Authentication

[StaringSkyward]

Spin looks really interesting. Since authentication is such a common requirement what does that look like in Spin, e.g. with an OAuth2 bearer token?

[vdice]

Hi @StaringSkyward and thanks for the question. First, could you clarify the scenario you are thinking of? Authentication to a deployed Spin app or authentication to the Fermyon platform during deployment? (Or perhaps something else entirely?)

The former is outside of Spin's domain currently; in other words, the application itself is responsible for implementing an authentication mechanism and entities making requests to the app would supply creds/token(s) directly, via corresponding app endpoints. Combing through the issue backlog, though, I do see a mention of a middleware approach in Spin, one top use case being authentication: #85. I'd imagine this would be exposed at Spin's configuration level.

Also glad to go into the details if the latter is what you had in mind, i.e. authentication approaches when deploying to the Fermyon platform.

[StaringSkyward]

Thanks @vdice for the quick reply. I was thinking in general terms of a Spin app. I guess what I am trying to understand is in the context of a conventional OAuth2 situation where the spin app receives a bearer token with the request, would you expect the spin app to authenticate that token itself or would it be preferable to keep the spin app as small as possible and authenticate the request outside of spin with something like an API gateway?

[vdice]

would you expect the spin app to authenticate that token itself or would it be preferable to keep the spin app as small as possible and authenticate the request outside of spin with something like an API gateway?

Great foresight. Indeed, today the burden of auth is on the spin app itself, but to your point, this is a common scenario across applications and it would indeed be advantageous to handle it at the API gateway level in Spin, both to reduce app size and eliminate the need for app developers to implement another piece of boilerplate.

I bet @lann and/or others on the team have given this some thought (eg the previously referenced #85.) Let's see if they get a chance to chime in with potential vision(s) here.

[lann]

I think that "middleware" (i.e. #85) or something similar will end up being the right answer for cross-cutting concerns like authentication. Importantly, we want middleware to be implementable as separate Wasm components, which means they should be reusable between applications.