What role does session on the Authorization server play?

Time:11-24

I was reading about Sessions in this article https://auth0.com/docs/users/sessions

It says when a user logs in, two types of sessions are created:

Two sessions are created:

The local session (storezero.io): Allows the application to know if a user is authenticated.

The session on the Authorization Server (storezero.auth0.com): Allows the Authorization Server to know if a user is authenticated and optionally, tracks other information. For example, the Authorization Server can track whether a user has authenticated using MFA. If so, the next time the user arrives at the Authorization Server, they won't need to see a login page or be prompted to use MFA again.

It says "the next time the user arrives at the Authorization Server, they won't need to see a login page or be prompted to use MFA again."

What does this sentence mean exactly? Why wouldn't they see a login page?

What role does the session on the Authorization server play? Why is it important to store sessions in the authorization server? If we use JWT tokens to authenticate, I don't see any use in storing the sessions on the server (because JWT tokens can be validated by the resource server and don't need to communicate with the authorization server).

CodePudding user response:

For example, when you log in on gmail.com, you are redirected to https://accounts.google.com/ and you authenticate there. You will also get a session cookie with accounts.google.com. Then you are redirected back to gmail.com. Great!

When you next want to go to https://calendar.google.com/, you will be redirected to accounts.google.com to authenticate, but as you are already signed in there (using the session cookie), you will automatically be signed in to calendar.google.com as well.

So by having a session with your identity provider, you can get a single-sign-in (SSO) experience across multiple services (assuming the scopes required do not change).
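The flow in this answer, modelled as an added example (not code from the original post, Auth0 or Google): two relying parties delegate login to one authorization server, and the server-side session behind the authorization server's own cookie is what lets the second app sign in without a login page, and what a logout there revokes for every app at once. Domain names, cookie names, the session TTL and the credential check are all constructed.

```python
import secrets
import time

SESSION_TTL = 3600  # constructed: seconds an authorization-server session stays valid
IDP_DOMAIN = "accounts.example"  # constructed identity-provider domain


class AuthorizationServer:
    """Keeps one server-side session per browser, keyed by its own cookie value."""

    def __init__(self):
        self.sessions = {}  # cookie value -> {"user", "mfa", "created"}

    def authorize(self, idp_cookie, credentials=None, mfa_ok=False):
        """Entry point a relying party redirects the browser to.

        Returns (user, idp_cookie, prompted); prompted is True when the user
        had to see a login page because no valid IdP session existed.
        """
        sess = self.sessions.get(idp_cookie)
        if sess and time.time() - sess["created"] < SESSION_TTL:
            return sess["user"], idp_cookie, False  # silent SSO, no login page
        if credentials is None:
            return None, None, True  # login page must be shown
        # Constructed check: a real server verifies the password and MFA here.
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = {"user": credentials["user"], "mfa": mfa_ok,
                                 "created": time.time()}
        return credentials["user"], cookie, True

    def logout(self, idp_cookie):
        """Ending the IdP session ends SSO for every relying party."""
        self.sessions.pop(idp_cookie, None)


def visit(app_domain, cookie_jar, idp, credentials=None):
    """Relying party with no local session redirects to the IdP. Returns (user, prompted)."""
    user, cookie, prompted = idp.authorize(cookie_jar.get(IDP_DOMAIN))
    if prompted and credentials is not None:  # user fills in the login page
        user, cookie, prompted = idp.authorize(None, credentials, mfa_ok=True)
    if user:
        cookie_jar[IDP_DOMAIN] = cookie                      # IdP session cookie
        cookie_jar[app_domain] = f"local-session:{user}"      # the app's local session
    return user, prompted


def sso_demo():
    idp, jar = AuthorizationServer(), {}
    first = visit("mail.example", jar, idp, credentials={"user": "alice"})
    second = visit("calendar.example", jar, idp)  # no credentials needed
    idp.logout(jar[IDP_DOMAIN])
    third = visit("calendar.example", jar, idp)  # IdP session gone: prompted again
    return first, second, third
```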
