I was lucky enough to work both at Janrain when the social login and consumer identity terms were being pioneered, and at Acquia when content management strategies had matured into creating great personalized experiences for users. However, the days of needing to pick between a great identity or great content strategy are over - now you need both. But IT departments, who are often tasked with solving specific challenges in this regard, don’t have a lot of guidance as to how to implement a Customer Identity and Access Management (CIAM) solution that still meets CMS flexibility needs. This guide is an overview of what to consider when creating secure and frictionless yet scalable identity authentication and authorization solutions using Drupal. I’ll also let you in on a little secret, most of these tactics can be used across the board in other platforms like Wordpress, Joomla, Magento, etc.
A term that I’ll use below:
OpenID Connect (OIDC) - an open standard for authentication in which the user is redirected to a centralized login/registration experience
I’ll keep this part short - here is a video I created that outlines the differences - CIAM vs IAM - 5 key differences and some important things to know. It's a good place to start to get some preliminary knowledge on what will work best for you.
Depending on your specific scenario, just plugging in an Identity Provider (IDP) solution isn’t going to cut it. You are using Drupal because it offers the greatest flexibility in terms of design, content strategy, branding, multi-brand, translations, etc. So you need to ensure that the solution you are implementing can offer those same principles. Adding ‘login and registration’ is such an easy plugin these days that it is easy to overlook what lies just under the surface. Here are some considerations for your CIAM solution:
Just like with Drupal, there are two concepts for CIAM when it comes to user experience: API or Hosted. The industry best practice is to use OIDC which has a LOT of benefits:
There is a bit of a misunderstanding when it comes to the flexibility of OIDC. Often people think that if the user is being redirected to a centralized location for login, then that will not only cause a bad user experience, but the app also loses control over the configuration and look and feel of the centralized location. Plus mobile app redirects are not great. None of these assumptions is correct as long as you have the right CIAM solution.
OIDC is ideal for Drupal since it allows the consumer complexity to sit external to the Drupal site and database. You can manage authN and authZ elsewhere while still giving the site the information it needs about a user when it needs it. This seems to be an up-to-date and flexible free module: https://www.drupal.org/project/oidc
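What "under the surface" of that redirect looks like from the Drupal side is worth seeing once. The following is an added example, not code from the original post, the Drupal OIDC module, or Next Identity: a minimal relying party in Python that sends the user to the hosted login page with the authorization-code flow plus PKCE, then validates the callback and the returned ID token. The issuer, client id, redirect URI and HS256 signing key are constructed stand-ins, and the provider's token endpoint is simulated so the example runs offline (a real provider signs ID tokens with an asymmetric key published at its JWKS endpoint, which you would fetch and cache instead).

```python
# Added example (not from the original post): a minimal OIDC relying party using
# the authorization-code flow with PKCE. All identifiers below are constructed.
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

ISSUER = "https://idp.example.com"                       # assumed provider
CLIENT_ID = "drupal-site"                                # assumed client id
REDIRECT_URI = "https://www.example.com/openid-connect/callback"
IDP_HS256_KEY = b"constructed-shared-signing-key"        # demo only; real IdPs use RS256/ES256


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def start_login(session: dict) -> str:
    """Build the redirect to the hosted login page; remember state, nonce and PKCE verifier."""
    session["state"] = secrets.token_urlsafe(16)           # binds the callback to this browser session
    session["nonce"] = secrets.token_urlsafe(16)           # binds the ID token to this login attempt
    session["code_verifier"] = secrets.token_urlsafe(32)   # PKCE: proves the code exchange is ours
    challenge = b64url(hashlib.sha256(session["code_verifier"].encode()).digest())
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email", "state": session["state"], "nonce": session["nonce"],
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return f"{ISSUER}/authorize?{urlencode(params)}"


def verify_id_token(id_token: str, expected_nonce: str, now=None) -> dict:
    """Signature plus the claims every relying party must check: iss, aud, exp, nonce."""
    now = time.time() if now is None else now
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":   # never accept "none" or a surprise alg
        raise ValueError("unexpected alg")
    expected = hmac.new(IDP_HS256_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def token_accepted(id_token: str, expected_nonce: str) -> bool:
    try:
        verify_id_token(id_token, expected_nonce)
        return True
    except ValueError:
        return False


def handle_callback(session: dict, callback_url: str, exchange_code) -> dict:
    """Check state, exchange the code with the PKCE verifier, verify the ID token."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != session.get("state"):
        raise ValueError("state mismatch (possible CSRF or stale session)")
    token_response = exchange_code(qs["code"][0], session["code_verifier"])
    claims = verify_id_token(token_response["id_token"], session["nonce"])
    # The site only needs the stable subject plus the profile claims it maps to a Drupal account.
    return {"sub": claims["sub"], "email": claims.get("email")}


# --- simulated provider side, so the example runs offline ---
def make_id_token(nonce: str, now=None, **overrides) -> str:
    now = time.time() if now is None else now
    payload = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123", "email": "a@example.com",
               "iat": int(now), "exp": int(now) + 300, "nonce": nonce}
    payload.update(overrides)
    header_b64 = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url(json.dumps(payload).encode())
    sig = hmac.new(IDP_HS256_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url(sig)}"


def demo() -> dict:
    session = {}
    start_login(session)
    # The provider authenticates the user on its hosted screens, then redirects back with code + state:
    callback = f"{REDIRECT_URI}?code=CONSTRUCTED_CODE&state={session['state']}"

    def fake_exchange(code, verifier):
        # A real token endpoint checks sha256(verifier) against the code_challenge it saw earlier.
        assert code == "CONSTRUCTED_CODE" and verifier == session["code_verifier"]
        return {"id_token": make_id_token(session["nonce"]), "token_type": "Bearer"}

    return handle_callback(session, callback, fake_exchange)
```

The point for a Drupal integrator is that the site never sees a password and stores only what `handle_callback` returns; everything else (MFA, social providers, branding, translations) lives on the provider's hosted screens. The four claim checks in `verify_id_token` are what separate a safe redirect integration from one that will accept a token minted for a different client.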
Next Identity makes the flexibility of the hosted screen limitless in terms of flows, configs, translation, branding, and much more. Users of mobile apps that implement Next Identity will not even notice the redirect, giving them a great and secure experience.
So based on your scenario, using OIDC is a great and secure option. However, there may be a need to build screens or portions of screens directly within the app. In that case, you would be looking for a full set of APIs in order to build a more headless version of your identity solution. Most identity solutions have some kind of API set. Most of them these days have steered away from what is called the ‘Password Grant’ flow, which is essentially a /login and /register endpoint for direct integration. For good reason, but it is worth noting that the Next Identity API supports the Password Grant flow :)
Do you need to manage identities or orchestrate them? Well, it's pretty easy to plug in a login and registration solution - Drupal even has that out of the box. However, some sites/apps may already have an existing provider and you don’t want to migrate the full solution. Or, even more commonly, different sites/apps need to maintain a different set of users. In other words, users can’t be shared across properties since they are considered completely different. However, you still want to have a high-level view of each user in order to provide better services. This is where Identity Orchestration comes in. A good CIAM platform will not only offer you great login and registration capabilities, but will support other providers so that you can orchestrate a user who is authenticating in one place and remove friction for them to federate into other sites (as an example).
The last example I’ll give (and mentioned above) is the ability to hook into the user flows and perform external processes. This might be keeping a CRM in sync, performing some kind of user lookup, alerting a downstream system of an event, etc. Being able to orchestrate is key.
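As an added example of the "keep a CRM in sync" hook above (not code from the original post or from any particular CIAM vendor), here is a small Python receiver for identity events. The delivery format is an assumption: an `X-Timestamp` header plus an `X-Signature` header carrying an HMAC-SHA256 over `"<timestamp>.<body>"`, which is a common generic pattern for signed webhooks. The shared secret, event names and sample event are constructed. The two checks a practitioner usually forgets are the ones the example leads with: reject stale or unsigned deliveries before parsing the body, and treat retries idempotently so a redelivered event does not double-create CRM records.

```python
# Added example (not from the original post): a signed identity-event hook that
# keeps a stand-in CRM in sync. Header names, secret and events are constructed.
import hashlib
import hmac
import json
import time

HOOK_SECRET = b"constructed-hook-secret"   # assumed shared secret configured at the provider
MAX_SKEW_SECONDS = 300                    # deliveries older than this are replays or clock drift

crm = {}                # stand-in for the downstream CRM (sub -> profile)
seen_event_ids = set()  # providers retry on timeouts, so the same event can arrive twice


def sign(body: bytes, ts: int) -> str:
    """HMAC over timestamp and body, so neither can be altered independently."""
    return hmac.new(HOOK_SECRET, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()


def handle_event(headers: dict, body: bytes, now=None) -> str:
    """Return what happened: 'synced', 'ignored', 'duplicate', or a rejection reason."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return "rejected: missing timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return "rejected: stale timestamp"
    if not hmac.compare_digest(sign(body, ts), headers.get("X-Signature", "")):
        return "rejected: bad signature"          # verified before any JSON parsing
    event = json.loads(body)
    if event["id"] in seen_event_ids:
        return "duplicate"                        # idempotent: a retry must not re-run side effects
    seen_event_ids.add(event["id"])
    user = event["user"]
    if event["type"] == "user.registered":
        crm[user["sub"]] = {"email": user["email"], "source": "oidc"}
    elif event["type"] == "user.email_changed":
        crm.setdefault(user["sub"], {})["email"] = user["email"]
    else:
        return "ignored"
    return "synced"


def sample_delivery(event: dict, ts: int):
    """What the provider would send: headers and raw body for a constructed event."""
    body = json.dumps(event).encode()
    return {"X-Timestamp": str(ts), "X-Signature": sign(body, ts)}, body
```

Keying the idempotency set on the provider's event id (rather than on the user) is deliberate: a registration followed by an email change are two events for one user and both must be applied, while a retried registration must not be.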
There are many considerations when you are choosing to implement a CIAM solution on your Drupal site. The best and easiest advice I can give is to educate yourself a little on the power of consumer identity, document the use-cases you need to support, then figure out how to make an OIDC flow work for your scenarios. But of course these things are rarely straightforward.
Don’t hesitate to reach out if you need someone to bounce ideas off of - I’d be happy to have an exploratory conversation to see how I can help. Of course, Next Reason also offers a full set of CIAM services along with our Next Identity platform. So if you want us to come and assess your situation and provide some reports, we’d be happy to.
Thanks for reading!