Archived

Enterprise Authentication Platform

Tech Lead · 2022 · 2 min read

Built a centralized auth platform serving 12 applications with SSO, reducing login friction by 70%

Overview

Designed and led development of a unified authentication platform to replace the fragmented auth systems across multiple internal and customer-facing applications.

Problem

Each application had its own authentication implementation, leading to inconsistent security practices, poor user experience (users had to log in separately to each app), and significant maintenance overhead across teams.

Constraints

  • Must support existing LDAP directory for enterprise users
  • OAuth2/OIDC compliance required for third-party integrations
  • Cannot disrupt existing user sessions during migration
  • Must meet SOC 2 compliance requirements

Approach

Built a centralized identity provider using industry standards (OAuth2, OIDC, SAML). Implemented a phased migration strategy where applications could adopt the new auth system incrementally while maintaining backward compatibility with legacy auth.

Key Decisions

Build custom identity provider instead of using Auth0 or Okta

Reasoning:

Our specific requirements around LDAP integration, custom MFA flows, and data residency made commercial solutions either too expensive or too limiting. Building in-house gave us full control.

Alternatives considered:
  • Auth0 with custom rules
  • Okta with LDAP connector
  • Keycloak self-hosted

Use refresh token rotation with short-lived access tokens

Reasoning:

Limits the blast radius of token theft while maintaining good UX. Rotation issues a new refresh token on every use and invalidates the one just presented, so any second use of a consumed token signals theft and revokes the session; 15-minute access tokens with automatic refresh provide security without constant re-authentication.

Alternatives considered:
  • Long-lived access tokens with revocation
  • Session-based authentication
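
The rotation scheme above, as an added example in Go (the platform's language) that is not the project's code: an in-memory store stands in for Redis/PostgreSQL, the 30-day refresh lifetime is an assumption the page does not state, and the access token is an opaque placeholder rather than whatever signed format the platform used. What it shows is the reuse-detection step: every token descends from a login "family", tokens are stored only as hashes, and presenting an already-consumed refresh token revokes the whole family, so the newest token (whoever holds it) dies too.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// accessTTL is the 15-minute lifetime from the write-up; refreshTTL is an
// assumed value, the page does not state one.
const (
	accessTTL  = 15 * time.Minute
	refreshTTL = 30 * 24 * time.Hour
)

var (
	ErrInvalidToken  = errors.New("invalid or expired refresh token")
	ErrReuseDetected = errors.New("refresh token reuse detected: session family revoked")
)

// refreshRecord is kept per refresh token, indexed by the token's SHA-256
// hash; the token itself is never stored, so a store dump is not a
// credential dump.
type refreshRecord struct {
	family  string // every token descending from one login shares a family id
	userID  string
	expires time.Time
	used    bool // set once rotated; a second presentation is a replay
}

// Store is a constructed in-memory stand-in for the Redis/PostgreSQL store.
type Store struct {
	mu      sync.Mutex
	byHash  map[string]*refreshRecord
	revoked map[string]bool // families killed by reuse detection
	now     func() time.Time
}

func NewStore(now func() time.Time) *Store {
	return &Store{byHash: map[string]*refreshRecord{}, revoked: map[string]bool{}, now: now}
}

type TokenPair struct {
	AccessToken   string
	AccessExpires time.Time
	RefreshToken  string
}

func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // crypto/rand failing is not something to recover from
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

func hashToken(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(sum[:])
}

// issue mints a new pair inside an existing family. Caller holds s.mu.
// The access token is an opaque placeholder; a real issuer would sign a
// token carrying subject and expiry.
func (s *Store) issue(userID, family string) TokenPair {
	refresh := randomToken()
	s.byHash[hashToken(refresh)] = &refreshRecord{
		family: family, userID: userID, expires: s.now().Add(refreshTTL),
	}
	return TokenPair{AccessToken: randomToken(), AccessExpires: s.now().Add(accessTTL), RefreshToken: refresh}
}

// Login starts a fresh token family for an already-authenticated user.
func (s *Store) Login(userID string) TokenPair {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.issue(userID, randomToken())
}

// Refresh consumes the presented refresh token and returns a new pair.
// A token that was already consumed means either the victim replayed it or
// an attacker stole a copy; the whole family is revoked either way, which
// is the blast-radius limit rotation is meant to give.
func (s *Store) Refresh(refresh string) (TokenPair, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.byHash[hashToken(refresh)]
	if !ok || s.revoked[rec.family] {
		return TokenPair{}, ErrInvalidToken
	}
	if rec.used {
		s.revoked[rec.family] = true
		return TokenPair{}, ErrReuseDetected
	}
	if s.now().After(rec.expires) {
		return TokenPair{}, ErrInvalidToken
	}
	rec.used = true
	return s.issue(rec.userID, rec.family), nil
}

func main() {
	s := NewStore(time.Now)
	first := s.Login("alice")
	second, _ := s.Refresh(first.RefreshToken)
	fmt.Println("rotated:", second.RefreshToken != first.RefreshToken)
	_, err := s.Refresh(first.RefreshToken) // replay of the consumed token
	fmt.Println("replay:", err)
	_, err = s.Refresh(second.RefreshToken) // newest token is dead as well
	fmt.Println("after revocation:", err)
}
```

Revoking the family on reuse is deliberately blunt: the legitimate user is logged out along with the attacker, which is the trade the page accepts in exchange for never letting a stolen refresh token live on quietly.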

Implement passwordless authentication as primary option

Reasoning:

Reduces password-related support tickets and improves security. Magic links and WebAuthn provide better UX than traditional passwords.

Tech Stack

  • Go
  • PostgreSQL
  • Redis
  • LDAP
  • WebAuthn
  • Docker
  • AWS ECS

Result & Impact

  • Login time: 70% reduction (SSO eliminates repeated logins)
  • Password reset tickets: 85% reduction with passwordless
  • Applications integrated: 12 apps in 4 months
  • Security incidents: zero auth-related breaches

The platform has become the foundation for all new applications. Teams no longer need to implement auth from scratch, reducing time-to-market for new products. The passwordless option has been particularly popular with users.

Learnings

  • OAuth2/OIDC specs are complex—invest time in understanding them deeply before implementation
  • Migration is harder than building—plan for long coexistence periods
  • Passwordless adoption requires good fallback options for edge cases
  • Centralized auth is a critical path—invest heavily in reliability and monitoring

Technical Deep Dive

The most challenging aspect was supporting both modern OIDC flows and legacy SAML integrations for enterprise customers. We built an abstraction layer that normalized identity data regardless of the upstream protocol.
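
One way such a normalization layer can look, as an added Go example that is not the platform's own code: the `Identity` struct, the `OIDCClaims` and `SAMLAssertion` input types, the attribute names tried, and the rule that an email-format SAML NameID counts as a verified address are all assumptions for illustration. Both adapters assume the upstream token or assertion has already passed signature, issuer, audience and expiry checks. The two security points it shows are that the account key must scope the subject by issuer (two upstreams can both assert `sub="1001"`), and that a transient SAML NameID must be refused rather than silently used as a stable identifier.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Identity is the protocol-neutral record the rest of the platform consumes,
// whether the user arrived through OIDC or SAML.
type Identity struct {
	Issuer        string // OIDC issuer URL or SAML IdP entityID
	Subject       string // stable upstream identifier
	Email         string // lower-cased for comparison
	EmailVerified bool
	Groups        []string
}

// Key is the account-linking key: the subject scoped by its issuer. A bare
// subject is unsafe because unrelated upstreams can emit the same value.
func (id Identity) Key() string { return id.Issuer + "|" + id.Subject }

var (
	ErrMissingSubject  = errors.New("assertion carries no issuer or subject")
	ErrUnstableSubject = errors.New("SAML NameID format is not stable enough to key an account")
)

// OIDCClaims is the subset of a validated ID token this layer maps.
type OIDCClaims struct {
	Iss, Sub, Email string
	EmailVerified   bool
	Groups          []string
}

func FromOIDC(c OIDCClaims) (Identity, error) {
	if c.Iss == "" || c.Sub == "" {
		return Identity{}, ErrMissingSubject
	}
	return Identity{
		Issuer: c.Iss, Subject: c.Sub,
		Email: strings.ToLower(c.Email), EmailVerified: c.EmailVerified,
		Groups: append([]string(nil), c.Groups...),
	}, nil
}

// SAMLAssertion is the subset of a validated assertion this layer maps.
type SAMLAssertion struct {
	IssuerEntityID string
	NameID         string
	NameIDFormat   string
	Attributes     map[string][]string
}

const (
	nameIDPersistent = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
	nameIDTransient  = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
	nameIDEmail      = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
)

// first returns the first value under any candidate attribute name, since
// IdPs disagree on naming (mail vs email, memberOf vs groups).
func first(attrs map[string][]string, names ...string) string {
	for _, n := range names {
		if v := attrs[n]; len(v) > 0 {
			return v[0]
		}
	}
	return ""
}

func FromSAML(a SAMLAssertion) (Identity, error) {
	if a.IssuerEntityID == "" || a.NameID == "" {
		return Identity{}, ErrMissingSubject
	}
	// A transient NameID changes on every login and must never key an account.
	if a.NameIDFormat == nameIDTransient {
		return Identity{}, ErrUnstableSubject
	}
	email := first(a.Attributes, "mail", "email", "emailAddress")
	verified := false
	if a.NameIDFormat == nameIDEmail {
		// Example policy (assumed, not from the write-up): an email-format
		// NameID is the IdP's own identifier for the user, so it is treated
		// as verified; a loose attribute value is not.
		email, verified = a.NameID, true
	}
	groups := a.Attributes["memberOf"]
	if len(groups) == 0 {
		groups = a.Attributes["groups"]
	}
	return Identity{
		Issuer: a.IssuerEntityID, Subject: a.NameID,
		Email: strings.ToLower(email), EmailVerified: verified,
		Groups: append([]string(nil), groups...),
	}, nil
}

func main() {
	// Constructed inputs: same subject "1001" from two different upstreams.
	o, _ := FromOIDC(OIDCClaims{Iss: "https://login.example.com", Sub: "1001", Email: "Alice@Example.com", EmailVerified: true})
	s, _ := FromSAML(SAMLAssertion{IssuerEntityID: "urn:corp:idp", NameID: "1001", NameIDFormat: nameIDPersistent,
		Attributes: map[string][]string{"mail": {"alice@corp.example"}, "memberOf": {"eng", "oncall"}}})
	fmt.Println(o.Key(), s.Key(), o.Key() == s.Key())
}
```

Downstream code then links and authorizes on `Identity.Key()` and `Identity.Groups` only, and never has to know which protocol produced them.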

Token storage was another interesting problem. We used Redis for session data with PostgreSQL as the source of truth for user accounts. This gave us the performance we needed while maintaining durability.

Migration Strategy

We couldn’t force all applications to migrate at once. Instead, we built a compatibility layer that allowed legacy auth tokens to be exchanged for new tokens. This let teams migrate on their own schedule while users got immediate SSO benefits.