Session, cookie, JWT, token, SSO, and OAuth 2.0 - what are they?

These terms are all related to user identity management. When you log into a website, you declare who you are (identification). Your identity is verified (authentication), and you are granted the necessary permissions (authorization). Many solutions have been proposed in the past, and the list keeps growing.

From simple to complex, here is my understanding of user identity management:

  • WWW-Authenticate is the most basic method. You are asked for the username and password by the browser. As a result of the inability to control the login life cycle, it is seldom used today.

  • Session-cookie gives finer control over the login life cycle. The server maintains session storage, and the browser keeps the ID of the session. A cookie usually only works with browsers and is not mobile app friendly.

  • To address the compatibility issue, the token can be used. The client sends the token to the server, and the server validates the token. The downside is that the token needs to be encrypted and decrypted, which may be time-consuming.

  • JWT is a standard way of representing tokens. This information can be verified and trusted because it is digitally signed. Since JWT contains the signature, there is no need to save session information on the server side.

  • By using SSO (single sign-on), you can sign on only once and log in to multiple websites. It uses CAS (central authentication service) to maintain cross-site information.

  • By using OAuth 2.0, you can authorize one website to access your information on another website.
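As an added example (not code from the original post), here is a minimal HS256 JWT mint-and-verify in Python using only the standard library; the key and claims are constructed values. It shows the stateless check the JWT item describes: the server needs only its signing key, no session store, and a tampered payload, a wrong key, an expired token, or a header that tries to switch the algorithm are all rejected.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment uses a long random secret from a key store.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    """JWT uses base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes, now=None):
    """Return the claims if the signature and expiry check out, else None."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    # Pin the algorithm: the verifier decides how to check, never the header.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


if __name__ == "__main__":
    token = mint_jwt({"sub": "alice", "exp": int(time.time()) + 300}, DEMO_KEY)
    print(token)
    print(verify_jwt(token, DEMO_KEY))
```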