Description
CAS (Central Authentication Service) is a centralized authentication and user management service for an ecosystem of applications. It serves as a single Identity Provider (IdP) that allows multiple applications to delegate user authentication and identity management, eliminating the need for each application to implement its own authentication system.
Core Concept
Instead of each application maintaining its own user database and authentication logic, CAS provides a unified service where:
- Users have a single account that works across all applications in the ecosystem
- Applications integrate with CAS through its API to authenticate users
- Authentication methods are centralized and can be updated across all applications simultaneously
Key Benefits
- Centralized Management: User accounts, authentication methods, and security policies are managed in one place
- Simplified Integration: Applications don't need to implement complex authentication logic
- Modern Security: Support for cutting-edge authentication methods like Passkey (WebAuthn/FIDO2)
- Consistency: Uniform authentication experience across all applications
Project Goals
The development of this new CAS service is driven by two main objectives: educational and practical.
Educational Goals
The primary purpose of this project is to learn and master modern authentication technologies and development practices:
Learning Modern Authentication Methods and Protocols
- WebAuthn/FIDO2: Understanding passwordless authentication
- Passkey Implementation: Learning how to implement and integrate Passkey authentication
- Security Best Practices: Studying modern security patterns, challenge-based authentication, and cryptographic validation
- Authentication Flows: Understanding registration and authentication flows for biometric and hardware-based authentication
Learning Rust and the Axum/Tokio Ecosystem
Practical Goals
Beyond learning, this project aims to address the limitations of the current CAS implementation:
Technology Stack Modernization
- The existing CAS is built on an outdated Node.js stack with legacy dependencies and no strong type system
- Not fully cloud compatible:
  - We don't want to run MongoDB inside the k8s cluster, and we don't have the resources for a managed instance
  - Storing static files on local disk requires persistent storage in k8s
Authentication Method Enhancement
- The existing CAS only supports traditional email/password and basic OAuth flows
Architecture Simplification
- The existing CAS has a complex multi-service architecture (7 services) built around Redis, Kue workers, and many other dependencies
Roadmap
MVP
The MVP focuses on core Passkey authentication functionality, providing a working foundation for user authentication without passwords.
Functional requirements
Passkey Registration
Passkey Authentication
Token Management
- JWT access token generation after successful authentication
- JWT refresh token generation
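The two token bullets above say what is issued but not how the access and refresh tokens are kept apart or checked. The Python below is an added illustration and not code from this project (which is written in Rust); it uses only the standard library so it runs without any packages. It assumes HS256 with a single service-side key, a 15-minute access token, a 7-day refresh token, and a `typ` claim set to `access` or `refresh`; those choices, the `jti` claim, and the `token_status` helper are assumptions of the example rather than decisions recorded on this page.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo key for this example only; a real service loads it from a
# secret store and rotates it. HS256 needs at least a 256-bit random key.
SIGNING_KEY = secrets.token_bytes(32)

ACCESS_TTL = 15 * 60            # 15 minutes: short-lived bearer credential (assumed value)
REFRESH_TTL = 7 * 24 * 60 * 60  # 7 days: only ever exchanged for a new pair (assumed value)


def b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515, section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_input(signing_input: str) -> str:
    mac = hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256)
    return b64url_encode(mac.digest())


def issue_token(user_id: str, typ: str, ttl: int, now: int) -> str:
    """Mint a compact HS256 JWT carrying sub, a token-type claim, iat, exp and jti."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "sub": user_id,
        "typ": typ,                    # "access" or "refresh": lets the verifier refuse cross-use
        "iat": now,
        "exp": now + ttl,
        "jti": secrets.token_hex(16),  # unique id so a refresh token can be revoked individually
    }
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    return signing_input + "." + sign_input(signing_input)


def issue_token_pair(user_id: str, now: Optional[int] = None) -> dict:
    """What the service hands back after a successful passkey authentication."""
    now = int(time.time()) if now is None else now
    return {
        "access_token": issue_token(user_id, "access", ACCESS_TTL, now),
        "refresh_token": issue_token(user_id, "refresh", REFRESH_TTL, now),
    }


def verify_token(token: str, expected_typ: str, now: Optional[int] = None) -> dict:
    """Return the claims if the token is genuine, unexpired and of the expected type."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm server-side; never let the token choose (rejects alg=none and HS/RS confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Verify the signature before trusting anything in the payload, in constant time.
    if not hmac.compare_digest(sign_input(f"{h64}.{c64}").encode(), s64.encode()):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c64))
    if claims.get("typ") != expected_typ:
        raise ValueError("wrong token type")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def token_status(token: str, expected_typ: str, now: Optional[int] = None) -> str:
    """Convenience wrapper: "ok" or the rejection reason."""
    try:
        verify_token(token, expected_typ, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    t0 = int(time.time())
    pair = issue_token_pair("user-42", now=t0)
    print(token_status(pair["access_token"], "access", t0 + 60))           # ok
    print(token_status(pair["refresh_token"], "access", t0 + 60))          # wrong token type
    print(token_status(pair["access_token"], "access", t0 + ACCESS_TTL))   # expired
```

The order of checks in `verify_token` is the point: the algorithm is fixed on the server side rather than read from the token, the signature is validated before any claim is used, and only then are type and expiry enforced. Without the `typ` check a long-lived refresh token would be accepted wherever an access token is, which quietly turns a 15-minute credential into a 7-day one.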
Temporary Users
- Create temporary user