Perhaps you are not comfortable with, or don’t know much about, either of these two terms beyond the fact that they start with the same four letters, “auth”. Well, were you aware that the prefix “auth” is actually Greek for “self”? Both operations refer to being able to do things on one’s own behalf, but there are important distinctions between them that I will break down in plain English.

In the context of programming, authorization refers to checking that a user or entity has the ability to access specific resources based on their permissions.

Authorization is not the same thing as authentication. Authentication refers to a user or entity being able to prove their identity in order to access specific resources.

In as few words as possible:

Authorization — having permission to do something

Authentication — verifying identity in order to do something

Example of authorization

Let’s say there’s an app that serves companies, and two types of users can log into it: admins and employees (can you tell I work for Gusto?). The app’s business logic states that admins can see everything about employees at the same company, including sensitive data such as birthdays and Social Security numbers. Employees can look at their own profile information, but not at other employees’ information at the company. Neither admins nor employees can look at any information about users at other companies.

What does this mean in terms of authorization? It means that when Adrian, an admin at Company A, tries to look at the Social Security number of Bryn, who works at Company B, Adrian should be prevented from doing so: she is unauthorized to perform this action. Adrian can look at Anoushka’s SSN, though, because Anoushka works at Company A as an employee. Only Bryn herself and the admins at Bryn’s company can look at her SSN, because that is how the app’s authorization scheme is structured.
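The scheme above, written as a deny-by-default check. This is an added example, not code from the original post or from Gusto; the company labels and the SSN values are constructed placeholders, and a deliberately incomplete role-only check is included for contrast to show why the company boundary must be tested explicitly.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class User:
    name: str
    company: str
    role: str  # "admin" or "employee"


def can_view_ssn(viewer: User, target: User) -> bool:
    """Authorization rule from the example: allow only what is explicitly permitted."""
    # A user may always view their own profile.
    if viewer == target:
        return True
    # Company boundary first: cross-company access is never allowed, whatever the role.
    if viewer.company != target.company:
        return False
    # Same company: only admins may see other people's sensitive data.
    return viewer.role == "admin"


def can_view_ssn_role_only(viewer: User, target: User) -> bool:
    """Incorrect check kept for contrast: it tests the role but forgets the
    company scope, so an admin at Company A would be allowed to read Company B data."""
    return viewer == target or viewer.role == "admin"


def lookup_ssn(viewer: User, target: User, ssn_store: Dict[str, str]) -> Optional[str]:
    """Fetch target's SSN only after the authorization check passes.
    Returns None on denial; a web handler would map that to a 403 response."""
    if not can_view_ssn(viewer, target):
        return None
    return ssn_store.get(target.name)


# Constructed sample users; the names come from the example above.
ADRIAN = User("Adrian", "Company A", "admin")
ANOUSHKA = User("Anoushka", "Company A", "employee")
BRYN = User("Bryn", "Company B", "employee")
BRYN_ADMIN = User("Company B admin", "Company B", "admin")

if __name__ == "__main__":
    # Constructed placeholder SSNs, not real numbers.
    store = {"Anoushka": "000-00-0001", "Bryn": "000-00-0002"}
    print(lookup_ssn(ADRIAN, ANOUSHKA, store))  # Adrian is an admin at Anoushka's company
    print(lookup_ssn(ADRIAN, BRYN, store))      # None: Bryn is at another company
    print(lookup_ssn(BRYN, BRYN, store))        # Bryn's own profile
    print(lookup_ssn(ANOUSHKA, BRYN, store))    # None: employee, different company
```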

Example of authentication

When you’re in line to get into the club and have to pull out your driver’s license to verify that you are old enough to enter, that’s a form of authentication.

When a user logs in to Gmail or any other site with a username and password, they are authenticating their identity by entering the correct combination of those fields. This type of authentication rests on the premise that only the user themselves should know their own unique set of inputs, so providing the proper information is sufficient to let them access their profile. Two-factor authentication (2FA) is the practice of re-proving identity by entering a code received as a text message, or by some other means of doubly confirming an individual’s credentials to access their account.


What do authorization and authentication actually mean?