Application Architecture

[pozsa]

This issue is meant to document our initial decisions regarding the architecture of the application.

Auth related:

• external OIDC auth service to be used
• backend receives and does authn and authz based on JWT tokens
• apps are configured with accepted OIDC service providers via env vars
• web frontend to use auth code + pkce grant flow (all endpoints implemented on the frontend)
• sdk frontend to use resource owner password credentials grant flow

[pozsa]

Are we all in agreement that we go for separate frontend and backend from the get-go? (i.e. minimal server-side rendering if any)
Do we want an SPA (single page application)?

I wouldn't break down the backend into smaller microservices. Authn and authz are already separate components which is good. I think the rest we can keep as a monolith. Any thoughts on this?

[sbliven]

Agree with single backend service (I'm not sure we'll have enough endpoints to qualify as a 'monolith')

I think SPA is a bad design, both for development and for users.