Apa mekanisme autentikasi umum (sessions, JWT, OAuth)?

Question

Accepted Answer

Aplikasi modern nggunakake macem-macem **mekanisme autentikasi** — berbasis session, berbasis token (JWT), lan autentikasi delegasi (OAuth/OpenID Connect). Mangerteni kepiye saben-saben bisa nggenah, lan trade-off-e, penting banget kanggo implementasi autentikasi sing aman.

## Autentikasi berbasis session

```text
SESSION-based (traditional):
  → user logs in → server creates a SESSION (stored server-side) → sends a session ID
    cookie → the browser sends it with each request → server looks up the session
  ✓ server controls sessions (easy to revoke); simple; cookie auto-sent
  ✗ stateful (server stores sessions); scaling needs shared session storage
```

## Berbasis token (JWT)

```text
JWT (JSON Web Token):
  → user logs in → server issues a SIGNED token containing claims (user id, etc.) →
    client stores it → sends it (usually in an Authorization header) per request →
    server VERIFIES the SIGNATURE (no server-side lookup needed)
  ✓ STATELESS (scales easily; no session store); works well for APIs/SPAs/mobile
  ✗ hard to REVOKE before expiry (it's self-contained) → use short expiry + refresh tokens
  ⚠️ store securely; don't put secrets in the (readable) payload; validate properly
```

## OAuth 2.0 / OpenID Connect

```text
OAUTH 2.0 → DELEGATED AUTHORIZATION ("Log in with Google/GitHub"):
  → let users authenticate via a third party without sharing their password with your app
  → your app gets a token to access permitted resources (scoped)
OPENID CONNECT (on top of OAuth) → adds AUTHENTICATION (identity) → standard for SSO/
  social login
→ delegate auth to trusted providers; users don't create another password.
```

## Apa dampake

Mangerteni mekanisme autentikasi umum penting banget jalaran **autentikasi iku asale paling aplikasi**, lan milih lan implementasi sing bener iku mempengaruhi keamanan lan arsitektur, dadi iku ilmu sing penting.

Mekanisme-mekanisme utama saben-saben duwe karekteristik lan trade-off. **Autentikasi berbasis session** (session server-side karo session-ID cookie) kasih kontrol server nang session (revokasi mudah) tapi stateful (butuh session storage sing dibagi supaya bisa scalable). **JWT (berbasis token)** autentikasi (token sing ditandatangani sing self-contained diverifikasi tanpa server lookup) iku **stateless** (scalable gampang, tansaya apik kanggo APIs, SPAs, lan mobile) tapi duwe trade-off sing nyata yaiktu **token-e susah direvokasi sadurunge expiry** (jalaran self-contained, butuh expiry cepet plus refresh tokens) lan kudu disimpen kanthi aman tanpa secret ing payload sing bisa dibaca — mangerteni JWT considerations iki penting jalaran JWT umum tapi sering salah nggunakake. **OAuth 2.0 lan OpenID Connect** (autentikasi delegasi — "Log in karo Google/GitHub") ngidini user autentikasi via trusted third parties tanpa berbagi password karo aplikasi mu, standar kanggo SSO lan social login.

Mangerteni mekanisme-mekanisme iki, kepiye bisa nggenah, lan **trade-off**-e (session statefulness lan revokasi gampang vs JWT statelessness lan kesusahan revokasi; OAuth kanggo delegasi autentikasi) penting banget kanggo milih pendekatan sing bener (session kanggo web app tradisional karo kontrol server, JWT kanggo APIs stateless, OAuth kanggo delegasi/social login) lan implementasi kanthi aman.

Autentikasi iku fundamental, lan nggatekake kanthi bener (mekanisme sing bener, implementasi sing aman) iku kritis banget kanggo keamanan.

Jalaran autentikasi iku fundamental kanggo paling aplikasi lan mekanisme-mekanisme (sessions, JWT, OAuth) duwe perbedaan penting lan trade-off sing mempengaruhi keamanan lan arsitektur, lan jalaran mangerteni iku butuh kanggo implementasi autentikasi kanthi bener, mangerteni mekanisme autentikasi umum iku ilmu keamanan sing penting lan bisa praktek — penting banget kanggo butuhan fundamental autentikasi, ngijini pilihan sing bener antarane sessions, JWT, lan OAuth lan implementasi sing aman-e, topik kunci kanggo nggawe aplikasi sing aman karo autentikasi sing bener.