I'm a bit confused about the terminology surrounding authentication methods used in web applications. When people mention options like token-based or cookie-based authentication, and even OAuth 2.0 or OIDC, it seems like there's a lot of overlap and ambiguity. From what I understand, token and cookie-based methods come into play after a user has been initially authenticated, creating a session for a certain period. It doesn't seem right to say that OAuth is an alternative to cookies or JWTs since they serve different purposes. How should I interpret questions like "what type of authentication are you planning to use for your website?" Am I misunderstanding something here?
3 Answers
OAuth 2.0 is actually about authorization, not authentication. For example, if you sign in to a site using your Google account, you're giving permission via OAuth and then getting redirected back with a code. Your server uses that code to access your Google data, which confirms your identity but is part of the authorization process. After that, you'd typically create a session for the user using cookies or JWTs for ongoing authentication.
Many people tend to lump these concepts together even though they are distinct. Think of it this way: servers are a type of software, but we often refer to the physical machines they're on as servers too. It’s a simplification that blends these categories.
The way we define authentication can vary, especially across different tech stacks. In my field, we usually think of authentication as the process that verifies a user on each server request, whether that’s through cookies or JWTs. But when talking about signing in, we often refer to methods like SSO, magic links, or traditional passwords. It helps to clarify the context when discussing authentication to avoid confusion.
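The two things the answers keep apart, a one-time sign-in through an authorization-code exchange and a per-request session check, can be seen side by side in a small simulation. The following is an added example, not code from the question or any of the answers: `FakeIdentityProvider` stands in for a third-party provider (constructed, in-memory, no network), `AppServer` is the hypothetical website, and the session token is an HMAC-signed JWT-like value rather than any real library's format.

```python
"""Added example (not from the question or answers): the provider-facing
code exchange runs once at sign-in; the signed session token is what is
verified on every later request, with no provider involved."""
import base64
import hashlib
import hmac
import json
import secrets
import time


class FakeIdentityProvider:
    """Constructed stand-in for an external provider. authorize() plays the
    part of the redirect that hands back a code; exchange_code() redeems it
    exactly once, as an authorization-code endpoint would."""

    def __init__(self):
        self._codes = {}  # code -> (subject, email, expiry timestamp)

    def authorize(self, subject, email, now=None):
        now = now or time.time()
        code = secrets.token_urlsafe(16)
        self._codes[code] = (subject, email, now + 60)  # short-lived code
        return code

    def exchange_code(self, code, now=None):
        now = now or time.time()
        entry = self._codes.pop(code, None)  # single use: gone after one exchange
        if entry is None or entry[2] < now:
            return None
        return {"sub": entry[0], "email": entry[1]}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AppServer:
    """Hypothetical website. secret is the server-side HMAC key; session_ttl
    is how long a minted session stays valid (seconds)."""

    def __init__(self, idp, secret: bytes, session_ttl: int = 3600):
        self.idp = idp
        self.secret = secret
        self.ttl = session_ttl

    def _sign(self, body: str) -> str:
        return _b64(hmac.new(self.secret, body.encode(), hashlib.sha256).digest())

    def callback(self, code, now=None):
        """Sign-in step (runs once): redeem the code with the provider, then
        mint a signed session token carrying the subject and an expiry."""
        now = now or time.time()
        claims = self.idp.exchange_code(code, now=now)
        if claims is None:
            return None
        payload = {"sub": claims["sub"], "exp": int(now + self.ttl)}
        body = _b64(json.dumps(payload, separators=(",", ":")).encode())
        return f"{body}.{self._sign(body)}"

    def authenticate_request(self, token, now=None):
        """Per-request step: check signature and expiry locally. Returns the
        subject on success, None on a missing, tampered or expired token."""
        now = now or time.time()
        try:
            body, sig = token.split(".")
        except (ValueError, AttributeError):
            return None
        if not hmac.compare_digest(sig, self._sign(body)):
            return None
        payload = json.loads(_unb64(body))
        if payload["exp"] < now:
            return None
        return payload["sub"]


if __name__ == "__main__":
    idp = FakeIdentityProvider()
    app = AppServer(idp, secret=b"constructed-demo-secret")
    code = idp.authorize("user-42", "user42@example.test")  # constructed user
    token = app.callback(code)          # once, at sign-in
    print(app.authenticate_request(token))  # on every request -> user-42
    print(app.callback(code))           # reusing the code fails -> None
```

Swapping the signed token for an opaque random id looked up in a server-side table turns this into the cookie-based variant the answers mention; `callback` and the provider exchange stay exactly the same, which is the point: the sign-in method and the session mechanism answer two different questions.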