Comprehensive Overview of Authentication: From Historical Tokens to Modern OAuth 2.0 and WeChat Mini‑Program Practices
The article surveys authentication from ancient token methods to modern password and session techniques, explains OAuth 2.0 flows and their adaptation for WeChat Mini‑Programs—including access‑token retrieval, simplified client‑credentials grants, and cloud‑call automation—while also previewing future trends such as biometrics, blockchain‑based decentralization, and AI‑driven trust models.
The article presents a thorough discussion of authentication (鉴权) across various contexts, emphasizing that authentication is fundamentally about proving identity and determining the actions a user is permitted to perform.
1. Ubiquitous Authentication – Real‑world examples such as identity cards, ancient “照身帖”, and the “鱼符” are described as early token‑based authentication methods. These historical tokens are likened to modern password‑based authentication, both belonging to the token‑based authentication category.
2. Simple Password Authentication – A metaphor of a lock and key illustrates how a password (or token) grants access to resources. The characteristics of a password‑based system are listed: it is simple, and its security rests on the cost of forging or obtaining the secret.
3. Authentication Optimization – Frequent authentication scenarios can be optimized by retaining authentication state (e.g., session, cookie, token) for a limited period, reducing the need for repeated credential verification.
4. Third‑Party Authentication – OAuth 2.0 – The need for a trusted third party to validate tokens is introduced, followed by a detailed description of the OAuth 2.0 flow, especially the web‑server grant type. The steps are illustrated with code‑style parameters such as appid, appkey, and temporary token exchanges.
Example flow (simplified):
1) The user clicks a third‑party login button.
2) The browser redirects to the third‑party login page with the appid and callback URL.
3) After the user authenticates, the third party redirects back with a temporary token.
4) The server exchanges the temporary token and appkey for the user's information.
5. Authentication in WeChat Mini‑Programs – Mini‑program server APIs require an access_token parameter. The token is obtained via the auth.getAccessToken interface, whose request and response structures are shown in the original diagrams.
Typical usage: access_token is passed with each API call to prove the mini‑program’s permission to act on behalf of a user.
6. Simplified OAuth 2.0 for Mini‑Programs – The mini‑program obtains an access_token by sending appid and secret to the Authorization Server (grant_type=client_credentials). The token (usually valid for 2 hours) is then used to call the Resource Server.
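The client‑credentials exchange above, as an added server‑side example (not code from the original article or from WeChat's SDK): the secret stays on the server, the token is cached for its lifetime, and it is renewed a few minutes early so a call never goes out with a token about to expire. TOKEN_ENDPOINT, the exact field names and the fake Authorization Server are assumptions modelled on the article's description.

```javascript
// Added example, not code from the original article or from WeChat's SDK.
// TOKEN_ENDPOINT and the field names are assumptions modelled on the article.
const TOKEN_ENDPOINT = "https://example.invalid/token"; // placeholder URL

class AccessTokenCache {
  // requestJson(url) -> parsed JSON body; injected so the example runs offline
  constructor({ appid, secret, requestJson, now = () => Date.now(), marginSeconds = 300 }) {
    this.appid = appid;
    this.secret = secret; // stays server-side; never ship it to the mini-program client
    this.requestJson = requestJson;
    this.now = now;
    this.marginSeconds = marginSeconds;
    this.token = null;
    this.expiresAt = 0; // ms timestamp after which the cached token is not reused
    this.requests = 0;  // how many times the Authorization Server was called
  }

  getToken() {
    if (this.token !== null && this.now() < this.expiresAt) return this.token;
    const params = new URLSearchParams({
      grant_type: "client_credentials",
      appid: this.appid,
      secret: this.secret,
    });
    const body = this.requestJson(`${TOKEN_ENDPOINT}?${params}`);
    this.requests += 1;
    if (!body || typeof body.access_token !== "string" || !Number.isFinite(body.expires_in)) {
      // never cache a failure, and do not echo the secret into the error message
      this.token = null;
      throw new Error(`token request failed: ${body && body.error ? body.error : "bad response"}`);
    }
    this.token = body.access_token;
    // renew marginSeconds early so a token is never used right at expiry
    this.expiresAt = this.now() + Math.max(0, body.expires_in - this.marginSeconds) * 1000;
    return this.token;
  }
}

// Constructed stand-in for the Authorization Server: issues a new token on
// each call, valid for 7200 s (the roughly 2 hour lifetime the article mentions).
function makeFakeAuthServer() {
  let issued = 0;
  return (url) => {
    const q = new URL(url).searchParams;
    if (q.get("grant_type") !== "client_credentials") return { error: "unsupported_grant_type" };
    if (!q.get("appid") || !q.get("secret")) return { error: "invalid_client" };
    issued += 1;
    return { access_token: `tok-${issued}`, expires_in: 7200 };
  };
}
```

In a real deployment requestJson would wrap an HTTP client call to the platform's token interface, and the cache would be shared by every Resource Server call the backend makes.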
7. Cloud Call – Authentication‑Free Mechanism – WeChat Cloud Development introduces “cloud call”, allowing mini‑programs to invoke server‑side APIs without manually fetching an access_token. By using the wx-server-sdk within a cloud function, the platform automatically handles authentication, greatly simplifying the architecture.
The article concludes with a forward‑looking discussion on future authentication trends, including biometric methods, decentralized authentication using blockchain, and machine‑learning‑driven trust models.
Tencent Cloud Developer
Official Tencent Cloud community account that brings together developers, shares practical tech insights, and fosters an influential tech exchange community.