The process of verifying that a user is who they claim to be. For instance, using a name and a secret phrase (a password) to verify that you are that user.
The act of verifying that a user is allowed to do what they are trying to do. For example: can godzilla@monster-fights.com request to schedule a new fight?
- based on sessions
- validated based on domains
- stateful
- a temporarily valid string, signed with a public/private key pair
- decoupled from domains
- stateless
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
OAuth (Open Authorization) is an open standard for token-based authentication and authorization on the Internet.