Introduction & History

Basic Auth

Session Based Authentication

Token Based Authentication

In this authentication mechanism, the client will make the first request to log in user, where it provides the credentials to the server.

• The server will check if the credentials are correct or not.
• If they are, the server will create and sign a token with its secret or private key, then sends back a 200 OK response to the client together with the signed access token.
• The reason it’s called access token is that later the client will use this token to get access to other resources on the server by embedding the token in the header with each request.
• Upon receiving the request, the server will verify if the provided token is valid or not. If it is valid, the request will be authorized, and a 200 OK response will be sent back to the client.

<aside> 💡 An access token normally has a lifetime duration before it gets expired. And during this time, the client can use the same token to send multiple requests to the server.

</aside>

Nowadays, token-based authentication has become more and more popular in the development of web and mobile applications.

There are many different types of tokens like JWT, Paseto etc.

JOSE

JOSE stands for JSON Object Signing and Encryption. It's a set of standards used to sign and encrypt data using JSON-based data structures.

JWA, JWE, JWK, JWS, and JWT are all part of JOSE.

https://stackoverflow.com/questions/74257560/what-is-the-difference-between-jose-jwa-jwe-jwk-jws-and-jwt

JWT

It is a base64 encoded string, composed of 3 main parts, separated by a dot.

The first part is the header of the token. When we decode this part, we will get a JSON object that contains the token type JWT, and the algorithm used to sign the token: eg. HS256.