Big 9 Difference Authentication and Authorization - Dipak Tiwari

Authentication and Authorization

Authentication and authorization are both used for protection. Because both words begin with “auth,” it can be difficult to differentiate between the two concepts. They are separate processes used to protect an organization from cyberattacks. Many web development frameworks provide built-in functionality for authentication and authorization; otherwise, we can implement these features through the available online libraries. These features should be implemented if your application has multiple modules or if you need to allow access to a specific role type. Within the .NET framework, for example, you could use role-based access control or claims-based access control. Laravel, which is one of the best frameworks in PHP, provides built-in support for these features, and Passport is the best package library that follows the OAuth 2.0 protocol.

Comparing these processes to a real-world example, when you go through security in an airport, you show your ID to authenticate your identity. Then, when you arrive at the gate, you present your boarding pass to the flight attendant, so they can authorize you to board your flight and allow access to the plane.

What is Authentication?

Authentication is the process of verifying someone’s identity by ensuring that the person is who they claim to be.

If the user can’t prove their identity, they cannot access the system.

It answers the question: who is the user?

The short form of authentication is AuthN.

What is Authorization?

Authorization determines the level and type of access to resources that a user has.

It answers the question: what permissions does the user have?

The short form of authorization is AuthZ.

Difference Between Authentication And Authorization

There are big differences between authentication and authorization. Let’s check them one by one.

#1 Concept

Authentication is used to identify the user.

Authorization is used to grant permission to use resources.

#2 Techniques

Authentication:

  1. Usernames and passwords or Single-Factor (SFA)
  2. Passwordless
  3. Two-Factor (2FA)
  4. Multi-Factor (MFA)
  5. Single Sign-on (SSO)
  6. Social Media

Authorization:

  1. Role-based access control (RBAC)
  2. JSON Web Token (JWT)
  3. Security Assertion Markup Language (SAML)
  4. OpenID authorization
  5. OAuth

#3 Priority

You need to perform authentication first. Then we can check the authorization.

#4 Visibility

The user can see details of authentication, while the user can’t see authorization details.

#5 Changeability

The user can change the details of authentication, but they can’t change the details of authorization. Only the owner of the system or an authorized user who can grant and revoke authorization can change authorization details.

#6 Required

Authentication requires an ID token, while authorization requires an access token to access specific resources.

#7 Determines

Authentication determines whether it is a verified user or not, while authorization determines whether the user has privileges or not.

#8 Protocol

Authentication uses the OpenID Connect (OIDC) protocol, while authorization uses the OAuth protocol.

#9 Example

Authentication:

By verifying employee identity, employees can get access to a human resources (HR) application which includes their personal payment information, vacation time, working hours, leave details, and other data.

Authorization:

Once their level of access is authorized, employees and HR managers can access different levels of data based on the permissions set by the organization.
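
The HR scenario above, together with the ordering from #3 (authenticate first, then authorize), as an added Python example that is not part of the original article. The user names, passwords, permission strings and the get_payroll function are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # illustrative work factor for PBKDF2-HMAC-SHA256

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def _make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "role": role}

# Constructed sample accounts (names, passwords and roles are made up).
USERS = {
    "asha": _make_user("correct horse", "employee"),
    "ravi": _make_user("battery staple", "hr_manager"),
}
# Unknown usernames are checked against this record so the work done is the same.
_DUMMY = _make_user("placeholder", "none")

# RBAC: permissions attach to roles, not to individual users.
ROLE_PERMISSIONS = {
    "employee": {"payroll:read_own"},
    "hr_manager": {"payroll:read_own", "payroll:read_any"},
}

def authenticate(username: str, password: str):
    """AuthN: who is the user? Returns the username, or None on failure."""
    record = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash(password, record["salt"]), record["hash"])
    return username if matches and username in USERS else None

def authorize(username: str, target: str) -> bool:
    """AuthZ: may this already-authenticated user read target's payroll?"""
    perms = ROLE_PERMISSIONS.get(USERS[username]["role"], set())
    if "payroll:read_any" in perms:
        return True
    return "payroll:read_own" in perms and username == target

def get_payroll(username: str, password: str, target: str) -> int:
    """Returns an HTTP-style status code: 401, 403 or 200."""
    user = authenticate(username, password)
    if user is None:
        return 401  # identity not proven, so authorization is never evaluated
    if not authorize(user, target):
        return 403  # identity proven, but the role lacks the permission
    return 200
```

A failed login yields 401 and a valid login without the needed permission yields 403, so the two checks stay distinguishable in application logs.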

Summarised Differences Between Authentication and Authorization

  1. Concept
  2. Techniques
  3. Priority
  4. Visibility
  5. Changeability
  6. Required
  7. Determines
  8. Protocol
  9. Example
