Passport Authentication Flow Explained with Simple Concept Diagram
How the Passport authentication flow works end to end
The Passport authentication flow is a complete cycle that begins when a user attempts to log in and continues through session creation and every subsequent request. When the strategy's verify callback reports success, Passport logs the user in (the req.login() step that passport.authenticate performs for you) and immediately moves into the serialization phase. At this stage, serializeUser extracts a minimal piece of information, usually the user ID, and stores it in the session under req.session.passport.user. The session itself is managed by express-session: the session data lives in a server-side store, and the browser receives only a signed cookie holding the session ID, so no user data travels in the cookie. Two practical points follow from this. First, the default MemoryStore is meant for development only; a production deployment needs a real store (Redis, a database) and a cookie configured with httpOnly, secure and a sameSite policy. Second, Passport 0.6 and later regenerate the session during login, so a session ID that existed before authentication is not carried over into the logged-in session; this is what closes the session fixation hole in the old behaviour.
What happens on each request after login
Once the session is created, every new request from the user carries the session ID cookie. The passport.session() middleware reads the session that express-session loaded for that ID and extracts the stored identifier. It then calls deserializeUser, which uses that identifier to fetch the complete user object from the database. After retrieving the user, Passport attaches it to req.user, making the user available throughout the request lifecycle without requiring repeated login, and req.isAuthenticated() returns true. Note that this is a database lookup on every authenticated request, so deserializeUser should be a cheap primary-key fetch. Handle the case where the identifier no longer resolves (the account was deleted or disabled since login): call done(null, false) rather than done(err). With false, Passport treats the request as unauthenticated and drops the stale identifier from the session; with an error, every request from that browser turns into a server error until the cookie is cleared.
Overall flow understanding in simple terms
In simple terms, the authentication flow can be understood as a loop: login creates a session, the session stores a small identifier, and every request uses that identifier to rebuild the full user object. The session stays small and the cookie never carries user data, which is the efficiency gain. The security gain is that the user record is authoritative on every request: a role change or account removal takes effect on the next request instead of living on in a stale copy, and deleting the session entry on the server revokes the login outright. The price is one database lookup per authenticated request, so keep deserializeUser to a primary-key fetch and cache only with an invalidation path.