Best practices

Knowing the capabilities of a product and the protocols it supports is one thing. Understanding the best way to use them is a different story.

Why not to use the implicit flow?

The implicit flow originates from the time when browsers did not support Cross-Origin Resource Sharing (CORS). The implicit flow was therefore the designated method for single-page applications.

However, it is less secure because it can leak the access token, for example into the browser's history. And because no refresh tokens are issued, long-lived access tokens were often used.

Instead of the implicit flow, the authorization code grant is recommended, but unlike the traditional variant, one that does not require a client secret for exchanging the authorization code for an access token.

What to use for mobile apps

For mobile apps, you likely want to use PKCE. PKCE ensures the access token is issued to the relying party that started the flow, even if this application is not served over https, as is the case for mobile apps.

If a mobile application is linked to an https domain, it is safe to use the public authorization code grant flow, like you would for single-page applications.
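As an added example (not code from the original page or from the product it describes), the following Python shows what PKCE adds to the public authorization code grant: the client keeps a random code_verifier, sends only its SHA-256 based code_challenge with the authorization request, and the token endpoint redeems the code only when the matching verifier is presented. The AuthorizationServer class and run_flow() are constructed stand-ins for the two sides of the exchange; the encoding and verification rules follow RFC 7636.

```python
# Added example (not from the original page): PKCE code_verifier /
# code_challenge generation and verification as specified in RFC 7636.
import base64
import hashlib
import secrets

# The unreserved characters RFC 7636 permits in a code_verifier.
VERIFIER_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def b64url_nopad(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(length: int = 64) -> str:
    """Client side: a high-entropy random string of 43..128 permitted characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43 to 128 characters long")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def make_code_challenge(verifier: str) -> str:
    """Client side, S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(verifier: str, challenge: str, method: str = "S256") -> bool:
    """Authorization server side, at the token endpoint: recompute the
    challenge from the presented verifier and compare it with the one stored
    when the authorization code was issued."""
    if method == "S256":
        expected = make_code_challenge(verifier)
    elif method == "plain":   # permitted by the RFC, but gives no protection
        expected = verifier   # if the authorization request itself is observed
    else:
        return False
    return secrets.compare_digest(expected, challenge)


class AuthorizationServer:
    """Minimal stand-in (constructed for this example) for the server's
    bookkeeping: it stores the challenge next to each issued code and only
    redeems a code when the matching verifier is presented."""

    def __init__(self) -> None:
        self._codes: dict[str, str] = {}

    def authorize(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        challenge = self._codes.pop(code, None)  # authorization codes are single-use
        return challenge is not None and verify_pkce(code_verifier, challenge)


def run_flow() -> tuple[bool, bool]:
    """One flow end to end: the client that kept the verifier redeems its code;
    a party holding only a code (but not the verifier) cannot."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))
    other_code = server.authorize(make_code_challenge(verifier))
    return server.token(code, verifier), server.token(other_code, make_code_verifier())
```

The S256 method is the one to require in practice: the challenge sent in the authorization request reveals nothing about the verifier, so the later token request is bound to the client that generated it even though that client has no secret of its own.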

When to choose SAML?

In general, OpenID Connect is preferred over SAML for newly developed applications.

While SAML was the protocol to use for authentication before the introduction of OpenID Connect, OpenID Connect is now the better alternative.

How to use OAuth without navigating the user away to a (remote) identity provider?

has implemented OAuth 2.0 Web Message Response Mode.

This specification allows showing an overlay with a login box on your web service. A user stays within the context of the application they are using, but can still make use of secure single sign-on capabilities.

Preventing identity silos

In the early days of software development the only option was to register users and their authorizations in every application individually. After a while, organizations started to realize this does not scale very well. Soon technologies like X.500 and later LDAP directories became common. This solved the problem of identity silos: the phenomenon that every application keeps its own list of users.

These directories have their drawbacks. Problems with trust and confidentiality greatly limit the use of LDAP directories in the cloud. On top of this, modern authentication methods and multi-factor authentication are difficult to implement with LDAP. A modern solution should still prevent the introduction of new identity silos, and leverage the functionality of an identity provider. This allows storing identity data in one single source of truth, and leveraging all the security and user experience functionality that comes with it.

How to ensure single logout

If you think single sign-on is difficult to implement, you probably never thought about single logout.

Single logout has been around for years, but the number of implementations is limited.

When not to use JSON Web Tokens (JWT)

The advantage of JWTs is that one does not depend on a (remote) connection for validating a token and for obtaining the related (user) claims.

The disadvantage of solely relying on the JWT signature and not on a (remote) introspection call is that one cannot know if a token has been revoked.
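The following Python, added here as an example and not taken from the original page or the product it describes, makes the trade-off concrete. verify_jwt_locally() does everything a stateless verifier can do (structure, algorithm, signature, expiry) using only the standard library with an HS256 key constructed for the example; accept_token() adds a revocation lookup keyed on the jti claim, where the in-memory set stands in for an introspection call to the authorization server. demo() shows that after revocation the signature still verifies and only the revocation-aware check rejects the token.

```python
# Added example (not from the original page): local (stateless) JWT
# validation beside a revocation check. HS256 with a constructed demo key so
# that it runs offline; the revocation set stands in for token introspection.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Issue a compact HS256 JWT: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def verify_jwt_locally(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Everything a verifier can check without a network round trip:
    structure, algorithm, signature and expiry. Returns the claims or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        # Pin the expected algorithm: refuses 'none' and any other alg value.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def accept_token(token: str, key: bytes, revoked_jtis: set, now: Optional[int] = None) -> Optional[dict]:
    """Signature check plus a revocation lookup on the 'jti' claim. In
    production the lookup is an introspection call or a replicated revocation
    list; here it is a constructed in-memory set."""
    claims = verify_jwt_locally(token, key, now)
    if claims is None or claims.get("jti") in revoked_jtis:
        return None
    return claims


def demo() -> tuple:
    """After revocation the signature still verifies; only the
    revocation-aware check rejects the token."""
    key = b"constructed-demo-key-do-not-reuse"
    token = mint_jwt({"sub": "alice", "jti": "tok-001", "exp": 2_000_000_000}, key)
    now = 1_700_000_000
    revoked = {"tok-001"}  # the authorization server has revoked this token
    return (
        verify_jwt_locally(token, key, now) is not None,    # True: signature valid
        accept_token(token, key, revoked, now) is not None,  # False: revoked
    )
```

The practical consequence for a design is to keep JWT lifetimes short when you rely on local validation only, and to add an introspection call or a replicated revocation list (as accept_token does) wherever a revoked token must stop working before it expires.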

Where to enforce access rights?

In most cases the best practice is to enforce access rights on your endpoints. That is: do not enforce access rights on some middleware layer like an API gateway, but enforce them as close as possible to where your data is or where actions are executed.

In some situations, it is better to enforce access rights on an API gateway. This certainly provides management advantages and may provide better insight. In the long run, traditional API gateways can become very hard to manage due to their growing complexity. Solutions exist, however, to deploy individual so-called micro API gateways close to your applications: one API gateway for every application you manage.
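To illustrate why enforcement belongs next to the data, here is an added Python example (not from the original page or the product it describes) that runs the same request through a coarse gateway rule and through the endpoint that owns the record. The routes, scopes and invoice store are constructed for the example; the gateway only sees the URL and the caller's scopes, while get_invoice() can also check who owns the invoice being requested.

```python
# Added example (not from the original page): the same request checked once
# by a coarse gateway rule and once by the endpoint that owns the data.
# Routes, scopes and the invoice store are constructed for the example.
from dataclasses import dataclass
from typing import FrozenSet

# Constructed data store: each record has an owner the gateway never sees.
INVOICES = {
    1: {"owner": "alice", "amount": 120},
    2: {"owner": "bob", "amount": 80},
}

# What a gateway typically knows: which scope a route prefix requires.
ROUTE_SCOPES = {"/invoices/": "invoices:read"}


@dataclass(frozen=True)
class Principal:
    sub: str
    scopes: FrozenSet[str]


class Forbidden(Exception):
    pass


def gateway_authorize(principal: Principal, path: str) -> bool:
    """Coarse-grained: maps the URL to a required scope. It cannot know
    whether the record behind the URL belongs to the caller."""
    for prefix, scope in ROUTE_SCOPES.items():
        if path.startswith(prefix):
            return scope in principal.scopes
    return False  # unknown routes are denied by default


def get_invoice(principal: Principal, invoice_id: int) -> dict:
    """Fine-grained, enforced where the data lives: scope and ownership."""
    if "invoices:read" not in principal.scopes:
        raise Forbidden("scope invoices:read required")
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != principal.sub:
        # Same answer for 'missing' and 'not yours' so existence is not leaked.
        raise Forbidden("invoice not accessible")
    return invoice


def serve(principal: Principal, invoice_id: int, enforce_at_endpoint: bool = True) -> str:
    """Simulated request path: gateway first, then (optionally) the endpoint."""
    path = f"/invoices/{invoice_id}"
    if not gateway_authorize(principal, path):
        return "403 (gateway)"
    if not enforce_at_endpoint:
        # Trusting the gateway alone: any caller with the scope reads any invoice.
        invoice = INVOICES.get(invoice_id)
        return "404" if invoice is None else f"200 amount={invoice['amount']}"
    try:
        invoice = get_invoice(principal, invoice_id)
    except Forbidden:
        return "403 (endpoint)"
    return f"200 amount={invoice['amount']}"
```

With enforce_at_endpoint=False the gateway happily serves bob's invoice to alice because she holds the invoices:read scope; with the endpoint check in place the same request is refused. A gateway (or micro gateway) can still be useful for the coarse scope check, logging and rate limiting, but the ownership decision has to be made by the code that can see the record.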

Authentication methods and preventing phishing attempts


Can I use JWTs without OAuth?

Yes, you can use JSON Web Tokens (JWT) without OAuth. However, this requires inventing your own token issuing protocol.

A central concept within OAuth is the issuing of access tokens. Access tokens could be opaque, but just as well in JWT format. Without using OAuth, you should think of another secure way to issue a JWT to a client system.