web authentication

  1. choose how the user will authenticate
     1. Choose sessions, or JWTs with refresh tokens, to maintain user sessions.
     2. Persist the session id or JWT in a cookie or in LocalStorage.

libs for rolling out your own auth system:

using 3rd party auth services

Restoring session / State

To persist user data after the site is closed and reopened, instead of storing the user payload in local storage (like I've done in past projects), make an API call every time the user comes to the website (the browser sends the user's cookie along with it) and let the server decide who the user is.
(remember: JavaScript in the browser can't read or decode an HttpOnly cookie, so this lookup has to happen on the server)

id token vs access token

id token: OpenID Connect (OIDC)
access token: OAuth 2.0 authorization protocol

An id token identifies a user and is generally used for authentication: knowing who the user is.

An access token authorizes an application to access resources or perform actions on behalf of the user. For example, a Microsoft access token gives the app permission to use the user's OneDrive or the Microsoft Graph API.

When a user logs in with Google using OAuth, they generally have to consent to the specific resources (scopes) the app asks for.

OpenID Connect is for granting an id token that identifies the user. It piggybacks on existing 3rd-party auth servers to identify the user on our app; it is not interested in any 3rd-party resource or access token.

OAuth2 is like giving an app a key: the key is useful, but it doesn't tell the app who the user is or anything about them. OIDC is like giving the app a badge: the badge gives the client specific permissions but also provides basic info about the user.

Id tokens must be JWTs; an access token can be any string, but it is usually in JWT format.


some more in-depth videos of how OAuth and OIDC work