Authentication

What is authentication? It is proving to the thing you are communicating with that you are who you claim to be. So what do you need for that? In each message you send, you include something from which the other side can tell it is you. Sometimes that is a token. From the token, the server checks with its database or some internal service and knows that only you could have sent it. So the server authenticates each request somehow and knows who the user is; a user object is available in its execution context. Even if the server is stateless, it checks with some service and gets the id. A user is identified by an ID. Sometimes this id need not be checked with a different service: if the token is signed properly, the server trusts the id it carries.

The id can be in a token, or it can be in a session. What exactly is a session? One long conversation with the server. Is it always with one particular machine? It need not be. A session is managed by cookies: from the cookie, the web server extracts the state of the session. Sessions require state, but that state can live in a different service, such as Redis or a standalone session server. That is how the server knows who the current user is.

Now we look at logging in and logging out. Logging in means updating this session state or obtaining the correct cookie. For that we need to provide something: a username and password, biometrics, something sent from a device, or a combination of these. To log in, we tell the login service that we want to log in, and then we give it what it asks for. It can ask for different things and can offer multiple options. If the operation succeeds, it sets the session id in our cookie or gives us a token. When we want to log out, we invalidate the key or clear the login from the session data.

What is OAuth then? It is when the service uses a different service to do the signing in. That other service logs us in and gives this service an id, which it can then map to its own id. It can keep mappings like this in many ways, and hence can log us in in different ways, finally resolving them all to one id.
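As an added example (not part of the original notes), here is a Python sketch of both ways the notes describe for a server to know who the current user is: a server-side session store keyed by a random cookie value, with login and logout, and a stateless HMAC-signed token whose id is trusted only after the signature and expiry check out. The in-memory user table, the function names and the key are all assumptions constructed for the example; a real deployment would keep the session dict in Redis or a session service, as the notes say.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed in-memory user table: username -> {"id", "salt", "hash"} (assumption).
USERS = {}
_next_id = [1]


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256: a leaked table must not reveal plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username, password):
    salt = secrets.token_bytes(16)
    user_id = _next_id[0]
    _next_id[0] += 1
    USERS[username] = {"id": user_id, "salt": salt, "hash": _hash_password(password, salt)}
    return user_id


class SessionStore:
    """Server-side session state keyed by a random session id (the cookie value)."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_id):
        sid = secrets.token_urlsafe(32)  # unguessable; the cookie carries only this
        self._sessions[sid] = {"user_id": user_id, "created": time.time()}
        return sid

    def user_id_for(self, sid):
        entry = self._sessions.get(sid)
        return entry["user_id"] if entry else None

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def login(store, username, password):
    """Return a session id to set in the cookie, or None if the credentials are wrong."""
    user = USERS.get(username)
    if user is None:
        # Do the same hashing work so an unknown username is not detectably faster.
        _hash_password(password, b"\x00" * 16)
        return None
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"]):
        return None
    return store.create(user["id"])


def logout(store, sid):
    # Invalidating the server-side entry is what makes the cookie useless afterwards.
    store.destroy(sid)


def current_user(store, cookie_sid):
    """What a request handler does: map the cookie back to a user id (or None)."""
    return store.user_id_for(cookie_sid)


# --- Stateless alternative: a signed token that carries the id itself ---

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key, user_id, ttl_seconds, now=None):
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user_id, "exp": now + ttl_seconds}).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(key, token, now=None):
    """Return the user id only if the signature is valid and the token has not expired."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
        claims = json.loads(payload)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered payload or wrong key: the id inside is not trusted
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None  # expired
    return claims.get("sub")
```

The session path needs shared state (the dict) but can be revoked instantly by `logout`; the token path needs no lookup per request, which is why the notes say a properly signed id need not be checked with another service, but a token stays valid until its expiry unless the server adds its own revocation list.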