Introduction to Web Authentication Demystified — From Concepts to Real-World
A practical introduction to modern authentication standards, flows, and the core ideas that power secure user login on the web.

Web authentication is central to almost everything we build today, yet it remains one of the most misunderstood areas of modern development. The internet is filled with buzzwords (OAuth, OpenID Connect, JWT, sessions, tokens, PKCE), but it is often unclear how these pieces fit together, when to use one flow over another, or how real systems implement authentication behind the scenes.

This series aims to bridge that gap. We’ll start from the ground up, demystifying the building blocks of identity and login on the web, then move through the major authentication flows used across the industry, exploring their strengths, trade-offs, and ideal use cases.

Once the foundations are solid, we’ll move from theory to practice and walk through a complete real-world implementation built in 2021: the authentication system powering a production HumHub/Yii application, integrated with an external Identity Provider, Redis-backed session management, and CloudFront-protected content delivery. By the end, you’ll understand not only how modern authentication works, but also why certain design choices matter in real applications, and how to make informed decisions for your own systems.
Disclaimer: Because this implementation was built in 2021, newer ways of implementing some of these pieces may exist today.
🔷 Structure of the Series
Arc 1 — Foundations: general concepts, theory, industry standards, flows.
Arc 2 — Applied Implementation: my web app design, the architecture, the lessons learned.
🟦 ARC 1 — FOUNDATIONS OF USER AUTHENTICATION
Article 1 — What Is User Authentication? The Basics Explained
Goal: Introduce core concepts in simple language.
Key topics:
What “authentication” and “authorization” actually mean
Users, credentials, sessions, identity
Stateful vs stateless authentication (high-level)
Where authentication fits in a modern web architecture
Why authentication is hard (security, UX, scale)
Overview of industry standards (OAuth2, OIDC, SAML, JWT, Sessions)
Article 2 — Token Types Explained: ID Tokens, Access Tokens, Refresh Tokens, Opaque Tokens & JWTs
Goal: Build conceptual clarity about tokens.
Key topics:
What tokens are and why they exist
ID token vs Access token vs Refresh Token
Bearer tokens vs Proof-of-Possession
JWT structure (header, payload/claims, signature)
Claims: sub, iss, aud, exp, nonce, etc.
Opaque tokens and introspection
When you should or shouldn’t use JWT
Article 3 — Understanding OAuth2 & OpenID Connect (OIDC)
Goal: Explain the major identity protocols used today.
Key topics:
OAuth2: purpose, history, limitations
OIDC: What it adds on top of OAuth2
IdP vs OAuth vs OIDC (differences)
Standard endpoints (authorize, token, jwks, userinfo)
Where tokens come from and how they’re validated
Role of claims and scopes
Article 4 — Authentication Flows: Choosing the Right One
Goal: Explain all major flows and help developers know when to use which.
Flows to cover:
OAuth2 Authorization Code Flow
Authorization Code + PKCE
Implicit Flow (why it’s obsolete)
Client Credentials (service-to-service)
Device Code Flow
Resource Owner Password Flow (why it's bad)
Refresh Token Flow
Hybrid OIDC Flow (optional)
Sections:
Flow diagrams (simple)
Pros & cons of each
Real-world recommendations for web apps, SPAs, mobile, microservices
"Choosing a flow: a decision framework"
Article 5 — Sessions vs Token-Based Authentication
Goal: Bridge theory → practice.
Topics:
Stateful sessions (PHP session, Redis-backed session, server authority)
Stateless JWT-based authentication
Hybrid token-to-session strategies (like my implementation)
Cookie vs localStorage vs memory
Logout, revocation, rotation
Security implications of each
🟩 ARC 2 — APPLYING THE THEORY: MY REAL IMPLEMENTATION
Article 6 — Architecture Overview of the Web App Authentication System
Goal: Present my real system at a high level.
Topics:
System diagram explanation
Components: HumHub/Yii app, Redis, IdP, CloudFront, DB
How requests flow
What each part does
Why the system is hybrid (IdP + server session)
Strengths of this design
Where it deviates from textbook OIDC
Article 7 — Deep Dive: The User Authentication Flow in Web App
Goal: Walk step-by-step through the real login flow.
Topics:
Browser → Web App → IdP → callback
Access token returned from IdP
Token validation & identity mapping
Local user provisioning (user_auth table)
Creating PHP session stored in Redis
Setting session cookies
Generating CloudFront signed cookies
Error & edge cases: disabled users, missing mapping, invalid tokens
Why this hybrid approach works well for PHP systems
Article 8 — Security Analysis of the Web App Authentication System
Goal: Explain how secure it is, what threats were considered, and what best practices I applied.
Topics:
CSRF protection (state parameter)
Replay protection (nonce)
Token validation & signature checks
Session fixation prevention
Cookie security (SameSite, HttpOnly, Secure)
Short-lived CloudFront policies
Potential improvements (PKCE, ID tokens, token rotation, mTLS, etc.)
Logging, monitoring, audit trails
Article 9 — Lessons Learned & Practical Advice for Developers
Goal: Wrap up the series with real-world insights.
Topics:
Why real systems don’t match textbook examples
What went well in my implementation
What was tricky (session handling, provisioning, CDN cookies)
Advice for teams adding an external IdP to legacy or session-based systems
If I were to redesign it today, what would I change?
🔷 Optional Bonus Articles
➤ Implementing an OIDC Callback in PHP/Yii/HumHub (with code examples)
➤ CloudFront Signed Cookies — How They Work and Why We Used Them
➤ Redis as a Session Store for Scalable Web Architecture
➤ Comparing OAuth2, OIDC, and SAML with real examples
🔷 Summary of the Entire Series Structure
ARC 1 — FOUNDATIONS
Basics of Authentication
Tokens Explained
OAuth2 & OIDC Overview
The Authentication Flows
Sessions vs Token Auth
ARC 2 — MY IMPLEMENTATION
Web App Auth System Architecture Overview
Deep-Dive into the Web App Auth Flow
Security Review / Best Practices
Lessons Learned & Practical Guidance