Mastering Authentication & Authorization: From Basic Auth to JWT and RBAC

This beginner-friendly guide explains core authentication mechanisms, the OAuth2.0 flow, token types, the role of refresh tokens, JWT pitfalls, and RBAC design, providing a solid foundation for secure backend development.


This article is a beginner-friendly overview of authentication (who is the caller?) and authorization (what may the caller do?), two things a backend has to get right before anything else is built on top of it.

Common Authentication Mechanisms

Basic Auth: Sends the username and password in the HTTP Authorization header on every request, Base64-encoded but not encrypted. It offers no logout and exposes the password on every call, so it is only acceptable over TLS for simple machine-to-machine or internal use and is rarely used for user-facing applications today.

Cookie‑Session: The server keeps the session state and hands the browser an opaque session ID in a cookie. Session storage consumes server resources; in a cluster every node must be able to see it, which requires sticky sessions or a shared session store; and non-browser clients such as mobile apps have to manage the cookie themselves. Because the browser attaches the cookie automatically, CSRF protection is required.

Authorization Code Flow: The OAuth 2.0 flow used for social and mobile sign-in. The user authenticates with the identity provider, which returns a short-lived authorization code to the application; the application exchanges the code for a token on the back channel. The user's password is never shared with the application.

Token Auth: The client presents a token string, usually in the Authorization header, instead of a cookie. The server holds no session state, so it scales across a cluster, and it is not exposed to CSRF as long as the token travels in a header rather than in a cookie the browser sends automatically. It is often implemented with JWT.
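To make the Basic Auth point concrete, here is an added Python example (not code from the original article) that builds the header a client would send, shows that anyone who sees the header can recover the password by decoding it, and verifies it on the server side against a salted PBKDF2 hash using a constant-time comparison. The user store, the user "alice", her password, the fixed salt and the round count are all constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed user store for the example. Passwords are never kept in clear text:
# each entry holds a salt and a PBKDF2-HMAC-SHA256 hash of the password.
# A fixed salt keeps the example deterministic; real code uses os.urandom(16) per user.
_SALT = bytes(16)
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


USERS = {"alice": (_SALT, hash_password("correct horse battery staple", _SALT))}


def make_basic_header(user: str, password: str) -> str:
    """What a client sends: Base64 of 'user:password'. Encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def decode_basic_header(header_value: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from an Authorization header; None if malformed.
    Anyone who sees the header (proxy logs, a non-TLS hop) can do exactly this."""
    scheme, _, payload = header_value.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        raw = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")   # RFC 7617: only the first colon splits
    if not sep or not user:
        return None
    return user, password


def authenticate_basic(header_value: str) -> Optional[str]:
    """Return the authenticated username, or None.
    The password is hashed even for unknown users so response time does not reveal
    which usernames exist, and hashes are compared in constant time."""
    creds = decode_basic_header(header_value)
    if creds is None:
        return None
    user, password = creds
    salt, stored = USERS.get(user, (_SALT, bytes(32)))   # dummy hash of the right length
    candidate = hash_password(password, salt)
    if user in USERS and hmac.compare_digest(candidate, stored):
        return user
    return None
```

The only thing protecting the credential in transit is TLS; the application itself gains nothing from the encoding, which is why the mechanism is reserved for simple internal or service-to-service calls.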

OAuth 2.0 Authorization Protocol Process

OAuth 2.0 (RFC 6749) is a specification, not an implementation. Its authorization code grant proceeds as follows:

The client redirects the user (the resource owner) to the authorization server and waits for the user to authenticate and consent.

After consent, the authorization server (e.g., WeChat's) redirects the user back to the client's registered redirect URI with a short-lived, single-use authorization code, echoing the state value the client sent.

The client checks that the state matches, then sends the code, its own client credentials and the redirect URI to the authorization server's token endpoint.

The authorization server validates the code (unused, unexpired and issued to this client for this redirect URI) and returns an access token and, usually, a refresh token.

The client uses the access token to request resources from the resource server.

The resource server validates the token and returns the requested data.

What Types of Tokens Exist?

Access token: A short-lived credential the client presents to the resource server.

Refresh token: A longer-lived credential presented only to the authorization server to obtain new access tokens.

Authorization code: A single-use, short-lived code returned on the redirect and exchanged for tokens on the back channel.

Bearer token: Not a separate kind of token but the way access tokens are usually presented (token_type "Bearer", sent as Authorization: Bearer <token>). Whoever holds it can use it, so it must only ever travel over TLS.

What Is the Purpose of a Refresh Token?

Access tokens are deliberately short-lived. When one expires, the client sends its refresh token to the authorization server's token endpoint and receives a new access token, and with rotation a new refresh token, without sending the user back through the consent step. A refresh token is a long-lived credential: store it securely, bind it to the client that obtained it, and invalidate it once it has been used so that a stolen copy cannot be replayed.
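The authorization code flow described above and the refresh step in this section share the same moving parts, so here is one added Python example (not code from the original article or from any real provider) that models both sides in a single process: an authorization server that issues single-use codes bound to the client and redirect URI, a token endpoint that authenticates the client, an introspection check standing in for the resource server, and a refresh grant that rotates the refresh token. The client "app", its secret, the redirect URI, the user "alice", the TTL values and the fake clock are all constructed for the walk-through; a real deployment would also use PKCE and deliver these messages over HTTPS.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

CODE_TTL = 60                 # authorization codes: single-use, short-lived (seconds)
ACCESS_TTL = 15 * 60          # access tokens expire quickly
REFRESH_TTL = 30 * 24 * 3600  # refresh tokens live longer and are rotated on use


@dataclass
class AuthorizationServer:
    clients: Dict[str, dict]                      # client_id -> {"secret", "redirect_uri"}
    now: Callable[[], float] = time.time          # injectable clock so expiry can be tested
    _codes: Dict[str, dict] = field(default_factory=dict)
    _access: Dict[str, dict] = field(default_factory=dict)
    _refresh: Dict[str, dict] = field(default_factory=dict)

    def authorize(self, client_id: str, redirect_uri: str, user: str, state: str) -> dict:
        """Steps 1-2: after consent, redirect back with a code bound to this client,
        this redirect_uri and this user, echoing the client's state."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "user": user, "exp": self.now() + CODE_TTL}
        return {"code": code, "state": state}

    def token(self, code: str, client_id: str, client_secret: str, redirect_uri: str) -> dict:
        """Steps 3-4: exchange the code for tokens. The code is consumed on first use."""
        rec = self._codes.pop(code, None)
        self._check_client(client_id, client_secret)
        if (rec is None or rec["exp"] < self.now() or rec["client_id"] != client_id
                or rec["redirect_uri"] != redirect_uri):
            raise PermissionError("invalid, expired or replayed authorization code")
        return self._issue(rec["user"], client_id)

    def refresh(self, refresh_token: str, client_id: str, client_secret: str) -> dict:
        """Refresh grant: new pair issued, presented refresh token and its access token retired."""
        self._check_client(client_id, client_secret)
        rec = self._refresh.pop(refresh_token, None)
        if rec is None or rec["client_id"] != client_id or rec["exp"] < self.now():
            raise PermissionError("invalid or expired refresh token")
        self._access.pop(rec["access"], None)
        return self._issue(rec["user"], client_id)

    def introspect(self, access_token: str) -> Optional[str]:
        """Step 6: the resource server checks the token; returns the user or None."""
        rec = self._access.get(access_token)
        if rec is None or rec["exp"] < self.now():
            return None
        return rec["user"]

    def _check_client(self, client_id: str, client_secret: str) -> None:
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")

    def _issue(self, user: str, client_id: str) -> dict:
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = {"user": user, "exp": self.now() + ACCESS_TTL}
        self._refresh[refresh] = {"user": user, "client_id": client_id, "access": access,
                                  "exp": self.now() + REFRESH_TTL}
        return {"access_token": access, "refresh_token": refresh,
                "token_type": "Bearer", "expires_in": ACCESS_TTL}


class FakeClock:                      # controllable clock for the walk-through
    def __init__(self, start: float = 1_700_000_000.0): self.t = start
    def __call__(self) -> float: return self.t
    def advance(self, seconds: float) -> None: self.t += seconds


def _fails(action: Callable[[], object]) -> bool:
    try:
        action()
    except PermissionError:
        return True
    return False


def run_flow() -> dict:
    """Client-side walk-through of the whole exchange; returns the outcome of each check."""
    clock = FakeClock()
    srv = AuthorizationServer(
        clients={"app": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"}},
        now=clock)
    state = secrets.token_urlsafe(16)                      # client's anti-CSRF nonce
    cb = srv.authorize("app", "https://app.example/cb", user="alice", state=state)
    out = {"state_matches": cb["state"] == state}          # client must check this first
    tokens = srv.token(cb["code"], "app", "s3cret", "https://app.example/cb")
    out["user"] = srv.introspect(tokens["access_token"])
    out["code_replay_rejected"] = _fails(
        lambda: srv.token(cb["code"], "app", "s3cret", "https://app.example/cb"))
    clock.advance(ACCESS_TTL + 1)                          # access token expires...
    out["expired_access_rejected"] = srv.introspect(tokens["access_token"]) is None
    fresh = srv.refresh(tokens["refresh_token"], "app", "s3cret")  # ...so refresh it
    out["refreshed_user"] = srv.introspect(fresh["access_token"])
    out["old_refresh_rejected"] = _fails(
        lambda: srv.refresh(tokens["refresh_token"], "app", "s3cret"))
    return out
```

Two design choices carry most of the security value: the authorization code is popped from the store before it is validated, so a replayed or intercepted code fails even when the first use also failed, and a refresh token is retired the moment it is used, so a stolen copy stops working as soon as the legitimate client refreshes.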

JWT Token Authentication Scheme

JSON Web Token (JWT, RFC 7519) is a compact, signed token format widely used in front‑end/back‑end separated distributed projects. A token is three Base64url‑encoded parts joined by dots: header, payload, and signature.

Issues with JWT:

Once issued, a JWT remains valid until its exp claim passes; the server cannot cut it short unless it keeps state. The header and payload are only Base64url‑encoded, not encrypted, so anyone holding the token can read the claims. Never put secrets in the payload.

Because the token itself carries the session, the back end has no record of live sessions, which makes logout, forced sign‑out and session limits difficult.

Therefore, many implementations keep a server‑side record of issued or revoked tokens (for example in Redis, keyed by the jti claim) and consult it on every request. This restores revocation at the price of the statelessness JWT was chosen for. Independently of that, the verifier must pin the signing algorithm it expects rather than trusting the alg field in the token's own header.
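The following added Python example (not code from the original article) implements HS256 JWT issuance and verification with the standard library only, and exercises each pitfall named above: the payload is readable without the key, the signature must match, the algorithm is pinned so an alg=none token is rejected, expiry is enforced, and revocation is handled through a server-side set of jti values that stands in for the Redis store mentioned in the text. The key, the claims and the in-memory revocation set are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ALG = "HS256"   # the only algorithm this verifier accepts; never trust the token's own alg


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8"))


def sign_jwt(claims: dict, key: bytes) -> str:
    """header.payload.signature, signed with HMAC-SHA256 over 'header.payload'."""
    signing_input = _segment({"alg": ALG, "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def peek_claims(token: str) -> dict:
    """The payload is readable by anyone: Base64url is encoding, not encryption."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def unsigned_token(claims: dict) -> str:
    """What an attacker submits hoping the verifier honours alg=none (empty signature)."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."


# Stand-in for the server-side store (e.g. a Redis set) of revoked token IDs (jti).
REVOKED_JTI = set()


def revoke(token: str) -> None:
    """Logout / forced sign-out: remember the jti at least until the token would expire."""
    REVOKED_JTI.add(peek_claims(token).get("jti"))


def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is authentic, unexpired and not revoked; else None."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:              # wrong segment count, bad base64 or bad JSON
        return None
    if header.get("alg") != ALG:    # rejects "none" and any algorithm we did not issue
        return None
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None                 # a missing exp would mean unbounded lifetime
    if claims.get("jti") in REVOKED_JTI:
        return None
    return claims
```

The order of checks matters: the signature is verified before any claim is trusted, and the revocation lookup is the only step that needs server-side state, which is exactly the trade-off the paragraph above describes.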

Authorization Management Design (RBAC)

Role‑Based Access Control (RBAC) answers who may do what on which resource. It separates users, roles, and permissions: a permission (a resource plus an action) is granted to a role, roles are assigned to users, and an operation is allowed only if one of the user's roles carries the required permission. Evaluate the check on the server for every request and deny by default, so an unknown user or an ungranted permission never succeeds.
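As an added Python example (not code from the original article), the following models the three-layer design just described, goes one step further with role inheritance (a manager inherits everything a clerk can do), and exposes the check both as a function and as a decorator for request handlers. The roles viewer, clerk and manager, the "invoice" resource and the users alice and bob are a constructed policy for the example.

```python
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Dict, Set, Tuple

Permission = Tuple[str, str]   # (resource, action), e.g. ("invoice", "approve")


@dataclass
class Rbac:
    role_perms: Dict[str, Set[Permission]] = field(default_factory=dict)
    role_parents: Dict[str, Set[str]] = field(default_factory=dict)  # role -> roles it inherits
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)

    def grant(self, role: str, resource: str, action: str) -> None:
        self.role_perms.setdefault(role, set()).add((resource, action))

    def inherit(self, role: str, parent: str) -> None:
        """role gets everything parent has (e.g. manager inherits clerk)."""
        for r in (role, parent):
            self.role_perms.setdefault(r, set())
        self.role_parents.setdefault(role, set()).add(parent)

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def unassign(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def effective_roles(self, user: str) -> Set[str]:
        """Directly assigned roles plus everything they inherit (cycle-safe)."""
        seen, todo = set(), list(self.user_roles.get(user, ()))
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.role_parents.get(r, ()))
        return seen

    def permissions_of(self, user: str) -> Set[Permission]:
        return set().union(*(self.role_perms[r] for r in self.effective_roles(user)))

    def is_allowed(self, user: str, resource: str, action: str) -> bool:
        """Deny by default: unknown users and ungranted permissions both return False."""
        return (resource, action) in self.permissions_of(user)

    def require(self, resource: str, action: str) -> Callable:
        """Decorator for handlers whose first argument is the authenticated user."""
        def deco(fn):
            @wraps(fn)
            def guarded(user, *args, **kwargs):
                if not self.is_allowed(user, resource, action):
                    raise PermissionError(f"{user} may not {action} {resource}")
                return fn(user, *args, **kwargs)
            return guarded
        return deco


def build_demo() -> Rbac:
    """Constructed policy: viewer < clerk < manager on an 'invoice' resource."""
    rbac = Rbac()
    rbac.grant("viewer", "invoice", "read")
    rbac.grant("clerk", "invoice", "create")
    rbac.grant("manager", "invoice", "approve")
    rbac.inherit("clerk", "viewer")
    rbac.inherit("manager", "clerk")
    rbac.assign("alice", "manager")
    rbac.assign("bob", "clerk")
    return rbac


RBAC = build_demo()


@RBAC.require("invoice", "approve")
def approve_invoice(user: str, invoice_id: int) -> str:
    return f"invoice {invoice_id} approved by {user}"
```

Keeping permissions on roles rather than on users is what makes the model manageable: removing a role from a user withdraws every permission it carried in one step, and a new permission added to a role reaches every holder without touching user records.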

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Backend Development, Authentication, JWT, OAuth2, Authorization, RBAC
Written by Lin is Dream

Sharing Java developer knowledge, practical articles, and continuous insights into computer engineering.
