<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en-GB">
	<id>https://knowledgebase.pirho.net/index.php?action=history&amp;feed=atom&amp;title=Modern_Authentication_Architecture</id>
	<title>Modern Authentication Architecture - Revision history</title>
	<link rel="self" type="application/atom+xml" href="https://knowledgebase.pirho.net/index.php?action=history&amp;feed=atom&amp;title=Modern_Authentication_Architecture"/>
	<link rel="alternate" type="text/html" href="https://knowledgebase.pirho.net/index.php?title=Modern_Authentication_Architecture&amp;action=history"/>
	<updated>2026-07-11T12:52:01Z</updated>
	<subtitle>Revision history for this page on the wiki</subtitle>
	<generator>MediaWiki 1.43.0</generator>
	<entry>
		<id>https://knowledgebase.pirho.net/index.php?title=Modern_Authentication_Architecture&amp;diff=392&amp;oldid=prev</id>
		<title>Dex: Created page with &quot;= Modern Authentication Architecture =  &#039;&#039;&#039;Summary:&#039;&#039;&#039; Modern authentication systems often appear complex because multiple concerns are blurred together: authentication, authorization, session continuity, revocation, and user experience. This article separates those responsibilities, explains the role of OAuth, OpenID Connect (OIDC), SAML, WebAuthn, and non-HTTP mechanisms, and describes practical approaches to sessions and revocation suitable for a reusable authenticati...&quot;</title>
		<link rel="alternate" type="text/html" href="https://knowledgebase.pirho.net/index.php?title=Modern_Authentication_Architecture&amp;diff=392&amp;oldid=prev"/>
		<updated>2026-04-19T17:25:24Z</updated>

		<summary type="html">&lt;p&gt;Created page with &amp;quot;= Modern Authentication Architecture =  &amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039; Modern authentication systems often appear complex because multiple concerns are blurred together: authentication, authorization, session continuity, revocation, and user experience. This article separates those responsibilities, explains the role of OAuth, OpenID Connect (OIDC), SAML, WebAuthn, and non-HTTP mechanisms, and describes practical approaches to sessions and revocation suitable for a reusable authenticati...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;= Modern Authentication Architecture =&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
Modern authentication systems often appear complex because multiple concerns are blurred together: authentication, authorization, session continuity, revocation, and user experience.&lt;br /&gt;
This article separates those responsibilities, explains the role of OAuth, OpenID Connect (OIDC), SAML, WebAuthn, and non-HTTP mechanisms, and describes practical approaches to sessions and revocation suitable for a reusable authentication core such as &amp;#039;&amp;#039;&amp;#039;AuthEngine&amp;#039;&amp;#039;&amp;#039;.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
Authentication is not a web invention. Long before HTTP, systems authenticated users, devices, and services using directories, tickets, and possession of cryptographic material.&lt;br /&gt;
&lt;br /&gt;
What has changed is scale, client diversity, token lifetime, threat models, and the need for horizontal scalability. Most confusion arises when these concerns are treated as one problem instead of several smaller ones.&lt;br /&gt;
&lt;br /&gt;
== Core Responsibility Boundaries ==&lt;br /&gt;
&lt;br /&gt;
=== Authentication ===&lt;br /&gt;
Authentication answers the question: &amp;#039;&amp;#039;Who are you?&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
An authentication mechanism evaluates credentials, proves identity, and produces an authentication event.&lt;br /&gt;
Examples include passwords with MFA, WebAuthn, SAML assertions, Kerberos tickets, LDAP binds, and mTLS client certificates.&lt;br /&gt;
&lt;br /&gt;
Authentication produces proof, not continuity.&lt;br /&gt;
&lt;br /&gt;
=== Authorization ===&lt;br /&gt;
Authorization answers the question: &amp;#039;&amp;#039;What are you allowed to do?&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
Authorization evaluates policy, applies scopes or entitlements, and makes permit or deny decisions. These decisions are typically expressed as signed artefacts.&lt;br /&gt;
&lt;br /&gt;
=== Session / Continuity ===&lt;br /&gt;
Sessions answer the question: &amp;#039;&amp;#039;Are you still trusted over time?&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
Sessions belong to applications or platforms. They are not defined by OAuth, OIDC, or SAML.&lt;br /&gt;
