Quick Start
Authentication is the process of verifying that a user is who they claim to be. It answers the question: who is the user?
Example: a user enters their login credentials to connect to the application.
Authorization, also known as access control, is the process of determining what an authenticated user is allowed to do. It answers the question: does the user have the right to do what they are asking?
Example: a user tries to access the administrator page.
This document focuses on explaining how authentication works in B2B de Orbitas and gives several code examples to get started quickly. Further explanations are given in other pages of the documentation.
The Basics
The authentication system in our B2B solutions is designed to satisfy the requirements of standard security testing. It covers three things: verifying credentials, issuing a token, and validating that token on every later request. The options it supports are summarised below.
| Auth support | Options |
|---|---|
| Kind of application | API, B2B access, mobile + API |
| State management | Stateful (session tokens), stateless (JSON Web Tokens) |
| Credentials | Passwords, social login |
| Token storage | Cookies, localStorage, mobile, etc. |
Whatever architecture you choose, the authentication process always follows the same pattern.
Step 1: the user logs in.
In some architectures this step is delegated to an external identity provider (Google, Auth0, etc.).
- Verify the credentials (email and password, username and password, social login, etc.). Compare password hashes, never plaintext, and use a constant-time comparison.
- Generate a token (stateless or stateful).
- Return the token to the client (in a cookie, in the response body or in a header). If it goes in a cookie, set the HttpOnly, Secure and SameSite attributes; a token kept in localStorage is readable by any script running on the page.
Step 2: once logged in, the user remains authenticated on subsequent requests.
- On each request, receive and check the token, and load the associated user if the token is valid; reject the request otherwise.

Using JSON Web Tokens
When using stateless authentication with JWT, the server keeps no session record, so the token itself carries its expiry and you must manage renewal yourself: an expired token must be rejected on every check, and the client has to obtain a fresh token (by logging in again, or through a renewal step you provide before the current token expires).