# Identity View

This view describes our strategy for identity, authentication, and authorisation.

# Principles

  • Auth0 is the data leader for identity

    We want a single source of truth for identity data. Other systems may still need parts of it; MailChimp, for example, needs an email address. In such cases we push the contact information from Auth0 to the other system rather than letting that system own a separate copy.

  • Replicate the identity data in individual contexts for query purposes

    Auth0's Management API is rate limited to 2 requests per second. That is the API our backend currently uses to query contacts, and it will definitely not scale, so each context keeps its own replica of the identity data it needs to answer queries.

  • Define the list of permissions per API

    Auth0 supports defining permissions per API. If we have an Inventory API, for example, we create an Inventory API definition in Auth0 and define its list of permissions there, so that access tokens issued for that API carry only permissions that API recognises.

# Sequence: Unauthenticated API Request

This sequence diagram shows how we secure API endpoints that require no authentication but whose resources are still sensitive enough to need protection, hence the use of a CAPTCHA.

# Sequence: User Authenticated API Request

This sequence diagram shows how we secure an API endpoint once a user has authenticated.
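As an added illustration of the per-API permissions principle and of the authenticated request above (example code written for this page, not part of the project): the API validates the access token's signature, expiry, issuer and audience, then checks that the token's permissions include the one the endpoint needs. The issuer, API identifier, secret and `permissions` claim values are constructed; a real Auth0 token would be RS256-signed and checked against the tenant's JWKS, and the `permissions` claim assumes the tenant's RBAC setting that adds permissions to the access token is enabled.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this example; a real deployment would use the
# Auth0 tenant's issuer URL, the API identifier registered in Auth0
# and RS256 verification against the tenant's JWKS instead of a secret.
ISSUER = "https://example-tenant.auth0.example/"
AUDIENCE = "https://inventory-api.example"   # the Inventory API identifier
SECRET = b"constructed-shared-secret"        # HS256 key, example only

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict) -> str:
    """Build an HS256 JWT; stands in for the token Auth0 would issue."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str, now=None) -> dict:
    """Authentication step: return the claims only if signature, expiry,
    issuer and audience all check out; raise PermissionError otherwise."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")  # never let the header pick the algorithm
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if claims.get("iss") != ISSUER:
        raise PermissionError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("wrong audience")  # token minted for another API
    return claims

def authorise(token: str, required: str, now=None) -> bool:
    """Authorisation step: the verified token must carry the endpoint's permission."""
    claims = verify_token(token, now)
    return required in claims.get("permissions", [])
```

Rejecting a token whose audience is a different API is what keeps the per-API permission lists from leaking across services.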