One of the initiatives inside my company right now consists of working groups, each focused on a particular language/paradigm/idiom/etc. One of my working groups is the API working group, where we are trying to come up with prescriptive guidance on building APIs.
I am responsible for defining authentication approaches, which led me to today’s question:
Is session-based authentication dead?
With the evolution of OAuth2.0 to OpenID Connect, session-based authentication is not even in the running for APIs, which makes sense. Taking this one step further, the movement of “all the things” to microservices and APIs along the well-known issues of session authentication, is it possible that the authentication that built the web is taking its last breath?
Thoughts? Am I just late to the game?