As a web developer, you come across the terms “authentication” and “authorization” a lot. Some developers incorrectly use these two terms interchangeably. In fact, authorization and authentication are two different programming terms that web developers should know. They aren’t interchangeable, because they describe distinct steps with distinct purposes. Understanding these differences will help you understand your own code, the APIs of third-party sites, and any code you’re tasked with managing in the future.
What is Authentication?
Authentication is the process of confirming who you are. When you log in to a website, the website program checks your user name and password against the credentials it has stored for your account. If the values match, the website program determines that you are indeed “you” when the login process completes. If you accidentally type a wrong password into the login form, the program triggers a security response that blocks you from accessing any private areas of the site. If you attempt to log in with the wrong credentials too many times, the website program might lock the account to protect it from guessing attempts.
Authentication procedures are performed in almost any multi-user application. Many single-user desktop applications don’t use them, because it’s assumed that only you have access to your physical machine. Of course, there are some security flaws associated with this assumption, but for the most part, authentication only occurs when more than one person has access to a system.
Third-party web APIs, networking systems, servers, and several external systems use authentication to verify who is accessing a system. If you do any transactions online, you are guaranteed to run into authentication procedures.
What is Authorization?
Authorization usually depends on a prior authentication step, but the process itself is completely different. Authorization is the process of determining what parts of a system you have access to. In other words, what are you authorized to do once you are authenticated? Authorization is a tiered model that uses roles and permissions. For instance, a system might have an administrator role and a customer service role. Each role has a set of permissions. Administrators have full control of the system, so they have all permission rights. Customer service roles only have permissions to access customer information, look up customer orders and help customers make payments. They can’t, for example, make changes to a global system setting.
While some form of authentication is part of almost every system, authorization is only needed where tiered levels of access exist. For instance, in a networking environment, you have servers that control permissions: users are allowed to access information, but they can’t change a server’s settings. Roles and permissions can get complex in larger systems. The administrator is usually in charge of setting up and managing permissions and roles.
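Here is an added example (mine, not from the original post) that puts the two steps side by side in Python: a login check that answers “who are you?” and a role lookup that answers “what may you do?”, using the administrator and customer service roles described above. The user names, passwords and permission names are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data. Passwords are stored as salted PBKDF2 hashes,
# never in plain text; roles map to the permissions described in the text.
ROLE_PERMISSIONS = {
    "administrator": {"view_customer", "view_orders", "take_payment",
                      "change_global_setting"},
    "customer_service": {"view_customer", "view_orders", "take_payment"},
}

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "role": role}

USERS = {
    "alice": make_user("correct horse battery staple", "administrator"),
    "bob": make_user("cs-agent-passw0rd", "customer_service"),
}

def authenticate(username: str, password: str) -> Optional[str]:
    """Authentication: who are you? Returns the username on success."""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so an unknown account takes as long as a wrong password.
        hash_password(password, b"\x00" * 16)
        return None
    candidate = hash_password(password, user["salt"])
    # Constant-time comparison so timing does not reveal how much matched.
    return username if hmac.compare_digest(candidate, user["hash"]) else None

def authorize(username: str, permission: str) -> bool:
    """Authorization: what may you do? Checks the user's role for a permission."""
    user = USERS.get(username)
    if user is None:
        return False
    return permission in ROLE_PERMISSIONS.get(user["role"], set())

def access(username: str, password: str, permission: str) -> str:
    """Runs both steps in order and reports which step refused the request."""
    who = authenticate(username, password)
    if who is None:
        return "authentication failed"
    if not authorize(who, permission):
        return "not authorized"
    return "allowed"
```

Note that Bob logs in successfully yet is still refused `change_global_setting`: the first refusal is an authentication failure, the second is an authorization failure, and a log should record them differently.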
The security differences between authorization and authentication are well-defined, but some new programmers get the two mixed up. Make sure you know the difference, because you’ll be asked to implement roles and permissions at some point during web development. You also need to work with both processes when you integrate third-party applications. Knowing the difference helps you create a stronger, more secure environment for your users.
Photo by BuildArk