So I have read through the extensive documentation here about Authentication and Authorization, but I am a little confused on the implementation details.
What does the flow look like when using these services from a web application?
Do you have the user authenticate in a GUI and then continue using the secured services or do you have the application authenticate in order for it to access the services?
Are there any good examples out there of a solid implementation?
ServiceStack's Authentication and Sessions works just like any other web application, i.e. it relies cookies to maintain the identity of each request.
When you authenticate with ServiceStack, an Authenticated Session is established that gets attached to the cookies set in the HTTP Response and re-sent in future HTTP Requests. See the Session documentation for more info on how Sessions work in ServiceStack and what cookies are used.
This earlier answer describes how to remotely (or locally) authenticate with a ServiceStack instance, which if you're going through a Proxy like MVC will need to transfer the cookies to re-establish with the authenticated session. Otherwise in a GUI application you just need to re-use the same ServiceClient instance that was used to authenticate (i.e. so the cookies are re-sent on subsequent requests).
