Jan 31, 2021

This deployed a day late as my Concourse instance fell over.


Shifting gears

This week we’ve changed focus away from building an authentication solution towards personalisation, a very nebulous term which seems to mean different things to different people. The Transition Checker will be going away at some point[1], so we need to branch out and integrate with something else on GOV.UK to avoid losing our current cohort of users.

So to that end I’ve opened an RFC to discuss what it’ll look like to have a GOV.UK-wide login session. There are a few challenges with our current architecture which make this tricky:

  • GOV.UK heavily relies on caching. If we start passing around session cookies naively, we’d be sending every request by a logged-in user to our origin servers, even for pages which don’t end up using the cookie.

  • We need to be careful we don’t introduce bugs like caching a page which includes some personalised information (eg, “Hi barrucadu” in the header) and then serving that cached copy to other users.

  • This session cookie needs to be secure and tamper-proof, which suggests signing it; but then we need to share the signing key amongst all our frontend microservices.

  • Which microservice should serve the login and logout pages and do the actual cookie manipulation? It doesn’t really make sense to leave that in the Transition Checker when this is rolled out to all of GOV.UK.
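One way the third bullet's tamper-proof cookie could work, as an added example rather than GOV.UK code or anything the RFC proposes: the issuing service appends an HMAC tag under a key shared by the frontends, and each frontend verifies it in constant time before trusting the contents. SHARED_KEY (a placeholder secret), sign_session, verify_session and cache_control_for are assumed names.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Placeholder only; in practice each frontend would read this from a secret store.
SHARED_KEY = 'placeholder-shared-signing-key'.freeze

# Serialise the session and append an HMAC-SHA256 tag computed with the shared key.
def sign_session(payload, key = SHARED_KEY)
  body = Base64.urlsafe_encode64(JSON.generate(payload), padding: false)
  tag  = OpenSSL::HMAC.hexdigest('SHA256', key, body)
  "#{body}.#{tag}"
end

# Byte-by-byte XOR accumulate so a wrong tag takes the same time whatever position differs.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Return the session hash if the tag matches, nil for a missing, malformed or tampered cookie.
def verify_session(cookie, key = SHARED_KEY)
  body, tag = cookie.to_s.split('.', 2)
  return nil if body.nil? || tag.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', key, body)
  return nil unless constant_time_equal?(tag, expected)
  JSON.parse(Base64.urlsafe_decode64(body))
rescue ArgumentError, JSON::ParserError
  nil
end

# A response that read the session must never land in the shared cache (second bullet);
# one that ignored the cookie can still be cached for everyone.
def cache_control_for(uses_session)
  uses_session ? 'private, no-store' : 'public, max-age=300'
end
```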

Prototypes? (again)

Last week I mused whether our apps were still prototypes, as they’re running in production and we’re iterating them. This week I’m a bit closer to an answer, which I think is “yes, they are”.

There have been some more discussions on what exactly the division of work between GOV.UK and Digital Identity will be and, while there are still big unknowns, I think the future is beginning to clear up.


This week I read:

  1. Now that Transition is, after all, done.