JWT authentication

HTTP is a stateless protocol, so plain HTTP authentication requires the client to present its credentials with every request. For stateful applications this becomes a problem, because the user would be prompted to log in for every action they perform. For example, once a user logs in to a shopping cart application, they expect to keep selecting items and checking out until they are done shopping. The legacy solution for such scenarios was session-based authentication, which uses server-side sessions to maintain the authenticated state of a client.

In session-based authentication, once the user has been authenticated, the server creates a session ID and returns it in the HTTP response as a cookie; the client then sends that cookie with every subsequent request to the server. Until the user logs out of the application or the session expires, the client can continue to use the application. This is illustrated in the following diagram:

The preceding pattern works well for monolithic applications, but not for hybrid applications, where the different functionalities of an application are implemented as separate services, each deployed in its own container. Modern single-page web applications and mobile applications have to interact with multiple backend services hosted on different servers to fetch their data. For example, a user's home page may display a weather forecast based on the user's location and a stock ticker based on the trading account held by the user. Since the weather forecast service and the stock ticker service may be hosted on different servers, sharing the session cookie between them is not possible.

What is the solution for hybrid applications if session-based authentication fails?

Let me give a clue. Session-based authentication can be considered analogous to legacy lockers. Think about opening the main door of a house using keys and getting access to the house. In this case, anyone with the relevant keys for the main door lock can log in to the house. Hmm!

Digital transformation helps to address the aforementioned security concern. The solution is to replace the legacy keys with electronic keys whose access grants are customized to the specific user. Take the case of an employee ID card: before the card is issued, the employee's details are verified; the card then grants access to the organization's common floor or a specific department while prohibiting access to other departments or secure data centers. The access granted is also time-bound and can be revoked when required. The best part of digital keys is that they can be used across multiple locations. JSON Web Token (JWT) is similar in concept to a digital key; it follows a token-based authentication approach. In token-based authentication, the user supplies credentials to the Auth Server to acquire a token with a predefined validity, and that token is then presented to access resources according to the claims it carries for the user:
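The token flow just described, as an added example that is not part of the original text: an Auth Server issues an HS256-signed JWT carrying the user's claims and an expiry, and any resource server that holds the same key (the weather and stock services on different hosts, in the earlier scenario) verifies the signature and validity window locally, with no shared session store. The secret, user names and scope names are constructed for illustration; the code uses only the Python standard library.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for this example only; in a real deployment the key is
# provisioned to the Auth Server and every resource server out of band (assumption).
SECRET = b"example-shared-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url for all three segments.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, claims: dict, ttl_seconds: int, now: int, key: bytes = SECRET) -> str:
    """Auth Server side: sign a JWT with the user's claims and a predefined validity."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ttl_seconds, **claims}
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


def verify_token(token: str, now: int, key: bytes = SECRET) -> Optional[dict]:
    """Resource server side: check algorithm, signature and expiry; return claims or None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm we issued; never trust 'alg' from the token to pick a verifier.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        # Constant-time comparison so a forged signature cannot be matched byte by byte.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers bad base64, bad JSON and wrong segment count
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None  # token outside its validity window
    return payload


def authorize(token: str, required_scope: str, now: int, key: bytes = SECRET) -> bool:
    """A service decides access purely from the verified claims, no session lookup needed."""
    claims = verify_token(token, now, key)
    return claims is not None and required_scope in claims.get("scope", [])


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed login time
    token = issue_token("alice", {"scope": ["weather:read", "stocks:read"]}, 900, t0)
    print(token)
    print("weather service:", authorize(token, "weather:read", t0 + 10))
    print("stocks write:", authorize(token, "stocks:write", t0 + 10))
    print("after expiry:", authorize(token, "weather:read", t0 + 901))
```

Because validity lives inside the signed token, the only way to cut a token short before `exp` is to keep its lifetime short (or maintain a revocation list on the resource side), which is the practical cost of dropping the server-side session.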
