7 Authentication Concepts
Know Authentication Concepts — Diagram Flows
Diagram Flows
01 · Password Auth & Hashing
```text
User                         Browser                        Server                        Database
 │                              │                              │                              │
 │─ Enter pw ──────────────────▶│                              │                              │
 │                              │─ POST /login ───────────────▶│                              │
 │                              │                              │─ Lookup user ───────────────▶│
 │                              │                              │◀─ Return hash ───────────────│
 │                              │                              │ bcrypt.compare()             │
 │                              │◀─ Set token ─────────────────│                              │
 │◀─ Access OK ─────────────────│                              │                              │
```
⚠️ Password is never stored in plaintext. bcrypt adds a random salt automatically.
Tune the cost factor to control how slow (and brute-force-resistant) the hash is.
02 · JSON Web Tokens (JWT)
```text
Client                     Auth Server                    API Server
 │                              │                              │
 │─ POST credentials ──────────▶│                              │
 │◀─ JWT (signed) ──────────────│                              │
 │                              │                              │
 │─ GET /data ────────────────────────────────────────────────▶│
 │ Authorization: Bearer <token>│                              │
 │                              │ verify signature             │
 │◀─ 200 OK + data ────────────────────────────────────────────│
```
Header.Payload.Signature — no DB lookup needed to verify.
Use short-lived access tokens (15 min) + longer-lived refresh tokens stored server-side.
03 · OAuth 2.0 (Authorization Code + PKCE)
```text
User                        Your App                      Auth Server                  Resource Server
 │                              │                       (Google/GitHub)                       │
 │─ Click SSO ─────────────────▶│                              │                              │
 │                              │─ Redirect + code_challenge ─▶│                              │
 │                              │   (PKCE)                     │                              │
 │◀─ Consent screen ───────────────────────────────────────────│                              │
 │─ Approve ──────────────────────────────────────────────────▶│                              │
 │                              │◀─ Auth code ─────────────────│                              │
 │                              │─ Code + verifier ───────────▶│                              │
 │                              │◀─ Access token ──────────────│                              │
 │                              │─ Bearer token ─────────────────────────────────────────────▶│
 │                              │◀─ User data ────────────────────────────────────────────────│
```
PKCE prevents auth code interception. Your app never sees the user's password.
Scopes limit exactly what data is shared.
04 · Multi-Factor Auth (TOTP)
```text
User                           App                     Auth Service                  TOTP Validator
 │                              │                              │                              │
 │─ Username + password ──────────────────────────────────────▶│                              │
 │                              │◀─ ✓ pw OK, need 2FA ─────────│                              │
 │◀─ Prompt 6-digit code ───────│                              │                              │
 │─ Enter TOTP ────────────────▶│                              │                              │
 │                              │─ Verify code ──────────────────────────────────────────────▶│
 │                              │                              │ secret + timestamp           │
 │                              │◀─ ✓ Valid window → grant session ───────────────────────────│
```
TOTP codes are valid for ~30-second windows.
SMS is weaker (SIM-swapping). Hardware keys (WebAuthn/FIDO2) are the strongest 2nd factor.
05 · Session Management
```text
Browser                      Server                  Session Store (Redis)
 │                              │                              │
 │─ POST /login ───────────────▶│                              │
 │                              │─ Save { userId, roles } ────▶│
 │                              │◀─ sessionId = abc123 ────────│
 │◀─ Set-Cookie ────────────────│                              │
 │  sid=abc123; HttpOnly; Secure; SameSite=Strict              │
 │                              │                              │
 │─ GET /dashboard ────────────▶│ (cookie auto-sent)           │
 │                              │─ Lookup sessionId ──────────▶│
 │                              │◀─ Session data ──────────────│
 │◀─ 200 OK + page ─────────────│                              │
```
HttpOnly blocks JS from reading the cookie.
SameSite=Strict prevents CSRF. Always rotate session ID after login.
06 · Role-Based Access Control (RBAC)
```text
User                     Auth Middleware                  RBAC Engine                     Resource
 │                              │                              │                              │
 │─ DELETE /posts/42 ──────────▶│                              │                              │
 │                              │─ user.roles vs delete:posts ▶│                              │
 │                              │◀─ role=editor → ─────────────│                              │
 │                              │   has permission ✓           │                              │
 │                              │─ Forward request ──────────────────────────────────────────▶│
 │                              │◀─ Also check: owns post? (ownership) ───────────────────────│
 │◀─ 200 OK / 403 Forbidden ────│                              │                              │
```
Roles are assigned to users; permissions are assigned to roles — never directly to users.
Always check authorization at the resource level, not just the route level.
07 · Rate Limiting & Brute Force Defense
```text
Attacker               Rate Limiter (Edge)                Auth Server                 Anomaly Detector
 │                              │                              │                              │
 │─ 1000 login attempts/min ───▶│                              │                              │
 │◀─ 429 Too Many Requests ─────│                              │                              │
 │   (after 5 fails)            │                              │                              │
 │                              │─ Log suspicious IP ────────────────────────────────────────▶│
 │                              │◀─ Block IP / trigger CAPTCHA ───────────────────────────────│
 │                              │                              │                              │
 │ (legitimate traffic only)    │                              │                              │
 │─ Login attempt ─────────────▶│─ Pass through ──────────────▶│                              │
```
Apply limits per-IP and per-account.
Use exponential backoff with jitter. Alert on distributed attacks (many IPs, same target).
Summary
| # | Concept | Key Principle |
|---|---|---|
| 01 | Password Hashing | bcrypt/Argon2 with salt — never plaintext |
| 02 | JWT | Stateless, signed tokens — verify without DB |
| 03 | OAuth 2.0 | Delegated auth — PKCE + auth code flow |
| 04 | MFA / TOTP | Time-based second factor — hardware keys best |
| 05 | Sessions | HttpOnly + Secure + SameSite cookies |
| 06 | RBAC | Roles → Permissions → Resources |
| 07 | Rate Limiting | Throttle per-IP + per-account + alerting |
