[FC-0118] docs: add ADR for standardizing authentication patterns

[Faraz32123]

related issue: #38169

[Faraz32123]

related doc worth reading: https://docs.openedx.org/projects/openedx-proposals/en/latest/best-practices/oep-0042-bp-authentication.html#consequences, we can make changes to the ADR based on the attached doc if needed.

[feanil]

I'm not sure if this distinction is super important. What is the bad thing that happens if your API endpoints support session auth also? Right now DRF in openedx-platform supports both by default: https://github.com/openedx/openedx-platform/blob/master/openedx/envs/common.py#L822-L825 and I don't see a problem with that. I think it's more valuable that all endpoints support any valid auth scheme than having API calls not support the browser.

[Faraz32123]

@feanil I think you have valid point here that we should support any valid auth scheme instead of categorizing them on the basis of their usage.
I am adding a new commit that addresses above point with some additional remains(includes removal of JWT issuers & use of asymmetric keys) of OEP-0042, But it had some consequences(Link) that you might want to look in. That way we can decide the scope of this ADR. And we can remove the part that is not needed for this ADR accordingly.

[feanil]

I think this line is still worth updating to say that both JWT and Session auth are okay but other deprectaed authentication schemes such as bearer are not. What do you think. That way this aligns with the cleanup we want to do.

[robrap]

@feanil: You should review openedx/edx-drf-extensions#284 and all its comments to see if you are missing anything, and you may want to reference it in this ADR.

[robrap]

Additional thoughts. Thanks.

[feanil]

Other auth ADRs (0003, 0008, 0009, 0010, 0013, 0014) live under openedx/core/djangoapps/oauth_dispatch/docs/decisions/. Add a pointer file there linking to this one.

[feanil]

"For all API access" would include admin views, /oauth2/access_token/, and HMAC/webhook endpoints — none of which use JwtAuthentication. Narrow this to "DRF API endpoints that take user-authenticated requests" and list the exclusions for context.

[robrap]

@feanil: Would another way to say user-authenticated requests be password-authenticated or user-password-authenticated? I wasn't clear at first.

As an aside, for Mobile Authentication, there were some endpoints that will accept JwtAuthentication only if it has grant type password.

[feanil]

I think the target state should be not overriding the platform Defaults set in the settings files.

[Faraz32123]

SessionAuthentication and SessionAuthenticationAllowInactiveUser are different. If an endpoint only need JwtAuthentication & SessionAuthentication, then there's no need to add authentication_classes in an endpoint. What do u think?

[feanil]

hmm, ok, yes for places that are currently using SessionAuthenticationAllowInactiveUser we'll need to leave them as is as that would be a breaking change, we'll need to deal with that later. That's fine.