ADR-0030: Use a managed authentication provider
Status
Accepted
Outcome
Secure login, MFA, password reset, and OAuth for enterprise without competing with product work or risking subtle security mistakes.
Decision
Adopt a managed authentication provider for interactive login and token issuance. App services validate access tokens. Legal reviews data residency and subprocessors before locking a vendor contract.
Primary tradeoff
We accept vendor cost, less flexibility for exotic flows, and subprocessors in compliance scope in exchange for a faster path to secure defaults.
Why
- The team is small and cannot fund a full in-house auth surface
- In-house auth competes with product work
- MFA and OAuth are table stakes and risky to build wrong
Decision boundaries
Impacted:
- Interactive login and token issuance
- Token validation library standardization
- Compliance scope (subprocessors, data residency)
Not impacted:
- Service-to-service identity (follow-up ADR)
- Application authorization logic
- Key rotation (remains internal responsibility)
Assumptions:
- A managed provider meets residency and subprocessor requirements
- Legal signs off before contract lock
Guardrails:
- DPO/legal must approve vendor terms before production use
- Token validation remains in app code (not vendor-opaque)
- Incident response split with vendor is documented
- Follow-up ADR covers service-to-service auth