Authentication is a difficult topic fraught with potential pitfalls and complicated configuration options. Panel aims to be a “batteries-included” package for building applications and dashboards and therefore ships with a number of inbuilt providers for authentication in an application.
The primary mechanism by which Panel performs authentication is OAuth 2.0. The official specification for OAuth 2.0 describes the protocol as follows:
The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
In other words OAuth outsources authentication to a third party provider, e.g. GitHub, Google or Azure AD, to authenticate the user credentials and give limited access to the APIs of that service.
Note that since Panel is built on Bokeh server and Tornado it is also possible to implement your own authentication independent of the OAuth components shipped with Panel, see the Bokeh documentation for further information.