jaconi-io / morp

Multi-tenant OpenID Connect reverse proxy
MIT License

Support optional stateless operation of proxy #21

Open jfiedler-jaconi opened 2 years ago

jfiedler-jaconi commented 2 years ago

MORP currently relies on the Spring Security session cookie (which is an id referencing state in JVM memory) to hold the authentication state. This works fine with a single MORP replica but will not work with multiple MORP replicas. Once we have replicas, we would need persistent storage (e.g. via Redis).

As a low-barrier alternative to Redis (which we will recommend for production), we should support an optional stateless mode in which we move the entire authentication state into a cookie that is submitted back to MORP with every client request. Such a mode will lower the entry barrier to trying out MORP. We need to document the limitations of this mode (i.e. the size of JWT tokens transported via cookies).
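The stateless mode described above, as an added example that is not MORP's code: the authentication state (tenant, subject, tokens) is serialised into one HMAC-signed cookie with an expiry, and sealing fails when the result exceeds the usual per-cookie size limit, which is the limitation the issue asks to document. The key, the session layout and the 4096-byte limit are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

COOKIE_LIMIT = 4096   # assumed per-cookie browser limit, in bytes
SESSION_TTL = 3600    # seconds a sealed session stays valid


class CookieTooLarge(ValueError):
    """The serialised auth state does not fit into a single cookie."""


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal_session(state: dict, key: bytes, now: Optional[float] = None) -> str:
    # Body: base64url(JSON{exp, state}); tag: HMAC-SHA256 over the body.
    # HMAC gives integrity only; an AEAD (e.g. AES-GCM) would also hide the tokens from the client.
    exp = int(time.time() if now is None else now) + SESSION_TTL
    body = _b64(json.dumps({"exp": exp, "s": state}, separators=(",", ":")).encode())
    tag = _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    cookie = f"{body}.{tag}"
    if len(cookie) > COOKIE_LIMIT:   # JWTs in the state can easily push past this
        raise CookieTooLarge(f"{len(cookie)} bytes exceeds {COOKIE_LIMIT}")
    return cookie


def open_session(cookie: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    # Returns the auth state, or None if the tag is wrong, the body is malformed or the session expired.
    body, sep, tag = cookie.partition(".")
    if not sep:
        return None
    expected = _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, tag):   # verify before parsing, in constant time
        return None
    try:
        obj = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if obj.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return obj["s"]
```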

jnodorp-jaconi commented 2 years ago

See https://www.innoq.com/en/blog/cookie-based-spring-security-session/ as a starting point.