How Brave's Services Authenticate Users
You may notice while browsing our various services that you usually don't need to use an independent username and password for authentication. Instead, upon hitting the login button for any of our services you are redirected to Eve's Login Server, and then redirected back to the service upon logging in and selecting a character. We use two technologies to accomplish this: The Eve Online SSO, and Brave Core Services.
The Eve Online SSO
Eve Online's Single Sign On (SSO) service allows third-party applications to associate a user with one or more of their Eve Online characters. To start this process, a service will first generate a link to the Eve Login Server, containing information about the service and (in the case of some services) the scope(s) of the information it wants to be able to access from ESI (Eve's API).
After you navigate to that link, log in, and select a character, the login server redirects back to the service with an authorization code, which is finally exchanged for an Access Token. This Access Token can be used to query various ESI Endpoints from the perspective of that character (depending on the scopes requested by the login), but more importantly contains the ID of the character logged in, thus verifying that you control it.
You can learn more about the Eve Online SSO Authorization Flow here.
Brave Core Services
Brave Core Services (sometimes called Core or Neucore) is Brave's permission management system. Permissions in the form of Core Groups are assigned in a variety of ways; some automatically, some after approval of a Joinus application, and some manually. This is always the first service we ask new members to setup, as access to all other services stems from it.
Upon receiving your Character ID from Eve's SSO, a service will query Core to see if that character's Core Services Account has any Core Groups that are relevant to the service. Those Core Groups are then used to determine what you have access to within that service.