Two fundamental security concepts that control who can access what in applications.
Authentication answers "Who are you?": proving your identity. Authorization answers "What are you allowed to do?": the permissions you hold once your identity has been verified.
Think of airport security: Authentication is showing your passport (proving who you are). Authorization is your boarding pass determining if you can enter business class or economy (what you can access).
Authentication verifies identity. Common methods:
Username/Password: Traditional login. You prove you know the secret password.
Multi-Factor Authentication (MFA): Password + something else (SMS code, authenticator app, fingerprint). More secure because an attacker who compromises one factor still lacks the others.
Biometrics: Fingerprint, face recognition. Your physical traits prove identity.
OAuth/Social Login: "Login with Google" - let trusted providers verify your identity.
Passwordless: Magic links sent to email, or authenticator apps. No password to remember or steal.
After authentication proves who you are, authorization determines what you can do.
Role-Based (RBAC): Users have roles (admin, editor, viewer). Roles have permissions.
Permission-Based: Direct permissions to users. "User A can edit posts in category X."
Attribute-Based (ABAC): Complex rules based on attributes. "Managers can approve expenses under $5000 in their department."
Google Docs:
AWS Console:
Slack:
Session-Based:
Token-Based (JWT):
Check on Every Request:
function deletePost(userId, postId) {
  const post = getPost(postId);
  // Authorization check: only the post's author or an admin may delete it
  if (post.authorId !== userId && !isAdmin(userId)) {
    throw new Error("Unauthorized");
  }
  // Proceed with deletion
  database.delete(postId);
}
Middleware Authorization:
app.delete("/posts/:id",
  authenticate,       // Verify identity
  authorize("admin"), // Check permissions
  deletePostHandler   // Actual logic
);
Authentication:
Authorization:
Confusing the Two: Passing authentication does not mean authorization. Just because someone logged in does not mean they can access everything.
Client-Side Only Checks: Never rely on frontend to hide buttons. Always verify permissions on backend. Clever users bypass frontend restrictions.
Hardcoded Roles: Avoid checks like if (user.email === "admin@company.com"). Use a proper role system instead.
No Token Expiration: JWTs without expiration work forever if stolen.
JWTs often combine both:
{
  "userId": "123",           // Authentication (who)
  "email": "rohan@co.com",
  "roles": ["admin"],        // Authorization (what they can do)
  "exp": 1735689600
}
Server decodes JWT to get both identity and permissions in one token.
Every application needs authentication and authorization. Understanding these deeply is critical for:
Authentication and authorization are not optional. They are the foundation of secure applications.