Authorization and Authentication

Both terms are often used together in discussions of security, especially when it comes to gaining access to a system. Both are crucial topics and key pieces of the web's service infrastructure. However, they are very different concepts. While it's true that they are often used in the same context, and even implemented by the same tool, they are completely distinct from each other.

There’s a big difference between gaining successful entrance to the king’s castle (Authentication) and what you are allowed to do once you are inside (Authorization). Chances are, as a visitor, your actions and movement will be restricted and for good reason. Just because you got through that big iron door does not mean you are allowed to do whatever you please.

Authentication means confirming your own identity, while authorization means being granted access to the system. In simple terms, authentication is the process of verifying who you are, while authorization is the process of verifying what you have access to.

What Is Authentication?

Authentication is the process of verifying the identity of a user by obtaining some sort of credentials and using those credentials to verify the user's identity. If the credentials are valid, the authorization process starts. The authentication process always precedes the authorization process.

You are probably already familiar with the process of authentication, because most of us perform it almost every day, whether at work (logging onto your PC) or at home (logging into a website). The truth is, in order to access most "things" that face the Internet, you have to prove who you are by supplying credentials. However, once you authenticate, many decisions happen seamlessly in the background, thanks to the behind-the-scenes work of an administrator.

Authentication factors are the elements a system uses to verify someone's identity before granting them access to anything, from opening a file to requesting a bank transaction. A user's identity can be established by what they know, what they have, or what they are. For strong security, at least two, or all three, of these factors must be verified before someone is granted access to the system.

What Is Authorization?

Authorization is the process of allowing an authenticated user to access resources by checking whether the user has the access rights to them. Authorization helps you control access by granting or denying specific permissions to an authenticated user.

Authorization occurs after your identity has been successfully authenticated by the system; it is what grants you permission to access resources such as information, files, databases, funds, locations, almost anything. In simple terms, authorization determines whether you may access the system and to what extent. Once the system has verified your identity through successful authentication, you are then authorized to access the system's resources.

Once you authenticate, you are granted authorization, or permissions, to perform certain allowed tasks. In most cases, an administrator of that system grants those permissions through access controls. What do we mean by allowed? Take authenticating to your bank's website as an example. Successful authentication will not give you the ability to look into other customers' accounts or withdraw money that is not your own. Authentication does not hand over the "keys to the castle": you are only authorized to access a room in the castle, not the moat.

To summarize, authentication grants you consideration of sorts. If you can't authenticate successfully, you will not be considered at all. The conversation between you and the application you want to access will be very short, resulting in denied access and possibly an account lockout.

Authorization, however, gives you the actual ability to perform allowed functions once you authenticate. A bank customer representative logged on as a bank employee (and not as a customer) can access many accounts and perform additional functions that you, as a bank customer, cannot, and for good reason. Hopefully you now "care" that there is such a thing as authorization and are eager to know more.
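The bank example above, worked through as two separate checks, is shown below as an added example; it is not code from the original article. The users, salts, passwords, accounts and balances are constructed sample data, and the role rule (customers see only their own accounts, employees see any account) is an assumption that mirrors the customer-representative scenario in the text. The point it makes is that a correct password only gets you past the first gate; the second function decides what that identity may touch.

```python
import hashlib
import hmac

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; iteration count kept low for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

def make_user(password: str, salt: bytes, role: str) -> dict:
    return {"salt": salt, "hash": hash_password(password, salt), "role": role}

# Constructed credential store: username -> salt, password hash, role.
USERS = {
    "alice": make_user("alice-pw", b"salt-alice-01", "customer"),
    "bob":   make_user("bob-pw",   b"salt-bob-02",   "customer"),
    "carol": make_user("carol-pw", b"salt-carol-03", "employee"),
}

# Constructed accounts: account id -> owner and balance.
ACCOUNTS = {
    "acct-100": {"owner": "alice", "balance": 500},
    "acct-200": {"owner": "bob",   "balance": 1200},
}

def authenticate(username: str, password: str):
    """Authentication: who are you? Returns the verified username or None."""
    user = USERS.get(username)
    if user is None:
        hash_password(password, b"dummy-salt")   # keep timing similar for unknown users
        return None
    candidate = hash_password(password, user["salt"])
    return username if hmac.compare_digest(candidate, user["hash"]) else None

def authorize_view_account(principal: str, account_id: str) -> bool:
    """Authorization: what may you do? Customers see only their own accounts;
    employees (the bank representative in the text) may see any account."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        return False
    role = USERS[principal]["role"]
    return role == "employee" or account["owner"] == principal

def view_balance(username: str, password: str, account_id: str):
    """The two checks in order: authenticate first, then authorize."""
    principal = authenticate(username, password)
    if principal is None:
        return ("denied", "authentication failed")
    if not authorize_view_account(principal, account_id):
        return ("denied", "not authorized for this account")
    return ("ok", ACCOUNTS[account_id]["balance"])
```

Note that the authorization decision is made against the identity returned by the authentication step, never against the username the caller typed in; keeping the two results separate is what stops a valid login from being turned into a view of someone else's account.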

What Is The Difference Between Using Cookie, Session, And Token-Based Authentication?

A cookie is a string stored in your web browser. Often it contains a key that identifies you to the server. A session is data about an authenticated user, stored on the server in some way, such as in a file or an in-memory database. To find it, you need an identifier.

In session-based authentication, the server creates a session for the user after the user logs in. The session ID is then stored in a cookie in the user's browser. While the user stays logged in, the cookie is sent along with every subsequent request. The server can then compare the session ID from the cookie against the session information it holds in memory to verify the user's identity and send a response with the corresponding state.

Session Based Authentication flow
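The session flow just described, as an added example that is not part of the original article: an in-memory session store, a login step that hands the browser an opaque session ID in a cookie, and a lookup on each later request. No web framework is involved; requests and responses are plain dicts of headers so the exchange can be traced by hand. The cookie name `sid`, the one-hour lifetime and the `SESSIONS` dict are assumptions for the demo.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 3600   # demo value, in seconds
SESSIONS = {}        # server-side store: session id -> {"user", "expires"}

def login(username):
    """Called once authentication has succeeded: create a server-side session
    and return the Set-Cookie header that hands its opaque ID to the browser."""
    session_id = secrets.token_urlsafe(32)   # 256 random bits: unguessable
    SESSIONS[session_id] = {"user": username, "expires": time.time() + SESSION_TTL}
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["httponly"] = True     # page scripts cannot read it
    cookie["sid"]["secure"] = True       # sent over HTTPS only
    cookie["sid"]["samesite"] = "Lax"    # limits cross-site sending
    cookie["sid"]["path"] = "/"
    return {"Set-Cookie": cookie["sid"].OutputString()}

def browser_reply_headers(set_cookie):
    """What the browser sends back on later requests: just name=value."""
    return {"Cookie": set_cookie.split(";", 1)[0]}

def session_id_from_request(request_headers):
    cookie = SimpleCookie()
    cookie.load(request_headers.get("Cookie", ""))
    morsel = cookie.get("sid")
    return None if morsel is None else morsel.value

def current_user(request_headers):
    """Resolve the Cookie header of a request to a user, or None."""
    session_id = session_id_from_request(request_headers)
    if session_id is None:
        return None
    session = SESSIONS.get(session_id)
    if session is None:
        return None                      # unknown, or already logged out
    if session["expires"] < time.time():
        del SESSIONS[session_id]         # expired: forget it server-side
        return None
    return session["user"]

def logout(request_headers):
    """Invalidate the session server-side; the cookie value becomes useless."""
    session_id = session_id_from_request(request_headers)
    if session_id is not None:
        SESSIONS.pop(session_id, None)

if __name__ == "__main__":
    response = login("alice")
    request = browser_reply_headers(response["Set-Cookie"])
    print(current_user(request))         # alice
    logout(request)
    print(current_user(request))         # None
```

The identifier itself carries no information; everything about the user lives on the server, which is why logging out (or expiring the entry) takes effect immediately even though the browser still holds the old cookie.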

Many web applications use JSON Web Tokens (JWT) instead of sessions for authentication. In a token-based application, the server creates a JWT signed with a secret and sends it to the client. The client stores the JWT (usually in local storage) and includes it in a header with every request. The server then validates the JWT on every request from the client and sends a response.

Token Based Authentication flow
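The token flow above, as an added example that is not from the original article: an HS256 JWT built and checked with only the Python standard library, so the sign-send-validate steps are visible rather than hidden inside a JWT library. The signing key is a constructed demo value, the `Authorization: Bearer` header convention and the 15-minute default lifetime are assumptions, and the `now` parameter exists only so the expiry check can be exercised with fixed timestamps. Unlike the session example, nothing is stored server-side: the signature is what proves the server issued the token. A token kept in local storage is readable by any script running on the page, which is why many deployments put it in an HttpOnly cookie instead; that choice is outside this snippet.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real service loads it from a secret store.
SECRET = b"constructed-demo-signing-key-do-not-reuse"

def b64url_encode(data: bytes) -> str:
    # JWT segments use base64url without padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def encode_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

def create_jwt(subject: str, ttl_seconds: int = 900, now=None) -> str:
    """Server side, after login: sign header.payload with HMAC-SHA256."""
    now = int(time.time() if now is None else now)
    signing_input = (encode_segment({"alg": "HS256", "typ": "JWT"}) + "." +
                     encode_segment({"sub": subject, "iat": now, "exp": now + ttl_seconds}))
    signature = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)

def validate_jwt(token: str, now=None) -> dict:
    """Server side, on every request: return the payload or raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side; the token must not choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return payload

def handle_request(headers: dict, now=None):
    """Read 'Authorization: Bearer <jwt>' and return the subject, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    try:
        return validate_jwt(auth[len("Bearer "):], now=now)["sub"]
    except ValueError:   # also covers malformed base64 and JSON
        return None

if __name__ == "__main__":
    token = create_jwt("alice")
    print(handle_request({"Authorization": "Bearer " + token}))   # alice
```

Because the server keeps no record of issued tokens, a token stays valid until `exp` no matter what happens on the server in between; short lifetimes are the usual answer to that, which is the trade-off against the immediate logout the session store gives.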