 |
VOOZH | about |
|
VOOZH | about |
We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.
Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.
Follow TNS on your favorite social media networks.
Become a TNS follower on LinkedIn.
Check out the latest featured and trending stories while you wait for your first TNS newsletter.
User authentication has always been a complex topic for organizations building digital services. You need to implement low-level security to manage credentials so that malicious actors cannot perform account takeover attacks and gain access to data that belongs to your customers.
Yet many organizations fail to recognize that user authentication for your digital services will evolve. There are a handful of reasons why you might need to change authentication methods:
Effectively managing these types of concerns requires insight. Therefore, I will explain how you can implement authentication and then easily change the method(s) used, both to keep your security up to date and to meet your business requirements.
Many modern applications use the OAuth 2.0 authorization framework, a family of specifications to secure APIs and their clients. Typically, you use OAuth together with related standards like OpenID Connect. I won’t dive into specific security details here. Instead, I will explain how OAuth provides you with a powerful design pattern to manage user authentication.
When using OAuth, your frontend application (described in OAuth as the client) initiates user authentication by running a code flow using the system browser. The user (described in OAuth as the resource owner) then signs in using the login forms provided by your authorization server. Your client receives an authorization code in the browser response and swaps it for an access token containing the user’s identity and permissions. When calling your APIs, your client uses the access token as a message credential. Here’s an example of a high-level sequence:
It’s common to misunderstand the authentication part of OAuth. Developers might have heard technical statements like, “OAuth is not an authentication protocol” and think OAuth does not help with authentication, or that OAuth should only be used when you need toOgrant access to a third party.
Yet OAuth is a complete and modern security framework for any solution involving APIs, clients and users. Implementing OAuth correctly should provide your clients with flexibility so that you can scale the way user authentication works and thus improve your business options.
The statement that “OAuth is not an authentication protocol” does not mean that OAuth bypasses user authentication. Rather, it means that the OAuth standards do not define the way you prove user identities — they are left to the implementation of the authorization server. The reason for this is that there are myriad possible solutions for user authentication. These are constantly evolving and range from state-of-the-art authentication methods, like passkeys to vendor-specific or bespoke solutions that you may have to use.
To understand how authentication scales with OAuth, you should gain a deeper appreciation of what the code flow enables. The best authorization servers offer many sophisticated categories of user authentication methods:
Sometimes, upgrades to an authorization server provide new security standard implementations. For example, passkeys use WebAuthn standards from the FIDO alliance and logins with digital wallets may require a Digital Credentials Protocols (DCP) implementation.
Yet, above all else, the code flow is a design pattern that provides business value. Rather than developers struggling with security, they outsource it so that user authentication is forever separated from your frontend applications. When you need to change the way users authenticate, you do so at the authorization server with zero code changes to your applications.
You often need to integrate a subset of users with a particular external authentication system. This type of system is usually described as an identity provider (IDP). An IDP often implements an organizational security policy for your organization’s employees or those of your business partners. When an employee joins an organization, an account may be created in the IDP. If the employee later leaves the organization, the account is deactivated to deny access to all systems, including your frontend application.
As a design pattern, the code flow copes elegantly with this requirement. One of the authorization server’s authentication methods should enable a second code flow that the authorization server implements to connect to an OAuth-based external IDP. Your authorization server may also be able to connect to IDPs using other security protocols, like SAML 2.0.
Therefore, when planning your next-generation user authentication, consider how different sets of users will authenticate in the coming years. The following diagram provides an example where you use passkeys as the default. Meanwhile, your employees can log in with their cloud provider, such as Microsoft Entra ID, and each of your business partners can integrate their IDP.
👁 Using passkeys as the default.
Once you have different authentication methods per user type, you need to deal with authentication selection. By default, your authorization server might present a list of all authentication methods to all users. Yet this may lead to confusion if a user chooses the wrong option and cannot sign in.
To prevent this, your authorization server should first enable you to present a form to prompt the user for an identifier, such as a username or email. You can then apply custom logic, such as looking up the user’s tenant ID, to determine the user’s authentication method and then route them directly to it. Such a login user experience can also help to ensure that the same user identity is issued to access tokens when the user’s primary authentication method changes.
The world of authentication is not just about security standards. You could run into requirements that do not fit cleanly into OAuth:
No authorization server provides built-in options that cover all possible ways to authenticate users. You might therefore run into a blocking issue. Some developers may revert to implementing custom authentication within their frontend applications. Yet the developer will then discover that they do not receive the correct access token with which to call their APIs. Any workarounds to enable API access would add significant complexity and technical debt.
Instead, extensibility is a critical behavior to look for in your authorization server. For example, the authorization server may enable you to use or develop plugins that meet your custom authentication requirements. Your frontend applications then continue to run a code flow. You compose the authorization server’s built-in behaviors with custom extensions you develop.
While this approach still requires some development effort, the benefit is you remain within the OAuth framework and implement all responsibilities in the correct places, including auditing of login attempts. You should be able to implement any possible custom authentication and avoid ever being blocked. When required, multiple clients can reuse your customizations.
Finally, when customizing authentication, you should not change your authorization server’s core code. Doing so could result in security mistakes or additional work when you upgrade the authorization server.
You can take full control over authentication requirements in any type of frontend application if you follow these steps:
Therefore, the next time you need to change the way user authentication works, consider upgrading to the OAuth approach to improve the capabilities and reach of your applications. Ensure that your authorization server provides a security toolbox with the design patterns you need to use. You can read much more about the approach in our website resources:
