These days I hope every developer has had it banged into them that they should never, under any circumstances, implement their own authentication scheme for an application. It is one of the most dangerous categories of problem: one that on the face of it appears simple, but at almost every step offers many more ways to get it wrong than to get it right. Problems that look complicated are less dangerous, because we know to leave them to the professionals. They can still get it wrong, but at least we played our role correctly.
If you don't implement your own authentication mechanism, you have two options: use a well-maintained library, or offload the responsibility for authentication (and optionally authorization) to another platform such as an identity provider. The latter approach brings a myriad of other benefits, Single Sign-On for example.
OpenID Connect, an identity layer built on top of the OAuth 2.0 authorization framework, is the most widely used protocol for federated authentication and authorization. Matt has troubleshot projects that struggled to implement secure authentication correctly. At the time of writing, many consultancies working in the Enterprise Applications marketplace are in the relatively early days of working with modern cloud-based authentication schemes. It is very easy to implement these poorly, with the risk that a supposedly secure system can be easily compromised: a client that accepts an ID token without checking its signature, issuer, audience, expiry and nonce is effectively unauthenticated. It is important to ensure that penetration testing of any custom application includes a focus on how its resources are authenticated and authorized.
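To make "implemented poorly" concrete, the following is an added example (not code from the original page or from Matt's engagements) of the checks an OpenID Connect relying party must apply to an ID token before trusting it. It uses HS256 with a shared client secret so that it runs with the Python standard library alone; real deployments normally use RS256/ES256 keys fetched from the provider's JWKS endpoint through a vetted library, and the point of the example is the list of checks that library must be configured to perform. The issuer, client_id, secret and nonce values are constructed for the demonstration.

```python
"""Checks an OpenID Connect relying party must apply to an ID token.

Added example, not the original page's code. HS256 (shared client secret)
is used only so this runs offline with the standard library; production
clients should verify RS256/ES256 signatures against the provider's JWKS
with a maintained library. All identifiers below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

EXPECTED_ISS = "https://idp.example.test"    # constructed issuer URL
EXPECTED_AUD = "my-client-id"                 # constructed client_id
CLIENT_SECRET = b"constructed-shared-secret"  # constructed
ALLOWED_ALGS = {"HS256"}                      # never take alg from the token alone
CLOCK_SKEW_SECONDS = 60


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Mint a token the way a toy provider would (used to build sample input)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    if alg == "none":
        signature = ""  # the classic "alg: none" bypass attempt
    else:
        signature = _b64url(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())
    return signing_input + "." + signature


def validate_id_token(token: str, expected_nonce: str, now: Optional[float] = None) -> dict:
    """Return the verified claims, or raise ValueError naming the failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))

    # 1. Algorithm must come from the client's allow-list; rejects alg=none
    #    and algorithm-confusion attacks.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("disallowed alg")

    # 2. Verify the signature before trusting any claim; constant-time compare.
    expected_sig = hmac.new(CLIENT_SECRET, (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(p_b64))

    # 3. Issuer must match exactly, not by prefix or substring.
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("unexpected issuer")

    # 4. Audience must include this client_id; a valid token minted for a
    #    different client at the same IdP must not log users in here.
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else (aud or [])
    if EXPECTED_AUD not in aud_list:
        raise ValueError("audience mismatch")
    if "azp" in claims and claims["azp"] != EXPECTED_AUD:
        raise ValueError("azp mismatch")

    # 5. Lifetime checks with a small skew allowance.
    if claims.get("exp") is None or now > claims["exp"] + CLOCK_SKEW_SECONDS:
        raise ValueError("token expired")
    if claims.get("iat") is not None and claims["iat"] > now + CLOCK_SKEW_SECONDS:
        raise ValueError("token issued in the future")

    # 6. Nonce binds the token to this login attempt (replay protection).
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def rejection_reason(token: str, expected_nonce: str, now: Optional[float] = None) -> Optional[str]:
    """Convenience wrapper: None if the token is accepted, else the failed check."""
    try:
        validate_id_token(token, expected_nonce, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    now = time.time()
    good = make_id_token({"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "user-1",
                          "exp": now + 300, "iat": now, "nonce": "n1"}, CLIENT_SECRET)
    print("good token:", rejection_reason(good, "n1", now))
    forged = make_id_token({"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "admin",
                            "exp": now + 300, "iat": now, "nonce": "n1"}, b"", alg="none")
    print("alg none:", rejection_reason(forged, "n1", now))
```

Each numbered check corresponds to a failure mode seen in real relying parties: skipping the audience check lets a token issued to any other application at the same identity provider authenticate users here, and skipping the nonce check lets a captured token be replayed. When you use a library, confirm these checks are enabled rather than assuming they are on by default.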
Contact Matt
Please contact Matt to discuss your authentication / authorization challenges.