Authentication & Authorization
In practically all web applications we have a sign-in mechanism. Once signed in, you are identified to the web application and can leave comments, buy products, change personal settings and use whatever functionality the application offers. The ability of your application to verify that you are who you say you are is called Authentication. Authorization, by contrast, is the permissions mechanism that decides what each user is allowed to do.
There are a couple of ways you can go with authentication and authorization:
The manual solution – Most web frameworks have support for authentication and authorization (usually with JWT tokens). If not, there is always a free third-party library available. This means you can implement basic auth mechanisms yourself.
External Identity Server – There are several open-source and commercial identity providers that implement the OpenID Connect standard. This means that client-server communication will involve a dedicated identity server. The advantage is that these servers have already implemented a range of auth features for you. These might include:
Single sign-on and sign-out with different application types
Built-in support for external identity providers (Google, Facebook,…)
Role-based permissions (authorization)
Multi-factor authentication
Compliance with standards like ISO, SOC2, HIPAA,…
Built-in analytics and logs
Your cloud provider probably has an identity server, like AWS Cognito or Azure Active Directory B2C.
Notable open-source solutions are: IdentityServer, MITREid Connect, Ipsilon.
Notable commercial solutions are: Auth0, Okta, OneLogin.
Make sure to do some price calculations before committing to a commercial solution like Auth0. They tend to get pricey, and an open-source implementation is also a good option.
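As an added example (not code from the original page) of the manual JWT route described above, here is a minimal HS256 token issuer and verifier in Python that keeps the two concepts apart: authenticate() proves who the caller is (signature and expiry), while authorize() checks what a verified identity is permitted to do (a role claim). The secret, subject and role names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(secret: bytes, subject: str, roles: list, ttl: int, now=None) -> str:
    """Sign-in step: the server mints an HS256 JWT carrying identity (sub) and roles."""
    now = time.time() if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": subject, "roles": roles, "exp": int(now + ttl)}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def authenticate(secret: bytes, token: str, now=None) -> dict:
    """Authentication: prove the token was issued by us and is still valid."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        raise PermissionError("malformed token")
    # Pin the algorithm: the token must never choose how it is verified ("none", or RS256 against our HMAC key).
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if payload.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return payload

def authorize(identity: dict, required_role: str) -> bool:
    """Authorization: a verified identity still needs the right permission for this action."""
    return required_role in identity.get("roles", [])

DEMO_SECRET = b"constructed-demo-secret-do-not-use"  # constructed value for the demo only
if __name__ == "__main__":
    token = issue_token(DEMO_SECRET, "alice", ["user"], ttl=3600)
    who = authenticate(DEMO_SECRET, token)
    print(who["sub"], "may administer users:", authorize(who, "admin"))
```

A forged token with an "admin" role fails at authenticate() (bad signature) before authorize() is ever consulted; a genuine token for a plain user passes authenticate() but still fails authorize() for admin actions.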