Authorization vs Authentication

Because "auth" is ambiguous, the distinguishing terms "authn" (authentication) and "authz" (authorization) are often used instead.

Both are an important part of identity and access management (IAM), but...

  • authn has to do with identity (who someone is)
    • authn can be carried out with username/password, 2FA, public key certificates, biometric etc.
  • authz has to do with permissions (what an authenticated user is allowed to do)
    • authz can be carried out with RBAC (role-based access control), ABAC (attribute-based access control)

Analogy: think of authorization as a subway ticket. The ticket is in no way attached to your identity, since you just got it from a machine. You could give the ticket to someone else, and it would authorize them to enter the platform and board the train. Authentication, on the other hand, is about identity. If authorization is a subway ticket, then authentication is a fingerprint scan.

Basic Authentication

HTTP provides its own form of basic authentication out of the box. It works by joining the username and password with a : separator, base64-encoding the resulting string, and sending it with each request.

  • dangerous, since the password (only base64-encoded, which is reversible, not encrypted) is sent on every request.

Because SSL/TLS encrypts the connection, sending the plaintext password from the client to the server in this form is fine.
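Added example (not from these notes) showing both halves of Basic auth: how the client builds the Authorization header, and how a server parses it back and checks the credentials. The user table and passwords are constructed for illustration; the decode step makes it obvious that base64 is reversible, which is why this scheme depends on TLS.

```python
import base64
import hmac

# Constructed sample user table (not from any real system). A real server
# would store password hashes, not plaintext; kept simple to show the header.
USERS = {"alice": "s3cret:with:colons"}


def build_basic_header(username: str, password: str) -> str:
    """Build the Authorization header value the client sends on every request."""
    if ":" in username:
        # RFC 7617: the username may not contain ':' since it is the separator.
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(header: str):
    """Return (username, password) from a Basic header, or None if malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet.
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # Only the first ':' separates the fields; the password may contain more.
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def check_basic_auth(header: str) -> bool:
    """Server-side check: True only if the header carries valid credentials."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    username, password = creds
    expected = USERS.get(username, "")
    # Constant-time comparison so the response time does not reveal how
    # many leading characters of the password were correct.
    matches = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return matches and username in USERS
```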

  1. Auth Tokens
  2. Passport
  3. Session