Applications
End users are typically authenticated from web or native mobile applications. It does not matter whether an existing application is being ported to the centralized IAM or the application is developed from scratch. From a security point of view, custom login pages or forms in the application should be avoided: collecting user credentials directly in the application exposes the password to every application that handles it and to attacks aimed at harvesting usernames and passwords, and such forms usually depend on the OAuth 2.0 Resource Owner Password Credentials grant, which current OAuth 2.0 security guidance deprecates. Custom login pages also forfeit IAM-supported features such as MFA (multi-factor authentication), social login integrations and SSO (single sign-on). The recommended approach is to redirect the end user to the login page of the trusted Identity Provider (IAM) for authentication. This matters even more in SSO scenarios, where the single login page provided by the IAM is used by all applications.
Application Types
First Party Applications
These applications are owned by the enterprise (your company), so they are considered internal and trusted (we know what is inside). It does not matter who developed the application; it can be developed in house or by a contractor. Internal applications do not ask the user to grant them access to resources on the user's behalf (consent); access is granted implicitly. Note that "trusted" only covers the consent decision: the client registration (redirect URIs, allowed grant types, client authentication) is still enforced by the IAM exactly as for any other client.
Third Party Applications
These applications are not owned or managed by the enterprise (your company), so they are considered external and untrusted (we don't know what is inside). Such applications are developed by third parties that need to integrate with resources owned by a user and managed by services provided by the enterprise itself, or by enterprise customers. External applications must ask the user to grant access (consent) to resources on the user's behalf; access is granted explicitly by the end user and should be limited to the scopes the user approved.
Web Applications
Web applications come in several sub-types; nowadays the most common are SPAs (Single Page Applications) and PWAs (Progressive Web Applications).
- Server Side Web Applications - they run on a backend application server, which renders the web pages directly. They are implemented with frameworks such as Spring MVC. Because the code runs on a server, such an application can keep a client secret and act as a confidential OAuth 2.0 client.
- SPA (Single Page Applications) - JavaScript applications running in the browser, implemented with frameworks such as Angular, Vue or React. All of their code is delivered to the user agent, so they cannot keep a client secret and are public clients; they should use the Authorization Code flow with PKCE rather than the Implicit flow.
Native Mobile Applications
They target the mobile platforms Android and iOS and are written in the programming languages supported by the respective platform. They have access to the phone's hardware and services, so they can provide a great end-user experience. Like SPAs they are public clients: a secret compiled into the app can be extracted, so they should authenticate through the system browser using the Authorization Code flow with PKCE (RFC 8252, OAuth 2.0 for Native Apps) rather than an embedded web view or a custom login form.
Desktop Applications
Web and native mobile applications prevail these days, but desktop applications are still an option. From the IAM point of view they behave like native mobile applications: public clients that should use the system browser and the Authorization Code flow with PKCE.
Application Integration with Centralized IAM
The integration depends on the chosen application architecture and technology stack, but in general there are two integration styles, depending on where the integration code is located: the integration can be Embedded in the application, or Indirected to another component (a proxy, for instance). When we speak about application integration we focus on the authentication-related functionality. The IAM solution is based on the open standards OAuth 2.0 and OpenID Connect, so application client developers should follow these standards. OAuth 2.0 / OpenID Connect client libraries are available for various platforms, and components such as API gateways or web servers support integration via OAuth 2.0 / OpenID Connect plugins that provide the functionality out of the box. Whichever style is chosen, the client must bind the callback to the request it started (state), use PKCE, and validate the ID token (signature, issuer, audience, expiry, nonce) before treating the user as authenticated.
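The redirect-to-IdP login recommended in the Applications section and the embedded OAuth 2.0 / OpenID Connect client integration described above, as an added example that is not code from this page or from any IAM product: the client-side steps of the Authorization Code flow with PKCE that can be checked offline (building the authorization request, validating the callback, and validating ID token claims). The issuer, endpoint, client_id and redirect URI values are assumptions; the code exchange at the token endpoint and the ID token signature check against the issuer's JWKS are left to the OIDC client library and are not shown.

```python
"""Authorization Code flow with PKCE: the client-side pieces that need no network.
Added example; endpoint and client values below are hypothetical."""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed IdP and client registration (hypothetical values).
ISSUER = "https://iam.example.com/realms/enterprise"
AUTHORIZATION_ENDPOINT = ISSUER + "/protocol/openid-connect/auth"
CLIENT_ID = "web-portal"
REDIRECT_URI = "https://portal.example.com/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as required by RFC 7636 and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge(code_verifier: str) -> str:
    """S256 challenge per RFC 7636: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorization_request(scope: str = "openid profile"):
    """Return (redirect URL, pending) where pending holds the per-request secrets
    the client must keep (server session, or sessionStorage for an SPA)."""
    pending = {
        "state": secrets.token_urlsafe(32),               # ties callback to this request (CSRF)
        "nonce": secrets.token_urlsafe(32),               # ties the ID token to this request
        "code_verifier": b64url(secrets.token_bytes(32)), # PKCE verifier, 43 chars
    }
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": pending["state"],
        "nonce": pending["nonce"],
        "code_challenge": code_challenge(pending["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params), pending


def parse_callback(callback_url: str, pending: dict) -> str:
    """Validate the redirect back from the IdP and return the authorization code.
    Raises ValueError for anything that must abort the login."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    state = qs.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, pending["state"]):
        raise ValueError("state mismatch: possible CSRF or stale request")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("callback without authorization code")
    return code  # next step: POST code + code_verifier to the token endpoint


def validate_id_token_claims(claims: dict, pending: dict, now: float = None) -> bool:
    """OIDC Core 3.1.3.7 checks on an ID token whose signature has ALREADY been
    verified against the issuer's JWKS (the JWT library does that part)."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        return False
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        return False
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:  # multiple audiences need azp
        return False
    if claims.get("exp", 0) <= now:
        return False
    if claims.get("nonce") != pending["nonce"]:  # replayed or foreign ID token
        return False
    return True
```

The state and nonce are generated per request and compared with constant-time equality; a callback carrying a state the client never issued is rejected before the code is ever sent to the token endpoint. The `code_challenge` function reproduces the RFC 7636 Appendix B vector, so it can be checked against a known value.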
Client Architectures overview
At a high level, the application architecture can include Frontend and Backend components.
- Frontend - represents the application code executing in the user agent (web browser), controlling presentation and invoking one or more resource servers.
- Backend - represents code executing on a server, in particular on the same domain from which the frontend code has been served. Backend and frontend are both under the control of the same developer.
- SPA with Token Mediation
- SPA with Backend for Frontend
- Server side Web App
- Native Mobile App
- Backend to Backend