DEV Community

Cover image for Authentication vs. Authorization
Phil the Dev
Phil the Dev

Posted on

Authentication vs. Authorization

When building web applications, there are two key security terms you need to know - Authentication and Authorization. They may seem similar, but they have different roles in ensuring the security of an application. Let's simplify these concepts a bit.

Authentication

Authentication is all about proving who you are to the system. It is the process of validating a user's identity. It could be a user, a login, or a session. The system checks if the person is genuinely who they claim to be. This is often done using a username and password, but it could also involve more advanced methods like biometric scans or two-factor authentication.

Imagine logging into a website. You enter your username and password, and the website checks if they match what it has on record. If it's a match, you're authenticated. You've successfully proved your identity to the system.

Authorization

After the system knows who you are (thanks to authentication), it needs to know what you can do within it. This is where authorization comes into play. Authorization is all about permissions - it determines what actions you can take or what resources you can access in the system.

Think about using a computer where you're not the admin. You can do some things (like creating a document), but not others (like installing new software). That's an example of authorization at work.

Visualization of both processes together

The Core Difference

In simple terms, authentication is about proving who you are, while authorization is about what you can do in the system.

Think about it this way: Authentication is like unlocking and entering your house with a key. Authorization is like knowing which rooms you're allowed to go into once you're inside.


Summary

Both authentication and authorization are important for web security. If a system doesn't manage these well, it's like leaving your front door wide open - not a good idea!

How you use these processes depends on your application's needs, the tools you're using, and how secure you want it to be. You could use something like JSON Web Tokens (JWT) to manage both processes, or OAuth if you want to let third parties have access without exposing user credentials.

In summary, knowing the difference between authentication and authorization is important for building secure web applications. They're two different concepts, but both are key parts of web security.

Top comments (10)

Collapse
 
sid262000 profile image
SID262000

Excellent article! Really appreciate the crisp, concise and simple to understand mode of communication. Looking forward to more such articles

Collapse
 
simplifycomplexity profile image
Kiran Randhawa

One minor point in your sequence diagram (great use of mermaid btw).

I was initially wondering should the user verify providing their permissions? Then I remmebered that the permissions are probably obtained from a JWT. Might be a good idea just to mention that for those who don't know?

Collapse
 
dickhardt profile image
Dick Hardt

A JWT is one of many ways of representing authorization. You are likely thinking of a common OAuth 2.0 flow.

Collapse
 
albertofdzm profile image
Alberto Fernandez Medina

This topic is usually neglected. I found that this article could be enlightening to people that don't know the differences between these two terms.

As a backend developer, I found myself discussing this topic with my colleagues every time we need to identify our app users or to limit access to some resource. On most occasions, there is misunderstanding of what logic should go where, often bounding authentication with authorization together, causing unintended technical debt that will cause plenty of problems when you want to iterate over one of those logics.

Thanks for sharing!

Collapse
 
melkye profile image
Melkye

Hey, Alberto!
Could you please tell a bit more about problems such a bounding cause? I lack some specifics to understand it clearly.

Collapse
 
dickhardt profile image
Dick Hardt

Authentication is verifying a set of credentials with an account. The credentials could be a username/password, passkey, TOTP, PIN etc.

The entity interacting with your app may be any user that has the credentials, or a another application. Knowing you are interacting with a specific user is much more nuanced.

Collapse
 
fruntend profile image
fruntend

Сongratulations 🥳! Your article hit the top posts for the week - dev.to/fruntend/top-10-posts-for-f...
Keep it up 👍

Collapse
 
windyaaa profile image
Windya Madushani

Excellent article.

Collapse
 
itechdom profile image
Sam Alghanmi

Thank you! Absolutely necessary to clarify the difference between the two as they are often conflated

Collapse
 
ed1nh0 profile image
Edson Jr.

There's no better way to explain like you did. Thank you!