## What is the Difference?
**Authentication** answers: "Who are you?" - Proving your identity.
**Authorization** answers: "What are you allowed to do?" - Permissions after identity is verified.
Think of airport security: Authentication is showing your passport (proving who you are). Authorization is your boarding pass determining if you can enter business class or economy (what you can access).
## Authentication Explained
Authentication verifies identity. Common methods:
**Username/Password**: Traditional login. You prove you know the secret password.
**Multi-Factor Authentication (MFA)**: Password + something else (SMS code, authenticator app, fingerprint). More secure because one factor can be compromised but not all.
**Biometrics**: Fingerprint, face recognition. Your physical traits prove identity.
**OAuth/Social Login**: "Login with Google" - let trusted providers verify your identity.
**Passwordless**: Magic links sent to email, or authenticator apps. No password to remember or steal.
## Authorization Explained
After authentication proves who you are, authorization determines what you can do.
**Role-Based (RBAC)**: Users have roles (admin, editor, viewer). Roles have permissions.
- Admin: Can delete users, modify settings
- Editor: Can create/edit content
- Viewer: Can only read
**Permission-Based**: Direct permissions to users. "User A can edit posts in category X."
**Attribute-Based (ABAC)**: Complex rules based on attributes. "Managers can approve expenses under $5000 in their department."
## Real-World Examples
**Google Docs**:
- Authentication: Login with your Google account
- Authorization: Can you view, comment, or edit this document?
**AWS Console**:
- Authentication: Username/password + MFA
- Authorization: IAM policies determine which services you can access
**Slack**:
- Authentication: SSO login via company identity provider
- Authorization: Workspace permissions (admin, member, guest)
## Common Authentication Flows
**Session-Based**:
1. User logs in with credentials
2. Server creates session, stores in database
3. Server sends session ID cookie to browser
4. Browser includes cookie in every request
5. Server looks up session to verify identity
**Token-Based (JWT)**:
1. User logs in with credentials
2. Server issues JWT token
3. Client stores token (localStorage/cookies)
4. Client includes token in request headers
5. Server verifies token signature
## Common Authorization Patterns
**Check on Every Request**:
```javascript
function deletePost(userId, postId) {
const post = getPost(postId);
// Authorization check
if (post.authorId !== userId && !isAdmin(userId)) {
throw new Error("Unauthorized");
}
// Proceed with deletion
database.delete(postId);
}
```
**Middleware Authorization**:
```javascript
app.delete("/posts/:id",
authenticate, // Verify identity
authorize("admin"), // Check permissions
deletePostHandler // Actual logic
);
```
## Security Best Practices
**Authentication**:
- Hash passwords (bcrypt, Argon2), never store plain text
- Enforce strong password requirements
- Implement rate limiting to prevent brute force
- Use MFA for sensitive operations
- Expire sessions/tokens after reasonable time
**Authorization**:
- Principle of least privilege (give minimum necessary access)
- Check permissions on server, never trust client
- Revoke access immediately when users leave/change roles
- Audit access logs for suspicious activity
## Common Mistakes
**Confusing the Two**: Passing authentication does not mean authorization. Just because someone logged in does not mean they can access everything.
**Client-Side Only Checks**: Never rely on frontend to hide buttons. Always verify permissions on backend. Clever users bypass frontend restrictions.
**Hardcoded Roles**: Avoid `if (user.email === "admin@company.com")`. Use proper role systems.
**No Token Expiration**: JWTs without expiration work forever if stolen.
## JWT and Authorization
JWTs often combine both:
```
{
"userId": "123", // Authentication (who)
"email": "rohan@co.com",
"roles": ["admin"], // Authorization (what they can do)
"exp": 1735689600
}
```
Server decodes JWT to get both identity and permissions in one token.
## Career Relevance
Every application needs authentication and authorization. Understanding these deeply is critical for:
- **Backend developers**: Implement secure login and permission systems
- **Frontend developers**: Handle auth flows, show/hide UI based on permissions
- **Security engineers**: Design secure authentication systems
- **System designers**: Architect multi-tenant applications with complex permissions
Authentication and authorization are not optional. They are the foundation of secure applications.
