0003. Authentication and User Management Approach
Status: Accepted Date: 2025-10-08 Context: Continuation of ADR-0002 (Quarkus adoption); defines authentication, authorization, and user data management.
Context
The platform requires secure, standards-based authentication and user management for both web and API clients. Key requirements include:
- Support for OAuth 2.0 / OIDC flows (for future integration with third-party login providers).
- Secure token-based access for API consumers.
- Minimal operational burden for the small engineering team.
- Compatibility with Quarkus security extensions and AWS deployment model (ECS + Aurora PostgreSQL).
- Flexibility to evolve toward multi-tenant and enterprise scenarios.
Two primary models were considered:
- Application-managed identity using Quarkus Security JPA, storing credentials and roles in our own database.
- Delegated identity management using a managed OIDC provider, specifically AWS Cognito.
Decision
We will adopt AWS Cognito as the primary authentication and user-management service. Quarkus will integrate via the quarkus-oidc extension, treating Cognito as an external OpenID Connect provider.
Rationale
| Consideration | Cognito (Chosen) | Quarkus Security JPA (Not Chosen for now) |
|---|---|---|
| Operations | Fully managed service, handles signup, password reset, MFA, social login | Requires us to store and hash passwords, build account flows |
| Security posture | Offloads credential handling and compliance to AWS | Higher risk surface; must implement secure storage and policies ourselves |
| Scalability | Auto-scales with user base; integrates with AWS IAM | Scales with our Aurora DB; more tuning required |
| Integration | Works natively with Quarkus OIDC and ALB OIDC auth | Tight coupling to DB schema; limited federation options |
| Future flexibility | Supports enterprise federation (SAML, OIDC, AD) | Limited to in-app users unless refactored later |
Given limited operational capacity at this stage, Cognito provides a secure, standards-compliant baseline while allowing later customization if business needs demand internal user management.
Implementation Outline
In Quarkus
quarkus.oidc.auth-server-url=https://cognito-idp.<region>.amazonaws.com/<user-pool-id>
quarkus.oidc.client-id=<client-id>
quarkus.oidc.credentials.secret=<client-secret>
quarkus.oidc.application-type=web-app
quarkus.oidc.authentication.scopes=openid,profile,email- Tokens (JWTs) are verified automatically by Quarkus OIDC.
- Role/claim mapping handled via Cognito groups or custom attributes.
- Application endpoints protected via
@RolesAllowedandSecurityIdentity.
Persistence Layer
- Aurora PostgreSQL remains the primary store for domain data.
- Minimal user references (e.g. Cognito
subUUID, profile metadata) stored as foreign keys — no passwords.
Local Development
- Use AWS Cognito in a development sandbox environment using AWS free tier.
- Quarkus's
quarkus.oidc.devservices.enabled=truecan spin up a local OIDC provider automatically when needed for unit testing. - Cost-effective: AWS Cognito free tier (50,000 monthly active users) is significantly cheaper than LocalStack Pro ($40/user/month).
Future Alternatives
If business needs require:
- Tighter integration or internal credential control, migrate selectively to Quarkus Security JPA (passwords stored in Aurora).
- Cross-platform login (Google, Apple, LinkedIn), leverage Cognito’s Identity Federation features.
- Enterprise SSO, integrate existing IdPs via Cognito Federation or replace Cognito with Keycloak.
Consequences
Positive
- Removes responsibility for credential lifecycle, MFA, and compliance.
- Simplifies Quarkus configuration (OIDC instead of JPA-based security).
- Scales seamlessly within AWS ecosystem.
Negative / Trade-offs
- Introduces external dependency (Cognito availability, cost model).
- Requires internet connectivity for development (vs local emulation).
- Less direct control over user-table schema and credential policies.
Updated 10 days ago