Web Authentication and Authorization

Authentication answers the question "Are you who you claim to be?" and is resolved with credentials: username/password, tokens, biometrics or multiple factors. Authorization answers "Do you have permission to do this?" and is implemented with roles, permissions and access policies.

A system can have robust authentication but poor authorization, allowing an authenticated user to access resources they should not reach. Both layers must be designed and maintained with the same level of rigour.

The classic model: the server creates a session after verifying credentials, stores its state in memory or a database and sends an identifier (session ID) to the client in an httpOnly, secure cookie. Each subsequent request includes this cookie to identify the user.

Sessions work well for monolithic applications with a single server. Their main limitation appears in distributed architectures, where keeping session state synchronised across multiple servers requires solutions like Redis or sticky sessions.

JWT is a standard (RFC 7519) for transmitting verifiable claims between parties. A JWT contains a payload with user data encoded in Base64 and digitally signed. The server does not need to store state: it validates the signature and extracts information directly from the token.

JWT is popular in microservice architectures and SPAs, but it has important limitations: an issued token cannot be revoked without additional mechanisms (blacklists or short-lived tokens with refresh tokens). Storing JWT in localStorage is vulnerable to XSS; httpOnly cookies are more secure.

OAuth 2.0 is a delegated authorization protocol: it allows an application to access a user’s resources on another service without knowing their credentials. OpenID Connect (OIDC) extends OAuth 2.0 by adding a standardised authentication layer.

When a user clicks "Login with Google", they are using OAuth 2.0/OIDC. The application receives an access token to call the provider’s API and an ID token with the user’s identity data. Providers like Auth0, Okta and Firebase Authentication simplify implementation.

Role-Based Access Control (RBAC) assigns permissions to roles and roles to users. It is the most widespread model due to its simplicity and clarity. A user with the "editor" role can create and modify content but cannot manage users or system settings.

For applications with more granular requirements, Attribute-Based Access Control (ABAC) evaluates user, resource and context attributes to make access decisions. Models like PBAC (Policy-Based) combine complex rules. Tools like Casbin, OPA (Open Policy Agent) or AWS IAM enable the implementation of these models.

SSO allows users to authenticate once and access multiple applications without repeating the login process. It reduces friction, improves user experience and centralises identity management. SAML 2.0 and OpenID Connect are the most widely used protocols.

In enterprise environments, SSO integrates with corporate directories like Active Directory or LDAP. Solutions like Okta, Azure AD and Google Workspace offer SSO as a service with support for MFA, conditional policies and centralised auditing.

Passwords are the weakest link in the authentication chain: they get reused, forgotten and leaked. Passwordless authentication eliminates this vector using alternatives like magic links via email, physical security keys (FIDO2/WebAuthn) or passkeys synchronised across devices.

Apple, Google and Microsoft already support passkeys, facilitating mass adoption. For web applications, WebAuthn is the W3C standard that enables biometric authentication (fingerprint, Face ID) directly from the browser without passwords.