CIAM for the single application
One of the key ways that a CIAM server can help is to offer one place for your users to log in across a suite of applications. You get one place to monitor and control access.
But does it make sense to use CIAM even if you only have one application?
Setting aside the fact that you often have more than one application as you integrate other SaaS products to support a single custom application (forums, account management, ticketing systems, etc.), there is value in a CIAM system even if you only have one application.
The reason is that by using such a server, your app has login-related functionality easily available via configuration. You can of course write most of this yourself, but it can be quite difficult or tedious to implement correctly.
Here are some examples:
WebAuthn/passkeys: A way for web applications to access non-password-based forms of authentication. WebAuthn allows interacting directly with hardware-enabled authentication methods such as FaceID or Windows Hello. The user interaction is well specified, but there are other complexities such as how to introduce the functionality (as an MFA method? for user registration? for re-authentication?).
Social login: Allowing users to log in with Google, Facebook or other social providers can improve conversion rates. While these interactions are generally stable, changes do occur. For most CIAM servers, offering more social providers is a matter of documented configuration rather than coding.
Magic links: An email or text is sent to a user, and possession of an embedded one-time code is the factor of authentication. This seems deceptively simple to implement: generate a random string of characters, drop it in a database table, and send a message with the link. But there are some subtleties, such as dealing with pre-fetching of links in emails for anti-phishing security, ensuring the links expire in a timely fashion, and displaying to the end user when such an expiration will happen.
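One way to handle the magic link subtleties above, as an added example that is not part of the original post: the GET that a mail scanner pre-fetches only renders a confirmation page, and the token is consumed on an explicit POST. The in-memory store, the 15-minute lifetime and the function names are assumptions for illustration.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 15 * 60   # assumed lifetime; choose what fits your risk tolerance
_store = {}             # token hash -> record; stands in for a database table

def _digest(token):
    # Store only a hash so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()

def issue(email, now=None):
    """Create a single-use token; return (token, expires_at) so the message can state the expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    expires_at = now + TTL_SECONDS
    _store[_digest(token)] = {"email": email, "expires_at": expires_at, "used": False}
    return token, expires_at

def _lookup(token, now):
    rec = _store.get(_digest(token))
    if rec is None or rec["used"] or now >= rec["expires_at"]:
        return None
    return rec

def handle_get(token, now=None):
    """Link click or scanner pre-fetch: show a confirm page, never consume the token."""
    now = time.time() if now is None else now
    rec = _lookup(token, now)
    if rec is None:
        return {"status": "invalid_or_expired"}
    return {"status": "confirm", "seconds_left": int(rec["expires_at"] - now)}

def handle_post(token, now=None):
    """Explicit button press: consume the token and return the authenticated email."""
    now = time.time() if now is None else now
    rec = _lookup(token, now)
    if rec is None:
        return None
    rec["used"] = True
    return rec["email"]
```

The seconds_left value lets both the email text and the confirmation page tell the user when the link stops working.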
Even if you have only one application, outsourcing your auth to a CIAM system makes enabling and maintaining these features far easier.
Dan