

Auth includes both Authentication ('authn') and Authorization ('authz').

Auth can be tricky because it touches all parts of the stack, including remote services that are only used for auth. Hang in there!

Authentication ('authn')

Who are you?

Associating a session with a person. (A 'user'.)

Authorization ('authz')

What can you do? Do you have permission to look at that?


A standard way of delegating authorization to a third party.
OAuth 2.0 — OAuth

Diagram for describing the different flows:
OAuth2 Introduction Through Flow Diagrams in 5-minutes - Blog

A description based on Google APIs
The principles are the same for any other OAuth2 flow.
OAuth 2.0 for Client-side Web Applications | Google Identity


Most web frameworks provide auth out of the box, or a way to integrate auth.

The exact system will vary from project to project and team to team.

The underlying concepts and core requirements stay the same.

The Auth system must run on a server operated by the service being protected. It will always be part of an API.


API == Application Programming Interface == server side == back end

Client == browser == ui == javascript

SSO == Single Sign On == Authentication Server

Process Overview

The process starts on the Client Side when the user requests to log in to start a new session.

The client redirects to the login service with a return route: the address where the login service should send the browser back, so that your API can validate the returned token within the service you provide.

'login' vs 'sign in' vs 'verify' vs 'user' vs 'person'


'sign up' vs 'register' vs 'new account'

TODO - path to client side login component


Initiates SSO requests by redirecting the browser to the centralized authentication server with a return service to call once the user authenticates.

The SSO server redirects the browser back to the calling service with a token. The return token is passed as a GET parameter on the URL.

TODO - path to client side verification component (if different from login)


Then, the client passes the token it got back from SSO down to the API (to initiate the session).

[ Server request happens in here]

The API processes the token, and then works with the UI client to show relevant data to the user who authenticated with the authentication server.

The API also provides a JWT that gets passed back to the client.

The location the JWT gets stored is handled by logic on the client side.

TODO - JWT is currently stored in

Inspector -> Storage -> Local Storage

Inspector -> Storage -> Cookies

Removing the JWT will log out the session


Most auth systems assume you'll bring your own database.

When setting up a new system, it's a good time to include migrations.

user: {
  roles: []
}

Django has a well designed permission system.


Cypress Testing

Comparing Auth from Supabase, Firebase, Auth.js, Ory, Clerk and others

Solutions / Topics

A wealth of solutions available:
oauth2 · GitHub Topics
authentication · GitHub Topics
authorization · GitHub Topics
sso-authentication · GitHub Topics
saml · GitHub Topics
user-management · GitHub Topics · GitHub
users · GitHub Topics · GitHub
iam · GitHub Topics
identity · GitHub Topics



Leveraged by Supabase
supabase github at DuckDuckGo
supabase/gotrue: A JWT based API for managing users and issuing JWT tokens
supabase/gotrue-js: An isomorphic Javascript library for GoTrue.
supabase/docker-compose.yml at master · supabase/supabase · GitHub
supabase/.env.example at master · supabase/supabase · GitHub

supertokens github at DuckDuckGo
Repository search results · GitHub
supertokens server to server at DuckDuckGo
SuperTokens, Open Source Authentication
User Recipes | SuperTokens Docs
Introduction | SuperTokens Docs
Creating a JWT | SuperTokens Docs
Repository search results · GitHub

casbin/casbin: An authorization library that supports access control models like ACL, RBAC, ABAC in Golang
casbin server to server at DuckDuckGo


Ory looks like a great hardened solution. Given the importance of getting auth correct, I'd prefer to make use of a robust system.

A good overview:

Setting up Oauth2 provider with Ory:

Check for open ports

sudo ss -atuln | grep '9000\|9001\|9010\|9020'

This looks like a well-configured container setup for Ory modules:
radekg/ory-reference-compose: Reference ORY Docker Compose setup
ORY reference Docker Compose and thoughts on the platform |
ory docker compose at DuckDuckGo
oauth2 ory at DuckDuckGo
ory/hydra-login-consent-node: This is an ExpressJS reference implementation for the ORY Hydra User Login and Consent interface written in TypeScript and ExpressJS.


Container ready SSO provider with 2 Factor Authentication (2FA). Works behind reverse-proxies.

One potential gotcha:

The only way Authelia can share information about the authenticated user currently is through the use of four HTTP headers: Remote-User, Remote-Name, Remote-Email and Remote-Groups. Those headers are returned by Authelia on requests to /api/verify and must be forwarded by the reverse proxy to the backends needing them.
Proxy Integration - Authelia

Should be easy enough to consume those headers as needed.
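As an added example (not Authelia's code and not part of this page), here is what "consuming those headers" looks like on the API side, tied back to the `user: { roles: [] }` model and the permission check from the authorization notes above: build a user object from the four forwarded headers, treat the groups as roles, and guard a route with a deny-by-default permission check. The group names, the permission table and the `/auth`-style Express request/response shape are assumptions; so is treating Remote-Groups as a comma-separated list. The check only means anything if the API is reachable solely through the reverse proxy that sets these headers, since otherwise a client could send its own Remote-User.

```javascript
// Added example: turn the Remote-* headers forwarded by the reverse proxy
// into a { roles: [] } user and run a deny-by-default permission check.
// Assumption: the API is only reachable via the proxy, which strips any
// client-supplied Remote-* headers before setting its own.

// Assumed permission table (constructed for illustration).
const ROLE_PERMISSIONS = {
  admin: ['report:read', 'report:write', 'user:manage'],
  analyst: ['report:read'],
};

// Node lower-cases incoming header names, so look them up in lower case.
// Returns null when there is no Remote-User, so callers never proceed
// with an empty identity by accident.
function userFromAutheliaHeaders(headers) {
  const get = (name) => headers[name.toLowerCase()];
  const username = get('Remote-User');
  if (!username) return null;
  // Assumption: Remote-Groups is a comma-separated list of group names.
  const groups = (get('Remote-Groups') || '')
    .split(',')
    .map((g) => g.trim())
    .filter(Boolean);
  return {
    username,
    name: get('Remote-Name') || '',
    email: get('Remote-Email') || '',
    roles: groups,
  };
}

// Deny by default: granted only if some role the user holds lists the
// permission. Roles missing from the table contribute nothing.
function hasPermission(user, permission) {
  if (!user) return false;
  return user.roles.some((role) =>
    (ROLE_PERMISSIONS[role] || []).includes(permission));
}

// Express-style guard: 403 unless the forwarded headers name a user who
// holds the permission; otherwise attach the user and continue.
function requirePermission(permission) {
  return (req, res, next) => {
    const user = userFromAutheliaHeaders(req.headers);
    if (!hasPermission(user, permission)) {
      res.status(403).json({ error: 'forbidden' });
      return;
    }
    req.user = user;
    next();
  };
}

// Constructed sample of what the proxy forwards for one request.
const sampleHeaders = {
  'remote-user': 'jdoe',
  'remote-name': 'Jane Doe',
  'remote-email': 'jdoe@example.com',
  'remote-groups': 'analyst, staff',
};
```

Usage: `app.get('/reports', requirePermission('report:read'), handler)`. Roles that the permission table does not know (`staff` above) grant nothing, which is the behaviour you want when a new group appears in the directory before anyone has decided what it may do.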

How to tie this in with an OAuth model?
authelia/authelia: The Single Sign-On Multi-Factor portal for web apps
authelia/docker-compose.yml at master · authelia/authelia
Authelia - Authentication server providing two-factor and SSO
Home - Authelia
Features - Authelia
Architecture - Authelia
Getting Started - Authelia
Deployment - Authelia
Deployment - Lite - Authelia
authelia integrate with API at DuckDuckGo
Architecture - Authelia
Session - Authelia
authelia get user from session cookie at DuckDuckGo
Authelia ? : selfhosted
Protect your application on kubernetes with authelia | by Pritish Payaningal | Medium
k8s/07_test_application_authelia.yaml at master · findpritish/k8s
findpritish/k8s: Kubernetes
Tim Hockin (@thockin) on Speaker Deck
k8s/authelia at master · findpritish/k8s
Session - Authelia
authelia get user from session cookie - Google Search


Seems to be a standard choice.
keycloak · GitHub Topics

Sounds big based on:
ORY reference Docker Compose and thoughts on the platform |

simov/grant: OAuth Proxy

A very popular library that could be applied in any number of Javascript API contexts.

Feathers uses this one under the hood.

goauthentik/authentik: The authentication glue you need.
jaredhanson/passport: Simple, unobtrusive authentication for Node.js.

Auth touches on many related topics


If a user requests a protected resource, first they'll need to authenticate with the system. It's always best when the system remembers where they were headed and redirects back once the auth process completes.

Make use of the client's local storage to remember where to return.

Redirects are processed / handled by ui/src/pages/login.vue

But where should they be initiated (e.g. added to the URL)? On the API side, when a token verification is made.
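As an added example (not the page's `ui/src/pages/login.vue`), here is the browser side of the SSO round trip from the Process Overview together with the "remember where they were headed" logic from this section, written as plain functions so it runs outside a browser. Storage is passed in (anything with `getItem`/`setItem`/`removeItem`, such as `window.localStorage`); the SSO server address, the `redirect` and `token` parameter names, the `/auth/verify` API route and the fake API are assumptions, not values from the page. The one check worth noticing is `safeReturnPath`: a remembered destination read back from storage is only honoured when it is a same-origin relative path.

```javascript
// Added example: client-side SSO flow with a remembered return path.
// Storage and fetch are injected so the same code runs in Node and in a
// browser (pass window.localStorage and window.fetch there).

const RETURN_PATH_KEY = 'auth.returnPath';
const JWT_KEY = 'auth.jwt';

// Only remember a same-origin, relative path. Anything carrying a scheme
// or host ('https://other.example', '//other.example') falls back to '/'
// so the post-login redirect cannot be pointed off-site.
function safeReturnPath(path) {
  if (typeof path !== 'string') return '/';
  if (!path.startsWith('/') || path.startsWith('//') || path.startsWith('/\\')) return '/';
  return path;
}

// Step 1: the user asked for a protected page. Remember it, then build the
// URL that sends the browser to the SSO server with our callback route.
// Assumed parameter name: 'redirect'.
function beginLogin({ storage, ssoBase, appOrigin, requestedPath }) {
  storage.setItem(RETURN_PATH_KEY, safeReturnPath(requestedPath));
  const url = new URL('/login', ssoBase);
  url.searchParams.set('redirect', `${appOrigin}/login`);
  return url.toString();
}

// Step 2: SSO sent the browser back with the token as a GET parameter.
// Assumed parameter name: 'token'.
function tokenFromReturnUrl(href) {
  return new URL(href).searchParams.get('token');
}

// Step 3: hand the SSO token down to the API, which validates it and
// answers with the session JWT. Returns the path to send the user on to.
async function completeLogin({ storage, apiBase, href, fetchImpl }) {
  const token = tokenFromReturnUrl(href);
  if (!token) throw new Error('no token in return URL');
  const resp = await fetchImpl(`${apiBase}/auth/verify`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ token }),
  });
  if (!resp.ok) throw new Error(`API rejected token: ${resp.status}`);
  const { jwt } = await resp.json();
  storage.setItem(JWT_KEY, jwt);
  const returnPath = safeReturnPath(storage.getItem(RETURN_PATH_KEY));
  storage.removeItem(RETURN_PATH_KEY);
  return returnPath;
}

// Removing the JWT is what logs the session out.
function logout(storage) {
  storage.removeItem(JWT_KEY);
}

function isLoggedIn(storage) {
  return Boolean(storage.getItem(JWT_KEY));
}

// Constructed in-memory stand-in for localStorage, for running offline.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Constructed fake API: accepts exactly one SSO token and issues a dummy JWT.
async function fakeFetch(url, init) {
  const { token } = JSON.parse(init.body);
  const ok = url.endsWith('/auth/verify') && token === 'sso-token-123';
  return {
    ok,
    status: ok ? 200 : 401,
    json: async () => ({ jwt: 'header.payload.signature' }),
  };
}
```

In a real page, `beginLogin` ends with `window.location.assign(url)` and `completeLogin` runs on the `/login` route with `window.location.href`; the return path is cleared as soon as it is used so a stale destination cannot resurface on a later login.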


Sessions keep track of someone after they've logged in to the system.

JWTs form the foundation for most authenticated sessions these days.

Cookies are another solution for browser based sessions.


Identity Access Management

Umbrella term for systems that manage permissions for organizations?

Home - OpenIAM - Open Source Identity Governance & Administration, Web Access Management, MFA and CIAM Platform
IAM vs LDAP at DuckDuckGo
Authentication vs. Federation vs. SSO | by Robert Broeckelmann | Medium
Difference between Active directory and Identity and Access management - Stack Overflow