RFC: Authentication System Design
Status: Draft
Author: John Architect
Last Updated: 2024-01-15
Overview
This RFC describes the authentication system architecture for our new API platform. We will use OAuth2 with JWT tokens for stateless authentication.
Architecture Decision
After evaluating several options, we've decided on the following architecture:
| Component | Technology | Justification |
|---|---|---|
| Auth Server | Custom (Python/FastAPI) | Full control over token lifecycle |
| Token Format | JWT (RS256) | Stateless, verifiable by any service |
| Token Store | Redis | Fast lookup for refresh tokens |
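The token-format row of the table, worked through as an added example (this is not the project's code): it issues an RS256 access token with the 15-minute lifetime required in the next section and shows what a resource server must check when it verifies one using nothing but the public key set. The issuer and audience names and the key id are assumed. The RSA signer is written out from RFC 8017 only so that the example runs on the standard library; a real service would use a vetted library such as PyJWT over `cryptography` and keep the private key in a KMS or HSM rather than in process memory.

```python
"""Added example (not the project's code): RS256 access tokens as decided above.
Assumed: ISSUER, AUDIENCE, the key id. The RSA signer implements RSASSA-PKCS1-v1_5
with SHA-256 (RFC 8017) by hand only so the example needs no third-party package;
a real service uses a vetted library (e.g. PyJWT over `cryptography`)."""
import base64, hashlib, json, secrets, time

ISSUER = "auth.example.internal"   # assumed
AUDIENCE = "api.example.internal"  # assumed
ACCESS_TTL = 15 * 60               # RFC requirement: access tokens expire after 15 minutes
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2 note 1

def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _json_b64(obj):
    return _b64u(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())

def _is_probable_prime(n, rounds=24):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2 or any(n % p == 0 for p in _SMALL_PRIMES):
        return n in _SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (3 << (bits - 2)) | 1  # top two bits and low bit set
        if _is_probable_prime(cand):
            return cand

def generate_rsa_keypair(bits=2048):
    """Returns (private, public) dicts of integers; k is the modulus length in bytes."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return ({"n": p * q, "d": pow(e, -1, phi), "k": bits // 8},
                    {"n": p * q, "e": e, "k": bits // 8})

def _pkcs1_encode(msg, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo(SHA-256(msg)), k bytes, as an integer."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(priv, msg):
    return pow(_pkcs1_encode(msg, priv["k"]), priv["d"], priv["n"]).to_bytes(priv["k"], "big")

def rs256_verify(pub, msg, sig):
    # Compare the whole recovered block; never parse it leniently (Bleichenbacher 2006 forgery).
    return len(sig) == pub["k"] and \
        pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]) == _pkcs1_encode(msg, pub["k"])

def issue_access_token(priv, subject, kid, now=None):
    now = int(time.time() if now is None else now)
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject, "iat": now,
              "exp": now + ACCESS_TTL, "jti": secrets.token_urlsafe(16)}
    signing_input = _json_b64(header) + "." + _json_b64(claims)
    return signing_input + "." + _b64u(rs256_sign(priv, signing_input.encode()))

def verify_access_token(public_keys, token, now=None):
    """Returns the claims or raises ValueError. Needs only the public keys, which is
    what lets any resource server verify tokens without calling the auth server."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_b64u_decode(h)), json.loads(_b64u_decode(p)), _b64u_decode(s)
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # Pin the algorithm: the header must never select the verifier, or
    # 'alg: none' and RSA/HMAC key-confusion tokens would pass.
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    pub = public_keys.get(header.get("kid")) if isinstance(header.get("kid"), str) else None
    if pub is None or not rs256_verify(pub, (h + "." + p).encode(), sig):
        raise ValueError("bad signature")
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    now = time.time() if now is None else now
    if type(claims.get("exp")) is not int or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```

Usage: `priv, pub = generate_rsa_keypair()`, then `tok = issue_access_token(priv, "user-123", "2024-01")` on the auth server and `verify_access_token({"2024-01": pub}, tok)` on any resource server. The verifier takes the key set keyed by `kid` so keys can be rotated without a flag day, pins `alg` to RS256 instead of trusting the header, and treats `exp` as a hard cut-off, which is what makes the 15-minute lifetime enforceable without a revocation list.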
Security Requirements
- All endpoints must use HTTPS
- Access tokens expire after 15 minutes
- Refresh tokens expire after 7 days
- Failed login attempts are rate-limited (5 per minute per IP)
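The refresh-token store from the table and the last three requirements above, as an added example (this is not the project's code): an in-memory dictionary of expiry timestamps stands in for Redis, refresh tokens are single-use and rotated on every refresh with reuse detection, and failed logins are counted in a sliding window per client IP. The `now` parameters, the `RateLimited` exception, the PBKDF2 setting, and the user table with its password are constructed for the example.

```python
"""Added example (not the project's code): the refresh-token store and the
failed-login limiter from the requirements above. A dict of expiry timestamps
stands in for Redis (a deployment would use SET ... EX for the 7-day TTL and an
atomic GETDEL for rotation); the `now` parameters allow fixed-clock checks; the
user table, its password and the exception types are constructed for the example."""
import hashlib
import hmac
import secrets
import time
from collections import deque

REFRESH_TTL = 7 * 24 * 3600        # RFC: refresh tokens expire after 7 days
LOGIN_LIMIT, LOGIN_WINDOW = 5, 60  # RFC: 5 failed attempts per minute per IP
PBKDF2_ROUNDS = 200_000            # demo setting; tune to the deployment's latency budget

class RefreshTokenStore:
    """Single-use refresh tokens: rotate() retires the presented token and issues
    a new one. A retired token presented again means two parties hold the same
    token (leak or theft), so every session of that subject is revoked."""

    def __init__(self):
        self._live = {}  # sha256(token) -> (subject, expires_at)
        self._used = {}  # retired tokens, kept until expiry so a replay is recognised

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()  # store hashes, not tokens

    def issue(self, subject, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._live[self._key(token)] = (subject, now + REFRESH_TTL)
        return token

    def revoke_subject(self, subject):
        for table in (self._live, self._used):
            for key in [k for k, (s, _) in table.items() if s == subject]:
                del table[key]

    def rotate(self, token, now=None):
        """Returns (subject, new_token) or raises ValueError."""
        now = time.time() if now is None else now
        key = self._key(token)
        if key in self._used:
            subject = self._used[key][0]
            self.revoke_subject(subject)
            raise ValueError("refresh token reuse detected; sessions for %s revoked" % subject)
        entry = self._live.pop(key, None)
        if entry is None or now >= entry[1]:
            raise ValueError("unknown or expired refresh token")
        self._used[key] = entry
        return entry[0], self.issue(entry[0], now)

class RateLimited(Exception):
    pass

class FailedLoginLimiter:
    """Sliding window of failed-attempt timestamps per client IP."""

    def __init__(self, limit=LOGIN_LIMIT, window=LOGIN_WINDOW):
        self.limit, self.window = limit, window
        self._failures = {}  # ip -> deque of failure timestamps

    def _recent(self, ip, now):
        q = self._failures.setdefault(ip, deque())
        while q and q[0] <= now - self.window:  # drop attempts outside the window
            q.popleft()
        return q

    def allowed(self, ip, now=None):
        now = time.time() if now is None else now
        return len(self._recent(ip, now)) < self.limit

    def record_failure(self, ip, now=None):
        now = time.time() if now is None else now
        self._recent(ip, now).append(now)

# Constructed credential table: username -> (salt, PBKDF2-HMAC-SHA256 hash).
_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, PBKDF2_ROUNDS))}

def _password_ok(username, password):
    salt, expected = USERS.get(username, (b"", b""))
    # Hash even for unknown users so response time does not reveal which names exist.
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(got, expected)

def login(store, limiter, ip, username, password, now=None):
    """Checks the limiter first, counts a failure on bad credentials, and on success
    returns a refresh token (the access token is issued separately)."""
    now = time.time() if now is None else now
    if not limiter.allowed(ip, now):
        raise RateLimited("too many failed attempts from %s; retry later" % ip)
    if not _password_ok(username, password):
        limiter.record_failure(ip, now)
        raise ValueError("invalid credentials")
    return store.issue(username, now)
```

Two design points worth keeping when this moves to Redis: the limiter is checked before the password hash is computed, so a client that has hit the limit costs the server nothing more than a lookup, and the store keys entries by the hash of the token, so a leaked Redis dump cannot be replayed as refresh tokens.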
Open Questions
- Should we support SAML for enterprise clients?
- Do we need to support multi-factor authentication in V1?