
For effortless login, look no further than user authentication via a Social experience.
Social delegates login to providers such as Facebook, Google, LinkedIn and others, which gives you not only robust user authentication but also access, with the user's consent, to the wealth of user information those platforms maintain.

Hi, I’m Peter Fernandez, and as a CIAM expert, I want to share my experience building modern Social authentication into modern applications.
Browser-based Authentication
Social authentication is typically achieved using a workflow initiated via the browser. For Mobile or Native Apps this should be the system browser or an in-app browser tab rather than an embedded web view: RFC 8252 (OAuth 2.0 for Native Apps) recommends an external user agent precisely because an embedded view lets the app observe the user's credentials and denies the provider any way to tell the app apart from a genuine browser. A browser-based workflow provides the most secure mechanism for communication and allows the upstream Social provider platform to interact with the user dynamically if required (consent, step-up MFA, re-authentication). It also provides the flexibility to leverage modern capabilities such as SSO and Passkeys.
Using Authorization Code Flow
By today's standard, almost all browser-based interactions that use OIDC and OAuth 2.0 should use the Authorization Code Flow, typically with PKCE (RFC 7636), which is a must for public clients such as SPAs and native apps that cannot keep a client secret; the older Implicit Flow, which returned tokens in the URL fragment, is deprecated by the OAuth 2.0 Security Best Current Practice. Authorization Code Flow with PKCE provides the most secure and trusted context for authenticating a user and for exchanging the resulting authorization code for tokens: the code travels through the browser, but it can only be redeemed by the client that holds the matching code verifier, and only once.
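To make the flow concrete, here is an added example (not the author's code and not any provider's SDK) of Authorization Code Flow with PKCE in Python. It generates the verifier/challenge pair, builds the authorization request with state and nonce, checks state on the callback, and redeems the code. The provider side is a constructed offline stand-in (FakeProvider, with hypothetical endpoint URLs and client registration) that performs the checks a real provider performs, so running it also shows why an intercepted code is useless without the verifier and why a code cannot be redeemed twice.

```python
import base64
import hashlib
import secrets
import urllib.parse

# Hypothetical endpoints and client registration; not a real Social IdP.
AUTHZ_ENDPOINT = "https://idp.example.com/authorize"
CLIENT_ID = "my-public-client"
REDIRECT_URI = "https://app.example.com/callback"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def challenge_for(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair():
    """(code_verifier, code_challenge). 32 random bytes encode to 43 base64url
    characters, inside the 43..128 length range RFC 7636 allows."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, challenge_for(verifier)


def build_authorization_url(challenge: str, state: str, nonce: str) -> str:
    """Front-channel request the browser is sent to. 'state' ties the callback
    to this browser session (CSRF defence); 'nonce' is echoed in the ID Token."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHZ_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Pull the code out of the redirect back to us, refusing a mismatched state."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    return query["code"][0]


class FakeProvider:
    """Constructed offline stand-in for the provider's authorization and token
    endpoints. A real provider performs the same checks on redemption: the code
    is single use, redirect_uri must match, and the verifier must hash to the
    challenge stored with the code."""

    def __init__(self):
        self._codes = {}  # code -> code_challenge recorded at authorization time

    def authorize(self, authorization_url: str) -> str:
        """Pretend the user signed in and consented; return the redirect the
        browser would follow, carrying a fresh code bound to the challenge."""
        q = urllib.parse.parse_qs(urllib.parse.urlparse(authorization_url).query)
        if q.get("code_challenge_method") != ["S256"]:
            raise ValueError("S256 is required")
        code = secrets.token_urlsafe(24)
        self._codes[code] = q["code_challenge"][0]
        back = {"code": code, "state": q["state"][0]}
        return q["redirect_uri"][0] + "?" + urllib.parse.urlencode(back)

    def token(self, code: str, code_verifier: str, redirect_uri: str) -> dict:
        challenge = self._codes.pop(code, None)  # single use: a replay lands here
        if challenge is None or redirect_uri != REDIRECT_URI:
            return {"error": "invalid_grant"}
        if not secrets.compare_digest(challenge_for(code_verifier), challenge):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def login(idp: FakeProvider, steal_code: bool = False) -> dict:
    """The whole round trip as the client sees it. With steal_code=True the code
    is redeemed by a party that never held the verifier, as happens when a
    redirect is intercepted; PKCE makes that redemption fail."""
    verifier, challenge = make_pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    callback = idp.authorize(build_authorization_url(challenge, state, nonce))
    code = parse_callback(callback, state)
    presented = make_pkce_pair()[0] if steal_code else verifier
    return idp.token(code, presented, REDIRECT_URI)


if __name__ == "__main__":
    idp = FakeProvider()
    print(login(idp))                   # {'access_token': ..., 'token_type': 'Bearer'}
    print(login(idp, steal_code=True))  # {'error': 'invalid_grant'}
```

The verifier never leaves the client until the back-channel token request, and the provider stores only its hash, which is what makes the authorization code safe to pass through the browser. A confidential client (server-side web app) would additionally authenticate to the token endpoint with its client secret; PKCE still belongs there as a defence against code injection.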
Via OIDC…
Social leverages OpenID Connect for user authentication. OpenID Connect (a.k.a. OIDC) is an industry-standard authentication layer built on top of OAuth 2.0 that requires minimal configuration. When both ends of a conversation speak OIDC, a valid user-authenticated context is conveyed by a signed JWT ID Token rather than by explicit UserID/Password credential validation at your application; your application (the relying party) must validate that token's signature, issuer, audience, expiry and nonce before treating it as a login.
…or OAuth 2.0
In some situations, the upstream conversation with a Social IdP can also use the plain OAuth 2.0 protocol on which OIDC is built. In this case an Access Token, the OAuth 2.0 security artefact issued in a valid user-authenticated context, is what you receive, and user information is obtained by presenting it to the OIDC-defined /userinfo endpoint (or, for a provider that speaks only OAuth 2.0, to that provider's own profile API). Be aware that an Access Token is by itself proof of authorization rather than of who authenticated: before treating one as a login, confirm it was issued to your client (for example via the provider's token validation or introspection endpoint), and check that the subject of the profile you fetch matches the identity you expect.
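As an added example covering both the OIDC and the OAuth 2.0 cases above (not the author's code or any vendor's library), the following Python shows the checks a relying party makes before trusting an ID Token, the sub consistency check for a /userinfo response, and the stable key to use for the local account. The issuer, client_id and key are hypothetical. So that it runs offline, the demo token is signed with HS256 using a constructed key; real Social providers sign with an asymmetric key (RS256) fetched from their JWKS endpoint, so in production the signature step is done by a JOSE library against that key and the remaining checks are unchanged.

```python
import base64
import hashlib
import hmac
import json
import time

# What the relying party knows from registering with the provider.
# Hypothetical values; a real Social IdP's issuer, client_id and keys differ.
EXPECTED_ISSUER = "https://idp.example.com"
CLIENT_ID = "my-public-client"
# Constructed offline stand-in for the provider's signing key (HS256). Real
# Social providers sign ID Tokens with an asymmetric key, usually RS256, from
# their JWKS URL; only the signature primitive differs, the claim checks do not.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
EXPECTED_ALG = "HS256"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_demo_id_token(claims: dict, key: bytes = DEMO_KEY, alg: str = EXPECTED_ALG) -> str:
    """Mint a JWT so the checks can run offline; a relying party never does this."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token: str, expected_nonce: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """The ID Token checks from OIDC Core 3.1.3.7 a relying party must pass
    before treating the token as a login. Returns the claims, or raises
    ValueError naming the failed check."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except Exception as exc:
        raise ValueError(f"malformed token: {exc}")
    # Pin the algorithm: the token's own header must never choose the verifier.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected_sig = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if "azp" in claims and claims["azp"] != CLIENT_ID:
        raise ValueError("azp is not this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: replayed or injected token")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def id_token_error(token: str, expected_nonce: str, key: bytes = DEMO_KEY, now=None):
    """Same checks, returning the failure reason instead of raising (None when valid)."""
    try:
        validate_id_token(token, expected_nonce, key, now)
        return None
    except ValueError as exc:
        return str(exc)


def check_userinfo(userinfo: dict, id_token_claims: dict) -> dict:
    """OIDC Core 5.3.2: the 'sub' in the /userinfo response MUST equal the ID
    Token's 'sub'. 'userinfo' is the JSON body returned by GET /userinfo sent
    with 'Authorization: Bearer <access_token>'."""
    if userinfo.get("sub") != id_token_claims["sub"]:
        raise ValueError("userinfo sub does not match ID Token sub")
    return userinfo


def account_key(claims: dict) -> tuple:
    """Key the local account on (iss, sub): 'sub' is stable and unique per issuer,
    whereas email can change, be unverified, or be reissued to another person."""
    return (claims["iss"], claims["sub"])
```

The nonce check is what ties the ID Token to the authorization request your own session started; without it a token obtained in some other session can be injected at your callback. Keying accounts on (iss, sub) rather than on email avoids the classic account takeover where a provider hands out an unverified email address that already belongs to one of your users.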
Why Use Social?
Social is an invaluable tool for improving user experience, enhancing security, and streamlining account management as part of a broader Customer Identity and Access Management (CIAM) solution. By offering users the ability to log in via trusted third-party platforms like Facebook, Google, and LinkedIn, you can reduce friction during the onboarding process, increase customer retention, and lower operational costs.
Buy vs DIY
You could build an in-house custom solution yourself; it is certainly an option, particularly if you have a team with the time, capacity, knowledge and expertise to develop SSO; deploy and maintain attack protection; implement OIDC and/or SAML for authentication, Social and/or (Enterprise) Federation; implement Passwordless, Passkeys and/or MFA; and, optionally, OAuth 2.0 for API authorization.
The alternative is to integrate with a SaaS solution provided by one of the popular vendors, and the cost of subscribing to one of these typically depends on the features you use and the number of active consumer identities you have.
With vendor-based CIAM, the cost is largely that of the platform hosting the backend service(s) that deliver authentication, authorization, management and attack protection. If you are building consumer-oriented software, much of that infrastructure (cloud-based compute, database, network resources, etc.) is probably already in place because your own solution needs it, and delivering it at scale may already be something you have to do.
Deploying a standards-based open-source DIY solution within your existing infrastructure might provide a more cost-effective approach — delivering secure and robust CIAM without the need to build everything yourself and with the added benefit of more flexibility and control.
Got questions?
Feel free to reach out!