Passport.js as AuthenticationStrategy for JWT support #1915
thecaffeinatedengineer started this conversation in General
Replies: 1 comment
-
Hi Ian,
If you want this auth token to hold data relevant to other non-Vendure services, as in a JWT, this is getting slightly beyond the scope of Vendure's native auth mechanism. You might want to consider using an external identity provider like, e.g., Keycloak, and then integrating that with Vendure as well as the other services. If you did choose to use Vendure's auth (which could make sense if you value keeping the system more simple), then a custom REST endpoint that returns data based on the session token sounds feasible to me. Using a Redis-based session cache should scale pretty well, I'd imagine.
-
I am currently investigating Vendure to use as a part of a microservices system. Looking at how auth is handled in Vendure, the two auth options available are cookies and bearer tokens (not JWT tokens).
I did some digging and found out that JWTs actually used to be supported but they were removed; I understand why.
However, I am not sure the bearer tokens support my use case. My use case is that ideally registration will be handled by Vendure and (other) microservices will rely on the tokens generated by Vendure for user identification.
The token should have additional attributes such as added roles (for the other services) and, as it is shared, a JWT's public key to validate users and handle auth in other systems. These tokens should also be usable by SPAs and native apps.
My question is, can I still use the normal bearer tokens for my use case? The only way I see for now is creating a GetUser REST API which services can call (passing the token) or something to get users' details so we can identify them. This means unnecessary calls to the DB, or Redis if I implement caching; it doesn't sound like it will scale well.
Alternatively, I could implement a PassportAuthenticationStrategy which creates JWTs, leveraging as much as I can from Passport.js, but this sounds like overkill.
Is there a solution I am missing? Also, is the first solution doable?
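The lookup-endpoint approach discussed in both posts, seen from a downstream service, as an added example that is not Vendure code or code from either poster. `lookup` is a hypothetical stand-in for the custom REST endpoint, and the `userId` and `roles` fields are assumptions. It shows a short-TTL cache that bounds how long a revoked session can stay accepted, and rejects the request when the lookup fails.

```javascript
// Added example: a downstream service resolving an opaque bearer token to an identity.
// `lookup(token)` is a hypothetical client for the custom REST endpoint; it is assumed
// to resolve to { userId, roles } for a live session and to null otherwise.
function createTokenVerifier(lookup, { ttlMs = 30000, maxEntries = 10000, now = Date.now } = {}) {
  const cache = new Map(); // token -> { identity, expires }

  async function verify(authorizationHeader) {
    // Accept only a well-formed "Bearer <b64token>" header (RFC 6750 character set).
    const m = /^Bearer ([A-Za-z0-9._~+\/-]+=*)$/i.exec(authorizationHeader || '');
    if (!m) return null;
    const token = m[1];

    const hit = cache.get(token);
    if (hit && hit.expires > now()) return hit.identity;
    cache.delete(token); // expired or absent

    let identity;
    try {
      identity = await lookup(token);
    } catch {
      return null; // fail closed: an unreachable auth service never grants access
    }
    if (!identity) return null; // unknown or revoked session; negatives are not cached

    // Bound memory: evict the oldest entry once the cache is full.
    if (cache.size >= maxEntries) cache.delete(cache.keys().next().value);
    // ttlMs is the longest a revoked session stays accepted by this service.
    cache.set(token, { identity, expires: now() + ttlMs });
    return identity;
  }

  // Call on logout or on a revocation event to drop the entry before the TTL ends.
  function revoke(token) {
    cache.delete(token);
  }

  return { verify, revoke };
}
```

The TTL is the trade-off the thread is about: a longer value means fewer lookups, a shorter one means faster revocation.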