...

| Authentication Mechanism | Used By | Description | Protection Level |
| --- | --- | --- | --- |
| Session Login | End-Users | Restricts access to specific routes by validating the request's session ID. An end-user who does not hold an approved session ID must authenticate on a login page with a username and password. If the login succeeds, the end-user's session ID becomes active. | Web pages with restricted functions. |
| OAuth2 (RFC6749) | Applications | Restricts access to specific routes by validating an access token in the request's header. An application that does not hold an active access token must request one from the OAuth2 authorisation server. Each route is tagged with one or more 'scopes', which group protected resources. An access token is associated with a list of scopes and provides access only to resources tagged with those scopes. | Restricted REST resources. |
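
The scope check described in the OAuth2 row, as an added example that is not code from this page or its project: a guard that maps each route to its scope tags and answers with the RFC 6750 bearer-token status codes. The routes, scope names, tokens and realm are constructed, and it assumes a token must carry every scope tagged on a route, which the page does not specify.

```python
import time

# Constructed sample data: route -> scopes tagged on it, and an opaque-token store.
ROUTE_SCOPES = {
    ("GET", "/api/orders"): {"orders:read"},
    ("POST", "/api/orders"): {"orders:write"},
    ("GET", "/api/reports"): {"orders:read", "reports:read"},
}
TOKENS = {
    "tok-reader": {"scopes": {"orders:read"}, "expires_at": time.time() + 3600},
    "tok-expired": {"scopes": {"orders:read", "orders:write"},
                    "expires_at": time.time() - 1},
}


def challenge(status, error=None, scope=None):
    """Build a status code and WWW-Authenticate header in the RFC 6750 style."""
    parts = ['Bearer realm="api"']
    if error:
        parts.append(f'error="{error}"')
    if scope:
        parts.append(f'scope="{scope}"')
    return status, {"WWW-Authenticate": ", ".join(parts)}


def authorize(method, path, headers, now=None):
    """Return (status, response_headers) for a request to a scope-tagged route."""
    now = time.time() if now is None else now
    required = ROUTE_SCOPES.get((method, path))
    if required is None:
        return 404, {}  # route is not served by this guard
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer":
        return challenge(401)  # no bearer credentials: challenge without error code
    if not token.strip():
        return challenge(400, "invalid_request")
    record = TOKENS.get(token.strip())
    if record is None or record["expires_at"] <= now:
        # Unknown and expired tokens get the same answer on purpose.
        return challenge(401, "invalid_token")
    # Assumption: the token must hold ALL scopes tagged on the route.
    if not required <= record["scopes"]:
        return challenge(403, "insufficient_scope", " ".join(sorted(required)))
    return 200, {}
```

A 401 tells the application to obtain a new token from the authorisation server, while a 403 with `insufficient_scope` tells it that the token is valid but does not cover this route.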

...