&lt;br /&gt;
=== Revocation ===&lt;br /&gt;
Revocation defines when trust stops before natural expiry.&lt;br /&gt;
&lt;br /&gt;
== Tokens Are Assertions, Not Sessions ==&lt;br /&gt;
OAuth and OIDC tokens are frequently misused as sessions.&lt;br /&gt;
&lt;br /&gt;
Tokens are signed, time-limited assertions. They prove something was true at time T, not that it is still true now.&lt;br /&gt;
&lt;br /&gt;
== OAuth, OIDC, and SAML ==&lt;br /&gt;
&lt;br /&gt;
=== OAuth 2.0 ===&lt;br /&gt;
OAuth is an authorization framework. It issues access and refresh tokens and does not define login.&lt;br /&gt;
&lt;br /&gt;
=== OpenID Connect (OIDC) ===&lt;br /&gt;
OIDC is an authentication layer on top of OAuth and introduces the ID Token for client-side authentication.&lt;br /&gt;
&lt;br /&gt;
=== SAML ===&lt;br /&gt;
SAML is an authentication assertion protocol, still widely used in enterprise environments. SAML assertions are conceptually equivalent to OIDC ID Tokens.&lt;br /&gt;
&lt;br /&gt;
== Token Types and Audiences ==&lt;br /&gt;
&lt;br /&gt;
=== Access Tokens ===&lt;br /&gt;
* Audience: APIs&lt;br /&gt;
* Purpose: Authorization&lt;br /&gt;
* Contents: Scopes and permissions&lt;br /&gt;
&lt;br /&gt;
=== ID Tokens ===&lt;br /&gt;
* Audience: Applications&lt;br /&gt;
* Purpose: Authentication proof&lt;br /&gt;
* Not suitable for APIs&lt;br /&gt;
&lt;br /&gt;
=== Refresh Tokens ===&lt;br /&gt;
* Audience: Authorization server&lt;br /&gt;
* Purpose: Obtain new access tokens&lt;br /&gt;
&lt;br /&gt;
== Stateless and Stateful Continuity ==&lt;br /&gt;
&lt;br /&gt;
=== Stateless Continuity ===&lt;br /&gt;
Stateless continuity relies on short-lived tokens, offering horizontal scalability and simple validation, but logout becomes eventual.&lt;br /&gt;
&lt;br /&gt;
=== Stateful Continuity ===&lt;br /&gt;
Stateful continuity introduces minimal shared state such as Redis or databases to allow immediate revocation and strong logout semantics.&lt;br /&gt;
&lt;br /&gt;
== Revocation: Why There Are No Token CRLs ==&lt;br /&gt;
PKI revokes artefacts such as certificates. OAuth systems revoke authority continuity. Tokens are short-lived and disposable by design, making CRL-style revocation impractical.&lt;br /&gt;
&lt;br /&gt;
== Effective Revocation Patterns ==&lt;br /&gt;
&lt;br /&gt;
=== Refresh Token Families ===&lt;br /&gt;
Each login creates a refresh token family. Revoking the family ends the session.&lt;br /&gt;
&lt;br /&gt;
=== Epoch / Generation Numbers ===&lt;br /&gt;
Tokens include a generation number which can be invalidated by incrementing the authoritative version.&lt;br /&gt;
&lt;br /&gt;
=== last_invalid_before ===&lt;br /&gt;
A single timestamp invalidates all tokens issued before a given moment.&lt;br /&gt;
&lt;br /&gt;
== Authentication Mechanisms Beyond HTTP ==&lt;br /&gt;
Authentication can occur via non-HTTP mechanisms such as LDAP, Kerberos, RADIUS, TACACS+, mTLS, PAM, and GSSAPI. AuthEngine consumes authentication events, not protocols.&lt;br /&gt;
&lt;br /&gt;
== WebAuthn ==&lt;br /&gt;
WebAuthn provides phishing-resistant authentication but does not provide authorization, sessions, or tokens. Tokens are still issued after successful authentication.&lt;br /&gt;
&lt;br /&gt;
== JavaScript and Authentication ==&lt;br /&gt;
AuthEngine does not depend on JavaScript. JavaScript enables smooth client-side experiences but is not required for security or correctness.&lt;br /&gt;
&lt;br /&gt;
== The Role of AuthEngine ==&lt;br /&gt;
AuthEngine authenticates requests, authorizes actions, issues and validates tokens, enforces revocation, and returns accurate response codes. UX decisions remain at the application layer.&lt;br /&gt;
&lt;br /&gt;
== Key Insight ==&lt;br /&gt;
&amp;#039;&amp;#039;Stability lives in rules, not artefacts.&amp;#039;&amp;#039;&lt;br /&gt;
&lt;br /&gt;
Token shapes change frequently. Systems remain stable by adjusting acceptance rules rather than chasing individual artefacts.&lt;br /&gt;
&lt;br /&gt;
== Related Topics ==&lt;br /&gt;
* [[OAuth 2.0 Access Tokens]]&lt;br /&gt;
* [[OpenID Connect ID Tokens]]&lt;br /&gt;
* [[Session Management Patterns]]&lt;br /&gt;
* [[Token Revocation Strategies]]&lt;br /&gt;
* [[WebAuthn]]&lt;br /&gt;
* [[Mutual TLS]]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
* RFC 6749 – OAuth 2.0&lt;br /&gt;
* OpenID Connect Core 1.0&lt;br /&gt;
* RFC 4120 – Kerberos&lt;br /&gt;
* W3C Web Authentication&lt;/div&gt;</summary>
		<author><name>Dex</name></author>
	</entry>
</feed>