Decentralized security

Other approaches do not include the credentials in every client invocation. The client first obtains a security token and then issues the actual communication with that token attached. This goes in the direction of decentralized security.

In order to decouple security from the application, enterprise systems can include an identity provider as a central point for authentication and authorization. This delegates the security concerns from the application to the provider.

The identity provider authorizes third parties, such as enterprise applications, without the user's credentials ever being exchanged with them. End users are redirected to the identity provider and do not hand their secrets to the enterprise application. The third party only receives information once access has been granted, contained in tokens that it can verify.

This three-way authentication relieves the enterprise application of handling credentials. The responsibility to verify whether the information the user provides is correct moves to the identity provider. What remains with the application is to verify the tokens it receives: that they were issued by the expected provider, are intended for this application, and have not expired.

One example of this method is single sign-on (SSO). It is used quite often in bigger companies so that users authenticate only once and that authentication is reused by all services secured by the SSO. The SSO system authenticates the user and provides the required user information to the corresponding applications.

Another approach is to use decentralized access delegation protocols, such as OAuth 2.0, OpenID, and OpenID Connect. They define three-way workflows to exchange security information between the user's client, the third-party application, and the identity provider. Strictly speaking, OAuth 2.0 delegates authorization (access to a resource on the user's behalf), OpenID Connect layers user authentication on top of OAuth 2.0, and OpenID is the older authentication protocol that OpenID Connect superseded. The idea is similar to single sign-on. However, these protocols let users decide which individual application receives their information. Instead of the actual credentials, the applications receive tokens, for example in the form of JSON Web Tokens (JWT). A token is validated either by asking the identity provider (token introspection) or locally, by checking its signature against the provider's published keys together with its issuer, audience, and expiry claims.

The decentralized access delegation protocols and their implementation are beyond the scope of this book. What remains for the enterprise system is to intercept unauthenticated requests and redirect the user to the identity provider for authentication. Depending on the system architecture, this is the responsibility of a proxy server in front of the services or of the application itself.
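The redirect-based exchange described above, simulated end to end as an added example that is not code from this book or from any identity provider product. The issuer URL idp.example.com, the client id orders-app, and the user alice are assumed; the provider signs with HS256 so the example runs on the standard library alone, whereas a real provider would sign with an asymmetric key and publish only the public half. The relying application generates a state value and a PKCE challenge, redirects the user, and after the callback redeems the single-use code and validates the resulting JWT itself (pinned algorithm, signature, issuer, audience, validity window):

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Stand-in for the identity provider (assumed issuer URL, constructed user).
    HS256 keeps the demo stdlib-only; a real provider signs with an asymmetric key
    (RS256/ES256) and publishes only the public half, so relying parties cannot forge."""

    ISSUER = "https://idp.example.com"

    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.users = {"alice": "correct horse"}
        self.pending = {}  # authorization code -> (client_id, code_challenge, subject)

    def authorize(self, query: dict, username: str, password: str):
        """Authorization endpoint: the user types credentials here, never at the app."""
        if not hmac.compare_digest(self.users.get(username, "").encode(), password.encode()):
            return None
        code = secrets.token_urlsafe(16)
        self.pending[code] = (query["client_id"], query["code_challenge"], username)
        return {"code": code, "state": query["state"]}  # browser carries this back to the app

    def token(self, client_id: str, code: str, code_verifier: str):
        """Token endpoint: a single-use code plus the matching PKCE verifier buys a JWT."""
        entry = self.pending.pop(code, None)
        if entry is None or entry[0] != client_id:
            return None
        if not hmac.compare_digest(b64url(hashlib.sha256(code_verifier.encode()).digest()), entry[1]):
            return None
        now = int(time.time())
        claims = {"iss": self.ISSUER, "sub": entry[2], "aud": client_id, "iat": now, "exp": now + 300}
        header, payload = b64url(json.dumps({"alg": "HS256"}).encode()), b64url(json.dumps(claims).encode())
        sig = hmac.new(self.key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Relying-party validation: these checks stay with the application even though
    it never saw the password. Raises ValueError on anything it will not accept."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never honour "none"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    aud = claims.get("aud")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if now >= claims.get("exp", 0) or now < claims.get("nbf", 0):
        raise ValueError("token outside its validity window")
    return claims


class RelyingApp:
    """The enterprise application: redirects to the provider, then validates what comes back."""

    CLIENT_ID = "orders-app"  # assumed client registration at the provider

    def __init__(self, idp: IdentityProvider):
        self.idp = idp
        self.logins = {}  # state -> PKCE code_verifier, kept server-side only

    def start_login(self) -> str:
        state, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.logins[state] = verifier
        params = {"response_type": "code", "client_id": self.CLIENT_ID, "state": state,
                  "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),
                  "code_challenge_method": "S256"}
        return f"{self.idp.ISSUER}/auth?{urlencode(params)}"  # the redirect the user follows

    def finish_login(self, callback: dict) -> dict:
        verifier = self.logins.pop(callback["state"], None)
        if verifier is None:
            raise ValueError("unknown or reused state")  # blocks CSRF/replay on the callback
        token = self.idp.token(self.CLIENT_ID, callback["code"], verifier)
        if token is None:
            raise ValueError("token exchange refused")
        # idp.key stands in for the provider's published verification key
        return verify_jwt(token, self.idp.key, self.idp.ISSUER, self.CLIENT_ID)


def parse_redirect(url: str) -> dict:
    """The query the browser presents to the provider after following the redirect."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
```

The password check lives only in IdentityProvider.authorize; RelyingApp never sees it and still rejects a replayed callback, a code redeemed without its PKCE verifier, a token with a tampered payload, an "alg": "none" header, the wrong audience, or an expired token. Swapping the HS256 stand-in for signature verification against the provider's JWKS keys changes only verify_jwt and the key passed to it.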

There are open source solutions that implement decentralized security. An interesting one is Keycloak, an Identity and Access Management solution. It supports standard protocols such as OAuth 2.0 and OpenID Connect and, at the time of writing, shipped with client adapters for various platforms, which makes it easy to secure applications and services. Newer Keycloak releases have deprecated most of these adapters in favour of the standard OpenID Connect client libraries of each platform.
