You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We’re considering an update to the IAuth interface that would remove user management capabilities. Currently, the interface requires implementers to provide a set of lambda functions for CRUD operations on users. For example, here’s the lambda that implements the create user functionality:
These lambdas are attached to the Control Plane API Gateway and respond to requests to the /users endpoint. For instance, the create user lambda is set as the target for the POST /users endpoint of the Control Plane API here:
Upon examination, SBT’s role in Control Plane user management is quite minimal:
It receives and authorizes requests to the /users endpoint on the SBT Control Plane.
It forwards the request to the Identity Provider’s (IdP) API.
It receives the response from the IdP and forwards it back to the caller.
Essentially, the SBT Control Plane acts as a proxy for the IdP’s API, which doesn’t provide significant value to users as they can directly access the IdP’s API. Furthermore, from a development and maintenance perspective, replicating and keeping up-to-date with the full set of capabilities provided by a given IdP for managing users requires considerable effort.
While the /users endpoint of Control Plane does provide the benefit of exchanging an SBT token for a token valid for the IdP’s API, this comes with drawbacks. It often means missing out on sophisticated access control mechanisms provided by the IdP’s API due to the complexity of mapping these back to SBT. We need to consider whether this benefit justifies the effort involved.
In conclusion, we’re proposing to remove the user management capabilities from the Control Plane API. We believe that the current implementation doesn’t justify the effort required, and users would be better served by communicating directly with the IdP’s API when managing Control Plane users.
We’d like to open this up for discussion. What are your thoughts on this proposed change?
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
Hello everyone,
We’re considering an update to the IAuth interface that would remove user management capabilities. Currently, the interface requires implementers to provide a set of lambda functions for CRUD operations on users. For example, here’s the lambda that implements the create user functionality:
sbt-aws/src/control-plane/auth/auth-interface.ts
Line 170 in 7c2705c
These lambdas are attached to the Control Plane API Gateway and respond to requests to the
/usersendpoint. For instance, the create user lambda is set as the target for thePOST /usersendpoint of the Control Plane API here:sbt-aws/src/control-plane/user-management/user-management.service.ts
Lines 44 to 52 in 7c2705c
Upon examination, SBT’s role in Control Plane user management is quite minimal:
/usersendpoint on the SBT Control Plane.Essentially, the SBT Control Plane acts as a proxy for the IdP’s API, which doesn’t provide significant value to users as they can directly access the IdP’s API. Furthermore, from a development and maintenance perspective, replicating and keeping up-to-date with the full set of capabilities provided by a given IdP for managing users requires considerable effort.
While the
/usersendpoint of Control Plane does provide the benefit of exchanging an SBT token for a token valid for the IdP’s API, this comes with drawbacks. It often means missing out on sophisticated access control mechanisms provided by the IdP’s API due to the complexity of mapping these back to SBT. We need to consider whether this benefit justifies the effort involved.In conclusion, we’re proposing to remove the user management capabilities from the Control Plane API. We believe that the current implementation doesn’t justify the effort required, and users would be better served by communicating directly with the IdP’s API when managing Control Plane users.
We’d like to open this up for discussion. What are your thoughts on this proposed change?
Beta Was this translation helpful? Give feedback.
All reactions