Authentication
Since page requests are processed by Drupal as usual, Drupal's authentication and session handling stays fully working. Thus, when requests provide an authentication cookie, authentication just works. By default, cookie-based authentication with a separate frontend cookie is used.
Cookie-based authentication
Cookie-based authentication can be achieved in one of the following three ways:
1. Separate frontend cookie
This is the default configured of the provided project template. The Nuxt Drupal CE Connector module forwards the cookie of every request. Thus, when a user logs in on the frontend domain, the set-cookie header is also forwarded and a cookie gets set on the frontend domain and thus is applied automatically.
The login on the frontend works via the regular Drupal login form when the "Lupus Decoupled User Form" is enabled. Simply visit /user/login?destination=/ on the frontend to access it.
That way, the frontend login works with the same user accounts as the backend, but uses a separate session. The frontend and the backend needs a separate login. Also, since this variant requires a server, it only works in a server-rendered frontend setup.
2. Shared cookie domain
The Nuxt Drupal CE Connector module makes sure to forward a received cookie to the backend, such that authenticated requests just work. Instead of having a separate frontend cookie, Drupal may be configured to set the cookie on a shared, parent cookie domain. For example drupal.example.com and nuxt.example.com can both use the cookie on .example.com.
The Drupal cookie domain is configured via its services.yml file. Besides that, the project template supports setting the cookie domain via an environment variable, please refer to its README for further details.
3. CORS setup
When the JavaScript application sends requests directly to Drupal, it's possible to leverage cookie-based authentication when configuring CORS appropriately. Lupus Decoupled Drupal comes with a CORS submodule which takes care of the necessary setup. However, browser privacy features may intervene and not send the cookie to another domain reliably in some cases.
OAuth / OpenID Connect
Drupal provides great support for OAuth based login flows via the Simple OAuth extension module. A frontend may use it to authenticate all or some requests with it. For example, it might be useful for authenticating requests to a protected API that is called from the frontend server.