This is a good question for general knowledge. The answer isn’t specific to React. I’ll try to explain several methods.
Given I am a user and I want to view my profile page, I must first log in before I can view my profile.
First a very basic summary of authentication:
- Becoming Authenticated
As a user, I send my login credentials through the browser; the server validates my credentials and sends back some type of proof of authentication. This proof of authentication is stored in the browser and sent to the server in subsequent requests as proof of being authenticated.
- Validating Authentication
There are two parts to validating authentication: the browser must send some proof of authentication to the server (typically in a cookie), and the server must validate this proof rather than blindly accept it as true.
Server Side Sessions
A simple login mechanism is server side sessions. With this method the server keeps a cache of users who have authenticated. Whenever a request comes in, the server will check the cookie (which is automatically sent to the server by the browser and is typically where the proof of being authenticated is stored) and the server's cache (to validate the data from the cookie). If the user is authenticated the server will allow them to see content that would otherwise be hidden, such as the user's profile page.
A limitation of this method is that the cache is stored on a single server. If there is a lot of traffic the server will struggle to handle all of the requests, slow down, and possibly crash. The only way to improve the server's performance is to upgrade physical components like RAM and CPU. This is called vertical scaling. This is in contrast to horizontal scaling, which involves adding more servers to help share the load. If you tried to combine server side sessions with horizontal scaling, a user may log in on server #1, but the next request may be handled by server #2, which they haven’t logged into. When that happens server #2 would ask the user to log in again. As you can see, that would be a very bad experience for users.
Database Authentication (I can’t remember if there is a better name for this method)
Storing the user's authentication data in a database is one way to overcome the limitations of server side sessions. In this scenario a user will log in on server #1, and server #1 will store the authentication in the database. Now a subsequent request may be handled by server #2. Server #2 will check the database to see if the user is logged in and find the data that was stored by server #1. So now the application may be scaled horizontally as well as vertically. However, the bottleneck for scalability is now the authentication database, since every server must query it for authentication.
JWT (JSON Web Tokens)
A JWT is a string of characters like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
It contains all of the information that a server needs to authenticate a user. This makes a JWT stateless, since the state of being logged in is stored in the token itself and not on the server or in a database. Whenever a user authenticates the server sends the browser the JWT; the browser will store this token and send it in all subsequent requests to the server as proof of being authenticated (again, a cookie is commonly used for this purpose). Now whenever an application needs to scale horizontally it’s not dependent on looking up login information in a database; it can simply validate the JWT and then allow the user to see his profile page.
OAuth is an authentication protocol built around using JWT for authentication. Auth0 is a company/service that handles the implementation details of authentication for you. As you can see on the company website they offer Single Sign On, Multi-Factor Authentication and more.
I recommend that you spend some time learning more about JWT. However, in most scenarios you won’t be required to implement authentication yourself. You’ll just need a basic understanding of how it works and the tradeoffs between various methods. You’ll also need to understand the security risks and how authentication can be compromised.
I’ve been meaning to blog about this topic. So thanks for getting me started.