternatives
-
1. Home Grown: Create our own SSO solution.
-
2. Authentik: Authentik is a lightweight, but full-featured, open-source SSO solution.
-
3. Authelia: Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO).
-
4. No Solution: Continue with the current fragmented authentication and authorization mechanisms.
9.1.5. Consequences
1. Home Grown:
- Pros
-
-
Full control over the implementation.
-
Customizable to specific requirements.
-
No licensing costs.
-
Potential for deeper integration with existing systems.
-
- Cons
-
-
High development and maintenance costs.
-
High risk of security vulnerabilities.
-
2. Authentik:
- Pros
-
-
Better looking UI.
-
- Cons
-
-
Open tickets of alarming security issues. github.com/goauthentik/authentik/issues/2023
-
Less mature than Keycloak.
-
More difficult setup.
-
3. Authelia:
- Pros
-
-
Extremely lightweight.
-
Easy to setup, with only config files and secrets.
-
- Cons
-
-
No social login.
-
Limited integrations.
-
No user management.
-
4. No Solution:
- Pros
-
-
No effort required.
-
- Cons
-
-
Fragmented user experience.
-
Increased administrative overhead.
-
Security risks due to multiple authentication mechanisms.
-