What do authorization and authentication actually mean?

julianna, published in The Startup, May 26, 2020

Perhaps you are not comfortable with, or don’t know much about, either of these two terms other than that they start with the same four letters, “auth”. Well, were you aware that the prefix “auth” is actually Greek for “self”? Both operations refer to being able to do things on one’s own behalf, but there are important distinctions between them that I will break down in plain English.

In the context of programming, authorization refers to checking that a user or entity has the ability to access specific resources based on their permissions.

Authorization is not the same thing as authentication. Authentication refers to a user or entity being able to prove their identity in order to access specific resources.

In as few words as possible:

Authorization — having permission to do something

Authentication — verifying identity in order to do something

Example of authorization

Let’s say there’s an app that serves companies and there are two types of users that can log into it: admins and employees (can you tell I work for Gusto). Let’s say the business logic of the app states that admins can see everything about employees at the same company including sensitive data such as birthdays and Social Security numbers. Employees can look at their own profile information, but not at other employee information at the company. Admins and employees certainly cannot look at any information about users at other companies.

What does this mean in terms of authorization? It means that when admin Adrian at Company A tries to look at Bryn’s Social Security number at Company B, then Adrian should be prevented from doing so. She is unauthorized to perform this action. Adrian can look at Anoushka’s SSN, though, because Anoushka works at Company A as an employee. Only Bryn and admins at Bryn’s company can look at her SSN because that is how the app’s authorization scheme is structured.
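The rules of the admin/employee scenario above, written as a deny-by-default policy check. This is an added example, not code from the original post or from Gusto; the user names, company names and SSN values are constructed placeholders.

```python
# Added example: the post's authorization scheme as a deny-by-default check.
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    ADMIN = "admin"
    EMPLOYEE = "employee"


@dataclass(frozen=True)
class User:
    name: str
    company: str
    role: Role


def can_view_ssn(actor: User, target: User) -> bool:
    """Return True only if the app's rules let `actor` see `target`'s SSN.

    Rules from the post:
      1. Nobody sees data belonging to another company (tenant isolation).
      2. Within a company, admins see every employee's data.
      3. Employees see only their own profile.
    Anything not explicitly allowed is denied.
    """
    if actor.company != target.company:      # rule 1, checked first
        return False
    if actor.role is Role.ADMIN:             # rule 2
        return True
    return actor == target                   # rule 3 (same user only)


def lookup_ssn(actor: User, target: User, records: dict) -> str:
    """Enforce the policy before touching the data; deny by raising."""
    if not can_view_ssn(actor, target):
        raise PermissionError(f"{actor.name} may not view {target.name}'s SSN")
    return records[target.name]


# Constructed sample data matching the post's scenario (placeholder SSNs).
adrian = User("Adrian", "Company A", Role.ADMIN)
anoushka = User("Anoushka", "Company A", Role.EMPLOYEE)
bryn = User("Bryn", "Company B", Role.EMPLOYEE)
bryn_admin = User("Company B admin", "Company B", Role.ADMIN)
SSN_RECORDS = {"Adrian": "000-00-0001", "Anoushka": "000-00-0002",
               "Bryn": "000-00-0003", "Company B admin": "000-00-0004"}
```

The cross-company check runs before the role check so that an admin role never bypasses tenant isolation, which is the authorization bug the scenario warns against.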

Example of authentication

When you’re in line to get into the club and have to pull out your driver’s license to verify that you are old enough to enter, that’s a form of authentication.

When a user logs in to Gmail or any other site with a username and password, they are authenticating their identity by entering the correct combination of these fields. This type of authentication rests on the premise that only the user themselves should know their own unique set of inputs, and therefore providing the proper information is sufficient to allow them to access their profile. Two-factor authentication (or 2FA) is the practice of re-proving identity by entering a code received as a text message or some other means of doubly confirming an individual’s credentials to access their account.

Authorization and authentication used together

Have you ever come across an app that you wanted to use but it required you to make an account, so you let out a sigh and opted to log in with Facebook because you didn’t want to create your 200th password? Logging in to an app through an external account is known as “Single Sign-On” (or SSO) and is often based on the OAuth protocol, which makes use of both authorization and authentication practices. OAuth is a standard procedure that authorizes apps to access information from third-party sites by using a system of HTTP calls and tokens. Tokens are granted to the “client” (aka the app that’s using Facebook as a means for logging in) if the “authorization server” (Facebook) has validated beforehand that the client is trustworthy and the user can authenticate themselves by providing their username and password for that account. If you’re already logged into Facebook, then the authentication step happens automatically, which is why the experience appears seamless in those cases.

With authorization, a user is simply either allowed to do something or not. With authentication, the user has to prove who they are in order to do it. When developing applications, it’s important to ensure that both of these processes are accounted for in order for data to be safely accessible. Users need to confirm that they have access to their accounts before being let in, and they should not be able to retrieve or edit data that is off limits to them.
