Phil Liao

Clarifying Authentication and Authorization with Lupe Fiasco

(This post is a fragment of a post from Software Mentor - a newsletter aimed at accelerating the careers of junior engineers)

When we talk about web security, two extremely important ideas often come up: Authentication and Authorization.

They confused me for years, and I avoided their distinction by blurring them under the topic of "Auth".

But don't be like me - let's clarify what these two words mean. To do so, let's get some help from our friend Lupe Fiasco, whose hit song "Superstar" is an excellent mnemonic for Authentication and Authorization. Let's see why:

Authentication - often referred to as AuthN - is all about proving your identity. The key lyrics from Superstar: "If you are what you say you are - a superstar - then have no fear, the camera's here, and the microphone - and they wanna know". An authentication system cares about you proving your identity. It might not give you a camera or a microphone (more likely it'll ask for a password or a fingerprint scan), but it just wants to know if you really are who you say you are.

Authorization - often referred to as AuthZ - is all about determining your access level. The key lyrics from Superstar: "Well, your name ain't on the guest list, who brung you? You! The more famous person you come through". The more famous person has greater privileges at this party. AuthZ is all about checking our directory (our guest list) to see what level of privileges you get.

So AuthN - are you who you say you are? (Identity)
And AuthZ - are you on the guest list? Then you come through. (Privileges)
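To make the split concrete, here is an added Python example (not from the original post) that keeps the two questions in two separate functions: `authenticate` proves identity against a salted password hash, and `authorize` checks the guest list for a privilege level. The users, passwords and levels are constructed; note that a proven identity is not enough on its own to get in.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed directory: credentials (for AuthN) are stored separately from
# privilege levels, the "guest list" (for AuthZ). All names and values are made up.
_SALT = os.urandom(16)  # a real system uses one random salt per user

def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

CREDENTIALS = {
    "lupe": _hash_password("superstar-2007"),
    "phil": _hash_password("software-mentor"),
    "fan": _hash_password("front-row"),      # can prove identity, but is not on the list
}
GUEST_LIST = {"lupe": "vip", "phil": "general"}  # hypothetical privilege levels
PRIVILEGE_RANK = {"general": 1, "vip": 2}

def authenticate(username: str, password: str) -> Optional[str]:
    """AuthN: are you who you say you are? Returns the proven identity or None."""
    stored = CREDENTIALS.get(username)
    if stored is None:
        _hash_password(password)  # hash anyway so unknown users take similar time
        return None
    if hmac.compare_digest(stored, _hash_password(password)):  # constant-time compare
        return username
    return None

def authorize(identity: Optional[str], required: str, sponsor: Optional[str] = None) -> bool:
    """AuthZ: is this proven identity on the guest list at the required level?
    Someone not on the list may come through with a sponsor who is; the sponsor
    name must itself come from a successful authenticate() call, never from the
    guest's own claim."""
    if identity is None:
        return False  # never grant privileges to an unproven identity
    level = GUEST_LIST.get(identity)
    if level is None and sponsor is not None:
        level = GUEST_LIST.get(sponsor)  # "the more famous person you come through"
    if level is None:
        return False
    return PRIVILEGE_RANK[level] >= PRIVILEGE_RANK[required]
```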

Thanks Lupe!
