I came across a series of videos about how authentication works on YouTube (https://www.youtube.com/watch?v=fbSVgC8nGz4; Mr. Stuart Kwan is just an amazing instructor!) which helped me become less ignorant of this field.

It appears that modern web authentication involves a third-party identity provider in addition to the browser (customer) and the website. The key advantage of this structure is that, when visiting multiple websites, instead of remembering a different name and password for each, the customer only needs to present the same identity proof (e.g., name and password, smartcard, authenticator) to one identity provider, as long as that identity provider is trusted by all of these websites. Under the prerequisites that the website trusts the identity provider and knows the identity provider's signing keys, a typical authentication process proceeds as follows:

  • A sign-in request is sent from the browser to the website.
  • The website sends an authentication request to the identity provider, using the browser as the intermediary.
  • The customer provides identity proof to the identity provider.
  • After the proof is verified, the identity provider sends a token back to the website through the browser.
  • Now the website can validate the token because it knows the identity provider's signing keys.

For subsequent requests from the same customer, the website may use the cookie it put on the browser during the initial authentication process to avoid going through the above process again.

Just to elaborate a bit on the cookie (as I have seen this word for years but never knew its meaning until today): in layman's terms, an HTTP cookie is a piece of information that the website wants the browser to send back on every subsequent request. It appears that cookies are the key to defining a session with the website, which also helps me understand sessions a bit better, but apparently there is still a long way to go before I have a systematic knowledge of the whole thing. Nevertheless, I am one step closer to it.
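A stripped-down model of the flow described above, added here as an example (it is not code from this post or from the videos it cites): the identity provider signs a token, the website validates it with the provider's key, and the website then puts a session cookie on the browser so later requests skip the round trip. The hostnames, the key and the use of HMAC-SHA256 with a key shared between provider and website are assumptions; real providers usually sign with a private key and publish the public half.

```python
import base64, hashlib, hmac, json, secrets

# Constructed values: the shared HMAC key stands in for the provider's signing keys.
IDP_SIGNING_KEY = b"constructed-idp-key"
IDP = "https://idp.example"
WEBSITE = "https://shop.example"          # audience the token is issued for
SESSIONS = {}                              # website's server-side store: session id -> user

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def idp_issue_token(subject, audience, now, ttl=300):
    """Step 4: after verifying the customer's proof, the provider returns a signed token."""
    claims = {"iss": IDP, "sub": subject, "aud": audience, "iat": int(now), "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def website_validate_token(token, now):
    """Step 5: the website checks signature, issuer, audience and expiry; None on any failure."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):   # constant-time comparison
        return None
    claims = json.loads(_unb64(body))
    if claims.get("iss") != IDP or claims.get("aud") != WEBSITE:
        return None                                       # token meant for someone else
    if now >= claims.get("exp", 0):
        return None                                       # expired
    return claims

def website_start_session(claims):
    """After validation, the website hands the browser an opaque, HttpOnly session cookie."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = claims["sub"]
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"

def website_user_from_cookie(cookie_header):
    """Subsequent request: resolve the cookie instead of repeating the provider round trip."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return SESSIONS.get(value)
    return None
```

The cookie value is a random identifier, not the token itself, so the browser never holds anything it could replay against the identity provider.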