Lizard-auth-server is the basis for our Single Sign On server. So: someone only has to log in on this one website and is then (semi-)automatically logged in on our other websites.

The previous version was much too complex, mostly because it mixed authentication and authorization. The new SSO only deals with authentication.

Authentication means logging in. You prove who you are by giving your username and password (or a JWT). “I am Reinout van Rees”.

Authorization means determining what you’re allowed to do after you’ve authenticated yourself. “Reinout is allowed to delete existing sluices in the Nieuwegein website”.

Authorization thus depends on the kind of content each website holds and on that site's internal rights structure. That differs per site, so it cannot be managed in one central location.
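To make the split concrete, here is an added example (not code from lizard-auth-server itself) of the two halves side by side: the SSO's only job is to hand out a signed token that says who you are, and the individual site verifies that token and then consults its own, local rights table. The HS256 JWT handling is written out with the standard library so it runs offline; the shared secret, the "reinout"/"guest" users and the `sluice.delete` permission of the Nieuwegein site are constructed for the example. The verifier rejects tokens whose `alg` is anything but the expected HS256, which is the check that stops the well-known `alg: none` trick.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this example. In practice the SSO and each site
# would share a secret (or the site would hold the SSO's public key).
SSO_SECRET = b"example-shared-secret-do-not-use"


def _b64url(data: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, secret=SSO_SECRET, lifetime=300, now=None):
    """Authentication side (the SSO): assert *who* the user is, nothing more.

    The payload deliberately carries no roles or permissions: those are the
    business of each site, not of the SSO.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "iat": now, "exp": now + lifetime}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def authenticate(token, secret=SSO_SECRET, now=None):
    """Verify the SSO token. Returns the username, or None if the token is
    malformed, uses an unexpected algorithm, has a bad signature, or expired."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: never let the token choose (this blocks alg=none).
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(
            secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
        ).digest()
        # Constant-time comparison so signature bytes can't be guessed by timing.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError):
        # Covers bad base64 (binascii.Error), bad JSON and a wrong part count.
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload.get("sub")


# Authorization side (one site): a constructed rights table for the
# Nieuwegein website. Another site would have a completely different one.
NIEUWEGEIN_RIGHTS = {
    "reinout": {"sluice.view", "sluice.delete"},
    "guest": {"sluice.view"},
}


def authorize(username, permission, rights=NIEUWEGEIN_RIGHTS):
    """Site-local decision: is this authenticated user allowed to do this?"""
    return permission in rights.get(username, set())


def can_delete_sluice(token, now=None):
    """The full flow a site goes through: authenticate first, then authorize."""
    username = authenticate(token, now=now)
    if username is None:
        return False
    return authorize(username, "sluice.delete")


if __name__ == "__main__":
    token = issue_token("reinout")
    print("token:", token)
    print("reinout may delete sluices:", can_delete_sluice(token))
    print("guest may delete sluices:", can_delete_sluice(issue_token("guest")))
```

Note what the token does not contain: there is no "may delete sluices" claim in it. The SSO would have no way to know that for every site, which is exactly why the new design keeps authorization out of it.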