A lot of applications lack a good authentication concept and implementation. Often there is only a limited set of authentication options, and these are tightly coupled to the application, which makes them hard to maintain and hard to adapt to customer requirements. There should be a clear distinction between application logic and authentication implementation and data. Furthermore, applications often do not make use of a shared identity provider, which makes it easy to impersonate calls between different services.
Modern applications or microservice architectures should rely on a trusted identity provider, which decouples the authentication implementation from the services or applications. The application should have a single trust relationship, so that new federated identity providers or customer-specific configurations do not affect the implementation or deployment of the services and applications.
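The single trust relationship described above, as an added example that is not code from the original page: a service whose only authentication logic is verifying a token signed by one identity provider, so a call that lacks a token from that provider is rejected. The issuer URL, audience name and key are assumptions, and HS256 with a shared key is used only so the example runs with the Python standard library; an identity provider would normally sign with an asymmetric key.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed values for this example; none of them come from the page.
TRUSTED_ISSUER = "https://idp.example.internal"
AUDIENCE = "orders-service"
IDP_KEY = b"constructed-demo-key"  # shared key keeps the demo stdlib-only


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(claims: dict, key: bytes) -> str:
    """Identity-provider side: sign claims as a compact HS256 JWT."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"


def authenticate(token: str, now=None) -> dict:
    """Service side: the only authentication logic the service contains."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(_unb64(head))
        claims = json.loads(_unb64(body))
        given = _unb64(sig)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("header and claims must be JSON objects")
    except ValueError as exc:
        raise PermissionError("malformed token") from exc
    if header.get("alg") != "HS256":  # the token never chooses the algorithm
        raise PermissionError("unexpected algorithm")
    want = hmac.new(IDP_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):
        raise PermissionError("bad signature")
    if claims.get("iss") != TRUSTED_ISSUER or claims.get("aud") != AUDIENCE:
        raise PermissionError("untrusted issuer or audience")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise PermissionError("token expired")
    return claims
```

A newly federated upstream provider changes only what the identity provider puts into the claims; `authenticate` and the service deployment stay the same.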