Authentication

This section covers authentication techniques.

User access

Ensuring secure access and identity management.

JWT (JSON Web Token)

  • Full form: JSON Web Token
  • A compact, URL-safe means of representing claims to be transferred between two parties.
  • It allows for stateless authentication, meaning the server doesn't need to store session data in a database to verify the user.
  • NOTE: In practice JWT authentication is never fully stateless; you still need a blacklist (kept in memory or in a store such as Redis) of tokens that must no longer be accepted, e.g. for logged-out users or compromised tokens.

Session

  • A stateful, server-side storage mechanism where user data is kept in memory or a database, identified by a unique ID.
  • It offers maximum security and control; the server can instantly revoke access by deleting the session from its storage, which is harder to do with stateless JWTs.

SSO (Single Sign-On)

  • Full form: Single Sign-On
  • A session and user authentication service that permits a user to use one set of login credentials to access multiple applications.
  • It creates a seamless User Experience (UX) and reduces "password fatigue" while centralizing security management for an organization.
  • OAuth 2.0 is an industry-standard framework for authorization, allowing apps to securely access user data (on platforms like Google or Facebook) without needing user credentials. While not an authentication protocol itself, it authorizes actions via access tokens. It is often combined with OpenID Connect for authentication.

OAuth 2.0

  • Full form: Open Authorization 2.0
  • An industry-standard protocol for delegated authorization, allowing apps to access data on behalf of a user without seeing their password (e.g., "Login with Google").
  • It limits exposure; a third-party app only gets a scoped token to do specific tasks rather than having full access to your account.

OIDC (OpenID Connect)

  • Full form: OpenID Connect
  • An identity layer built on top of the OAuth 2.0 protocol that allows clients to verify the identity of the end-user.
  • It provides a standardized way to handle "Login"; while OAuth 2.0 is about delegating access (authorization), OIDC is about proving identity (authentication).

The Transport Layer

How do we save / handle the token or session ID on the client side?

Cookie-Based Authentication

  • A method where the server uses the browser's cookie storage to automatically send and receive authentication data (either a Session ID or a JWT) with every request.
  • It is effortless for the developer because the browser attaches the cookie automatically, and it can be made highly secure with the HttpOnly flag, which stops page script (including script injected through an XSS bug) from reading the cookie.

Token-Based Authentication (Bearer)

  • A method where the client manually attaches a token (usually a JWT) to the Authorization header of an HTTP request (e.g., Authorization: Bearer xxx).
  • It is built for mobile apps and cross-domain APIs where browsers might block cookies or where you aren't using a browser at all.
  • The token may be saved in different places depending on the application or device: Keychain (iOS), Keystore (Android), localStorage or sessionStorage (browser).
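As an added example (not code from the original page), the following Python helpers show both transport options from this section side by side: building a Set-Cookie value with the defensive attributes a browser honours, and locating the client's credential in an incoming request whether it arrived in a Cookie header or an Authorization: Bearer header. The cookie name `sid`, the header values and the precedence rule are constructed for the demo.

```python
from typing import Dict, Optional, Tuple

# Constructed cookie name for the demo; the session ID or JWT it carries is issued elsewhere.
SESSION_COOKIE = "sid"


def build_session_cookie(credential: str, max_age: int = 3600) -> str:
    """Value for a Set-Cookie response header that carries a session ID (or a JWT).
    HttpOnly: page script cannot read it, so an XSS bug cannot exfiltrate it.
    Secure: only sent over HTTPS.  SameSite=Lax: not attached to cross-site POSTs,
    which blunts CSRF, the flip side of the browser sending cookies automatically."""
    return (f"{SESSION_COOKIE}={credential}; Max-Age={max_age}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Split a Cookie request header ("a=1; b=2") into a dict; malformed parts are skipped."""
    cookies: Dict[str, str] = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep and name:
            cookies[name] = val.strip()
    return cookies


def extract_credential(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Locate the client's credential in a request. Returns ("bearer", token) for an
    Authorization: Bearer header (mobile apps, cross-domain API clients), ("cookie", value)
    for the session cookie (browsers), or None. Bearer wins when both are present because
    the client attached it deliberately; header names are matched case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = lower.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return ("bearer", token.strip())
    cookies = parse_cookie_header(lower.get("cookie", ""))
    if cookies.get(SESSION_COOKIE):
        return ("cookie", cookies[SESSION_COOKIE])
    return None


if __name__ == "__main__":
    # Constructed requests: one from a browser, one from a mobile client.
    print(build_session_cookie("s123", max_age=900))
    print(extract_credential({"Cookie": "theme=dark; sid=s123"}))
    print(extract_credential({"Authorization": "Bearer eyJ.header.sig"}))
```

The cookie path is the one that needs CSRF protection (here the SameSite attribute), because the browser sends it without the page's involvement; a bearer token is only present when the client code put it there, so a cross-site request cannot carry it.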

Token & Session Management

This section covers the mechanics of how you keep a user logged in and how you kick them out when necessary.

Access Token

  • A short-lived credential (often a JWT) used by the client to access protected resources.
  • It allows for fast, stateless verification without hitting the database for every single API request.
  • It is often paired with a refresh token.

Refresh Token

  • A long-lived credential used solely to obtain a new access token (often a JWT) once the current one expires.
  • It balances security and UX by allowing users to stay logged in for days without keeping a highly sensitive access token active that entire time.

Refresh Token Rotation (Voucher Technique)

  • A security pattern where every time a refresh token is used, it is invalidated and replaced with a brand-new one.
  • It detects malicious reuse: if an attacker steals a refresh token and uses it, the real user's next refresh with the now-invalidated token fails, which signals theft and lets the system revoke the entire session (the whole token family).
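The rotation and reuse-detection pattern described above, as an added Python example (not code from the original page). Refresh tokens are opaque random strings grouped into a family per login; each refresh retires the presented token and issues a new one in the same family, and presenting a retired token revokes the family. The in-memory store, the TTL and the fixed timestamps are constructed for the demo; a real service would keep this state in a database or Redis.

```python
import secrets
import time
from typing import Dict, Optional, Set


class RefreshTokenStore:
    """Refresh-token rotation with reuse detection (constructed in-memory store).
    Each login starts a *family*; every refresh issues a new token in that family and
    marks the old one as used. A used token being presented again means a copy exists,
    so the whole family is revoked and both the thief and the victim are logged out."""

    def __init__(self, ttl_seconds: int = 30 * 24 * 3600) -> None:
        self.ttl = ttl_seconds
        self._tokens: Dict[str, dict] = {}       # token -> {user, family, exp, used}
        self._revoked_families: Set[str] = set()

    def _issue(self, user: str, family: str, now: int) -> str:
        token = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
        self._tokens[token] = {"user": user, "family": family,
                               "exp": now + self.ttl, "used": False}
        return token

    def login(self, user: str, now: Optional[int] = None) -> str:
        """Start a new family for a fresh login and return its first refresh token."""
        now = int(time.time()) if now is None else now
        return self._issue(user, secrets.token_hex(8), now)

    def refresh(self, presented: str, now: Optional[int] = None) -> Optional[str]:
        """Exchange a refresh token for a new one. Returns None for unknown, expired or
        revoked tokens, and None (after revoking the family) when a rotated token is reused."""
        now = int(time.time()) if now is None else now
        rec = self._tokens.get(presented)
        if rec is None:
            return None
        if rec["family"] in self._revoked_families or rec["exp"] <= now:
            return None
        if rec["used"]:
            # Already rotated once: whoever holds this copy (attacker or victim) is
            # replaying it. Kill the family; every descendant token stops working.
            self._revoked_families.add(rec["family"])
            return None
        rec["used"] = True
        return self._issue(rec["user"], rec["family"], now)

    def is_family_revoked(self, token: str) -> bool:
        rec = self._tokens.get(token)
        return rec is not None and rec["family"] in self._revoked_families


if __name__ == "__main__":
    store = RefreshTokenStore(ttl_seconds=3600)
    t0 = 1_700_000_000                           # constructed clock
    t1 = store.login("alice", now=t0)
    t2 = store.refresh(t1, now=t0 + 10)          # attacker (holding a copy of t1) refreshes first
    print(store.refresh(t1, now=t0 + 20))        # victim replays t1 -> None, family revoked
    print(store.refresh(t2, now=t0 + 30))        # attacker's t2 is now dead too -> None
```

Note that the detection fires on the second use regardless of who made it: if the legitimate user refreshed first, the attacker's later replay is what trips the revocation.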

Session ID

  • Full form: Session Identifier
  • A unique string stored in a cookie that points to a specific data record on the server (in RAM or DB).
  • It provides instant revocation control; if a user’s account is compromised, the admin can delete the session server-side to log them out immediately.

Token Expiration (TTL)

  • Full form: Time To Live
  • A timestamp embedded in the token (the exp claim) that defines when it becomes invalid.
  • It limits the "window of opportunity" for an attacker if a token is intercepted.

Token Revocation / Blacklisting

  • The process of maintaining a list of "invalid" JWTs (usually in Redis) that haven't expired yet but should no longer be accepted.
  • It solves the main weakness of stateless JWTs, allowing you to log a user out or ban them before their token naturally expires.

Sliding Expiration

  • A technique where the expiration time of a session is extended every time the user makes a new request.
  • It keeps active users logged in indefinitely while automatically cleaning up and logging out inactive users after a period of idleness.
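Sliding expiration as an added Python example (not code from the original page): an in-memory session store where every validated request pushes the session's expiry forward by the idle timeout, and idle sessions are dropped either when next presented or by a periodic sweep. It goes one step beyond the entry above with an optional absolute lifetime cap, which bounds how long even a continuously active session (or a stolen session ID that an attacker keeps touching) can live. The store, the timeouts and the timestamps are constructed for the demo.

```python
import time
from typing import Dict, Optional


class SlidingSessionStore:
    """Sessions with sliding expiration (constructed in-memory store; a real service
    would use Redis or a database). Each request by a live session extends its expiry
    by idle_timeout. absolute_max (an addition beyond the page's description) caps the
    total lifetime so that activity alone cannot keep a session alive forever."""

    def __init__(self, idle_timeout: int = 15 * 60,
                 absolute_max: Optional[int] = 8 * 3600) -> None:
        self.idle_timeout = idle_timeout
        self.absolute_max = absolute_max
        self._sessions: Dict[str, dict] = {}    # sid -> {user, created, expires}

    def create(self, sid: str, user: str, now: Optional[int] = None) -> None:
        now = int(time.time()) if now is None else now
        self._sessions[sid] = {"user": user, "created": now,
                               "expires": now + self.idle_timeout}

    def touch(self, sid: str, now: Optional[int] = None) -> Optional[str]:
        """Validate the session for a request at `now` and slide its expiry forward.
        Returns the user, or None if the session is unknown, idle-expired or past the
        absolute cap; an expired session is removed on the spot (the user is logged out)."""
        now = int(time.time()) if now is None else now
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        too_old = self.absolute_max is not None and now - sess["created"] >= self.absolute_max
        if now >= sess["expires"] or too_old:
            del self._sessions[sid]
            return None
        new_expiry = now + self.idle_timeout
        if self.absolute_max is not None:
            new_expiry = min(new_expiry, sess["created"] + self.absolute_max)
        sess["expires"] = new_expiry
        return sess["user"]

    def expires_at(self, sid: str) -> Optional[int]:
        sess = self._sessions.get(sid)
        return None if sess is None else sess["expires"]

    def sweep(self, now: Optional[int] = None) -> int:
        """Drop every idle-expired session (run periodically). Returns how many were removed."""
        now = int(time.time()) if now is None else now
        dead = [sid for sid, s in self._sessions.items() if now >= s["expires"]]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)


if __name__ == "__main__":
    store = SlidingSessionStore(idle_timeout=600, absolute_max=3600)
    store.create("s1", "alice", now=1000)
    print(store.touch("s1", now=1500), store.expires_at("s1"))   # alice 2100: extended
    print(store.touch("s1", now=2100))                           # None: idle for 600 s
```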