adr.zone

ADR Example: Managed authentication (IdP) vs in-house (Y-Statement format)

Software architecture decision example for end-user auth: when a small team accepts vendor coupling to ship MFA, OAuth, and recovery flows safely. The markdown below is identical in substance across formats; use the toggle to see how Nygard, MADR, Y-Statement, or an ISO-42010–inspired field list presents the same tradeoffs.

When this type of decision shows up

  • You need enterprise SSO and recovery flows and cannot fund a full in-house security team for auth surface area.
  • Compliance and legal need clear data residency, subprocessors, and incident responsibilities spelled out in contracts.
  • You will still own token validation, key rotation, and service-to-service identity in a follow-up ADR or platform guide.
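The third bullet is the part a managed IdP does not take off your plate: your services still have to validate the tokens the vendor mints and survive its key rotations. The following is an added example, not code from adr.zone or from any vendor SDK. It models the validation a resource server owns: algorithm allowlist, key selection by `kid` with an overlap window during rotation, signature check before any claim is trusted, then issuer, audience and time-window checks. Assumptions: tokens are HS256 JWTs over a shared secret (a stand-in for the asymmetric JWKS keys a real IdP publishes; with a real IdP the signature step would call an RS256/ES256 verify from a JOSE library), and the issuer, audience and key identifiers are constructed for this example.

```python
"""Validate an IdP-issued JWT: the residual responsibility after choosing a
managed identity provider. Added example; all identifiers are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Trust configuration is ours, not the vendor's: only these values are accepted.
EXPECTED_ISSUER = "https://idp.example.test/"     # constructed issuer URL
EXPECTED_AUDIENCE = "api://orders"                 # constructed audience
ALLOWED_ALGS = {"HS256"}                           # never let the token pick
CLOCK_SKEW_SECONDS = 60

# Key ring keyed by ``kid``. During rotation both keys stay live so tokens
# minted before the cut-over keep validating until they expire.
KEY_RING = {
    "2024-03": b"old-rotation-secret-constructed",
    "2024-09": b"new-rotation-secret-constructed",
}


class TokenInvalid(Exception):
    """Raised with a short, log-safe reason when a token is rejected."""


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def mint_token(claims: dict, kid: str, alg: str = "HS256", secret: bytes = None) -> str:
    """Stand-in for the IdP's token endpoint (test helper only)."""
    secret = KEY_RING[kid] if secret is None else secret
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, now: float = None) -> dict:
    """Return the claims if every check passes, else raise TokenInvalid.

    Order matters: choose the key from ``kid`` and verify the signature
    before trusting any claim; only then check iss, aud and the time window.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
        if not isinstance(header, dict):
            raise ValueError("header is not an object")
    except ValueError as exc:  # covers binascii.Error, JSONDecodeError, unpack errors
        raise TokenInvalid("malformed token") from exc

    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenInvalid("unexpected alg")          # blocks alg=none style downgrades
    key = KEY_RING.get(header.get("kid"))
    if key is None:
        raise TokenInvalid("unknown kid")              # retired, or never one of ours

    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):         # constant-time comparison
        raise TokenInvalid("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenInvalid("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenInvalid("wrong audience")           # token minted for another API
    if claims.get("exp") is None or now > claims["exp"] + CLOCK_SKEW_SECONDS:
        raise TokenInvalid("expired")
    if now + CLOCK_SKEW_SECONDS < claims.get("nbf", 0):
        raise TokenInvalid("not yet valid")
    return claims


def token_verdict(token: str, now: float = None) -> str:
    """'ok' or the rejection reason; handy for auth logs and tests."""
    try:
        validate_token(token, now)
        return "ok"
    except TokenInvalid as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample: a user token signed with the current key.
    sample = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "user-1",
              "nbf": 1_000_000_000, "exp": 2_000_000_000}
    print(token_verdict(mint_token(sample, "2024-09"), now=1_700_000_000))
```

The key-ring overlap is the operational point behind "key rotation": the IdP rotates on its schedule, so the resource server must accept the previous `kid` until every token signed with it has expired, and must refuse any `kid` it has not been told about rather than fetching keys on demand from an untrusted hint in the token.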


Y-Statement (structured decision record)

Sentence

In the context of product authentication and limited platform headcount, facing the cost of building and operating login, MFA, OAuth, and session security in-house, we have decided for a managed identity provider for interactive login and standard OAuth flows in order to ship secure login and a compliance-friendly posture without owning the full auth surface, accepting vendor cost, less exotic customization, and additional subprocessors in our compliance pack.

Fields (same content, for reviews)

  • Context: product authentication and limited platform headcount
  • Concern: building and operating login, MFA, OAuth, and session security in-house
  • Stance / subject: for / a managed identity provider for interactive login and standard OAuth flows
  • Intended outcome: ship secure login and compliance-friendly posture without owning the full auth surface
  • Deliberate tradeoff: vendor cost, less exotic customization, subprocessors in our compliance pack