Github user amiryesh commented on the issue: https://github.com/apache/incubator-trafficcontrol/pull/567

@limited Hi, I agree with your view on the benefits of using industry-standard software wherever applicable. Let me share my view on how the API GW and the auth server are to be considered.

IMO, the auth server and API GW implementation are to be considered as an entry point towards breaking the TO monolith into a microservice architecture. The auth server is far from being production grade. It does not support standard OAuth2 flows. It probably has security flaws. More than that, user management and access control are implemented as a part of TC. I believe that in production, one would want to use different identity services to manage her users, and implement more complex authentication flows. The API GW architecture allows you to manage your users externally and provide a JWT with proper TO claims. However, this is a very complex setup. We would want users to be able to run a simple working TC instance as easily as possible. This is why the auth server was implemented.

The same rationale applies also to the API GW implementation. I agree that if we can configure nginx to do what we need, it is most likely a better fit for production. What we do get from the API GW is custom authorization code. We have our own simple code that can verify our custom claims. I don't have much nginx experience; I think that custom authorization logic is likely to be harder to configure, but maybe I'm wrong.

Hope that makes sense,
/amiry
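The comment above describes the gateway's job as verifying a JWT and then applying custom authorization on its claims. The following is an added illustration of that step, written for this page; it is not code from the pull request or from the Traffic Control project. The claim names (`sub`, `exp`, and a hypothetical `cap` capability list), the HS256 shared secret, and the `sign` helper that stands in for the auth server are all assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is a hypothetical claim set. The actual TO claims are not shown in the thread;
// "cap" stands in for whatever capability/role claim the auth server would issue.
type Claims struct {
	Subject      string   `json:"sub"`
	Expiry       int64    `json:"exp"`
	Capabilities []string `json:"cap"`
}

var b64 = base64.RawURLEncoding

// sign builds a compact HS256 JWT; it stands in for the auth server issuing a token.
func sign(c Claims, key []byte) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// verify checks the token the way a gateway should: pin the algorithm, check the
// signature in constant time, then check expiry. Only then are the claims trusted.
func verify(token string, key []byte, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "HS256" { // never let the token choose the algorithm ("none", key confusion)
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Expiry == 0 || !now.Before(time.Unix(c.Expiry, 0)) {
		return nil, errors.New("token expired or missing exp")
	}
	return &c, nil
}

// authorize is the gateway's custom step: the route demands one named capability.
func authorize(token string, key []byte, now time.Time, required string) error {
	c, err := verify(token, key, now)
	if err != nil {
		return err
	}
	for _, have := range c.Capabilities {
		if have == required {
			return nil
		}
	}
	return fmt.Errorf("user %q lacks capability %q", c.Subject, required)
}

func main() {
	key := []byte("dev-only-shared-secret") // assumption: secret shared by auth server and gateway
	now := time.Now()
	tok, _ := sign(Claims{Subject: "alice", Expiry: now.Add(time.Hour).Unix(), Capabilities: []string{"cdn-read"}}, key)
	fmt.Println("cdn-read:", authorize(tok, key, now, "cdn-read"))
	fmt.Println("cdn-write:", authorize(tok, key, now, "cdn-write"))
}
```

The order of checks matters: the algorithm is pinned before the signature is computed, the signature is compared with `hmac.Equal` before the payload is parsed, and expiry is enforced before any capability is read, so a forged, tampered or stale token never reaches the authorization logic. This is the kind of claim-specific check that is simple to write in gateway code and harder to express in a stock reverse-proxy configuration.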