So I just got done shopping at Costco and had a small epiphany. Let me know if I am way off here (right, like you guys wouldn't anyway)...
At its most basic form, authentication is the verification of identity. Before anything can be authenticated, something needs to be identified so a match between a given and a known can be established. In our case, we are talking about user authentication. The app will not identify the user. The user will identify himself. The app will take the identity the user supplies and see if that identity matches what the system knows about that identity. A user that does not identify himself would be, well, unknown. A user that chooses to identify himself would, in essence, tell the server that he is now a known person. The server would then process that information and, if the information is authentic, would tell the user that he checks out.
So this leads me to the belief that this app should address user identification which then immediately leads into user authentication. Not to trivialize the process, but something along the lines of...
Server: Hello there, welcome to our site. I am the Server. Who are you?
User: Me? For now, I'm nobody. (The user is unknown)
Server: Very well, since I do not know you I can only offer certain things to you. Please contact me again if there is anything I can do for you.
... time passes ...
User: Ok, I'm ready for more stuff.
Server: Ok, who are you?
User: I'm JoBob.
Server: And do you have your key to get in?
User: Sure, it is Pa$$w0rd.
Server: Hang on a sec, let me make sure this checks out... Thank you JoBob, welcome in.
So at this point, the user is authenticated (or not). What now? Nothing. That's right, nothing. Authentication is done. We're all happy.
But wait, how do we know if this user is allowed to go certain places and do certain things? Simple, add in Authorization and Access Control. Authorization is the system's process by which the authenticated user is either approved or not approved to do certain things. This is not to be confused with being able to go into certain places. This is along the lines of...
User: I want to change the name of this place.
Server: Very well, let me see what you can do... Sorry, but you are not authorized to do that.
User: Well, what am I authorized to do?
Server: Well, let me check... here is a list of things you can do...
Access Control, I would guess, would be the process the system follows to determine whether an authenticated user is allowed into a certain area...
User: I want to go see everyone that is in this place right now.
Server: Very well, let me see if you can go in there... Sorry, but you are not allowed in there.
User: But I'm JoBob. Why can't I go in there?
Server: I know you're JoBob. But only certain people can go there, and according to my records, JoBob is not in the list of allowed people...
So thinking of these processes, I began to think that if we are looking at authentication, we should keep an eye on Authorization and Access Control, but not code authentication around them. In its essential form, authentication only verifies identity. Nothing more or less. Authentication does not depend on any other developed process. It only depends on information supplied by the user and information known in the system.
Authorization and Access Control, however, depend on authentication. Can we build these into the authentication app? Certainly. But if we are focusing on authentication, we should develop that first and use its by-products as a featureset of Authorization and Access Control.
And as I run through this thought, session handling is probably not a needed aspect of authentication unless user tracking is a requirement of the app by the end-user (which I am sure some developers would want).
So to recap, my thoughts on this are:
1. Develop Authentication independent of anything else that the app may offer.
2. Develop Authorization (process authentication in essence) as a dependent to Authentication within the scope of this app.
3. Develop Access Control (location authentication in essence) as a dependent to Authentication within the scope of this app.
4. Develop a barebones session handling wrapper in the event the users of this app want it, but not as a requirement to anything within the app.
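The separation described in the post (authentication only verifies identity; authorization and access control consume its result and never the other way round), as an added Python sketch that is not code from the original post. The user store, permission map and area ACL are constructed sample data; the salted PBKDF2 hashing and constant-time comparison are the defensive choices a practitioner would expect in the authentication step.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (not from the original post). Passwords are stored
# only as salted PBKDF2 hashes; the plaintext appears here just to seed the demo.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"JoBob": (_SALT, _hash("Pa$$w0rd", _SALT))}
PERMISSIONS = {"JoBob": {"view_profile", "post_message"}}           # authorization data
AREA_ACL = {"whos_online": {"Admin"}, "lobby": {"JoBob", "Admin"}}  # access-control data

@dataclass(frozen=True)
class Identity:
    """The by-product of successful authentication: a verified identity, nothing more."""
    username: str

def authenticate(username: str, password: str) -> Optional[Identity]:
    """Authentication only: does the supplied (username, key) match a known one?"""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user takes about as long as a wrong password.
        _hash(password, b"\x00" * 16)
        return None
    salt, stored = record
    if hmac.compare_digest(_hash(password, salt), stored):
        return Identity(username)
    return None

def authorize(identity: Optional[Identity], action: str) -> bool:
    """Authorization: may this authenticated user do this thing? Depends on authentication."""
    if identity is None:
        return False
    return action in PERMISSIONS.get(identity.username, set())

def can_access(identity: Optional[Identity], area: str) -> bool:
    """Access control: may this authenticated user go into this area? Depends on authentication."""
    if identity is None:
        return False
    return identity.username in AREA_ACL.get(area, set())
```

Note that `authorize` and `can_access` take the `Identity` produced by `authenticate` rather than re-checking credentials, which is the dependency direction the post argues for.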