
Authentication vs Authorization

I recently stumbled upon the age-old question of the difference between authentication and authorization while building a sign-in page with OAuth 2.0 for a project. I realised that OAuth 2.0 is primarily an authorization protocol, and that authentication is handled by OIDC (OpenID Connect), an identity layer built on top of it.

Here’s how I like to think about the difference:

  • Authentication answers: who are you?
  • Authorization answers: what are you allowed to access?

Let’s break it down with an example. Suppose you (the client application) want to check into a hotel. You first provide your booking details and an identity card (your login info) so the hotel can identify you (who you are). The hotel authenticates you and then gives you access to a single room and certain shared amenities such as the pool, the gym and the breakfast area, i.e., you are allowed to access only certain areas (what you are allowed to access).

A real-world example: when we click a "Sign in with Google" button in an application, we are first routed to a sign-in page (authentication), which prompts for a password if the user is not already signed in. We then land on a consent page where we select the permissions we are granting the application to act on behalf of our user (authorization).

These two are mostly implemented separately because separating them provides:

  • Scalability: We can plug in different authentication providers while the application's authorization needs stay the same.
  • Security: Even if someone bypasses authentication, they still have to get past authorization.

This separation of concerns also allows granular and maintainable implementations.
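Here is an added example, not part of the original post, showing the two steps from the sign-in flow and the hotel analogy as separate pieces of code. `authenticate` plays the OIDC role (it validates an ID token and returns who the user is) and `authorize` plays the OAuth 2.0 role (it checks what that user may access, using a constructed grant table modelled on the hotel rooms and amenities). The issuer `https://idp.example`, the audience `hotel-app`, the guest names and the HS256 demo key are all assumptions made for this example; real providers sign ID tokens with asymmetric keys (RS256/ES256) published through a JWKS endpoint.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. Real OIDC providers sign ID tokens with asymmetric
# keys published via a JWKS endpoint; HS256 is used here only so the example
# runs with the standard library alone.
DEMO_KEY = b"demo-signing-key-not-for-production"
EXPECTED_ISSUER = "https://idp.example"  # hypothetical identity provider
EXPECTED_AUDIENCE = "hotel-app"          # hypothetical client_id of our app


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256-signed JWT; stands in for the ID token the provider returns."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def authenticate(id_token: str, key: bytes = DEMO_KEY, now=None) -> str:
    """Authentication: establish WHO the caller is.

    Verifies algorithm, signature, issuer, audience and expiry of the ID token
    and returns the subject claim. Any failure raises PermissionError.
    """
    try:
        header_b64, body_b64, sig_b64 = id_token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides, never the token (rejects alg=none).
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("invalid signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise PermissionError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise PermissionError("token not meant for this app")
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        raise PermissionError("token expired")
    return claims["sub"]


# Authorization policy, constructed to mirror the hotel analogy: each guest
# gets one room plus some of the shared amenities.
GRANTS = {
    "guest-42": {"room:101", "pool", "gym", "breakfast"},
    "guest-77": {"room:205", "pool"},
}


def authorize(subject: str, resource: str) -> bool:
    """Authorization: decide WHAT an already-identified subject may access."""
    return resource in GRANTS.get(subject, set())


def access(id_token: str, resource: str, now=None) -> str:
    """Gate a resource: first authenticate, then authorize."""
    subject = authenticate(id_token, now=now)
    if not authorize(subject, resource):
        raise PermissionError(f"{subject} may not access {resource}")
    return f"{subject} entered {resource}"


if __name__ == "__main__":
    token = make_id_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                           "sub": "guest-42", "exp": time.time() + 300})
    print(access(token, "pool"))
    try:
        access(token, "room:205")
    except PermissionError as err:
        print("denied:", err)
```

`access` is where the two concerns meet: a forged, expired or mis-addressed token never gets past `authenticate`, and a perfectly valid token for guest-42 is still refused for room 205 by `authorize`. Because the grant table is consulted only with the verified subject, swapping the identity provider (a different key, issuer or token format) changes `authenticate` alone and leaves the authorization policy untouched, which is the scalability point above.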
