Authentication vs Authorization - When and How to Use Them

A guide to understanding the concepts of Authentication and Authorisation through real-world examples

Are they the same concepts?

No. The two concepts are often confused and used interchangeably, when in fact the only thing they have in common is that both perform a check before allowing an operation. When and why each check happens sets them apart, and one can never be used in place of the other. Almost any app that deals with users and user data requires Authentication, and in most cases Authentication has to come before Authorization. We'll see why in a minute.

What is Authentication?

I like to start explaining any concept with a real-world representation, because that makes it more relatable and we can avoid most of the jargon. Recall how you arrive at an airport with your passport and visa, and the first thing the officer checks is the passport, to confirm that you truly are who you claim to be? That is Authentication: an identity check carried out on users when they enter a site or app.

When must we Authenticate users?

What would be the purpose of an identity check at a random street carnival, or in a crowded rural marketplace? It would be unnecessary: nobody cares who goes in and out, it is free for all, and people don't get tied to their actions because once the event is over no information about anyone needs to be stored. Now imagine the implications of not performing any identity checks at places like airports, hospitals and schools. Mr. A could travel around the world on Mr. B's passport; you go in for your regular check-up and the doctor has no record of you because nothing was ever collected to identify you; your grades get picked from a random person's exam paper because the school has no means of knowing who submitted what and who got an F in Mathematics. Catastrophic, isn't it? From these few cases we can draw some reliable pointers that help determine when Authentication is necessary.

  • When users need to be identified for a later purpose, as in the case of a medical record. Does your app provide user-specific features? If yes, then you need to Authenticate.
  • When users need to be accountable for their actions, that is, every action gets attached to a specific, identifiable user, like making a Twitter post, submitting an assignment, or subscribing to a service. Without Authentication an audit trail has nobody to point at.

What is Authorization?

Unlike Authentication, which is focused on identity and answers the question "who are you?", Authorization is about privileges: OK, I know you're Marshall Mathers, but do you have the right to walk into the White House? No sir, you'll have to turn around now! That is Authorization. Now you see why I stated earlier that in most cases Authentication has to come before Authorization: if the system cannot identify you, it cannot look up the privileges attached to your identity, and in that case the answer must always be "no, you cannot access this resource" unless there is no Authorization in place at all. Treating an unidentified visitor as an anonymous user with minimal privileges, rather than skipping the check, is the safe default.

When must we make use of Authorization?

You might think Authorization can be dropped in most cases where Authentication is employed; in this section you'll discover that the two are used together more often than not. Let's revisit some of our real-world examples of Authentication. In the airport case, checking a passenger's visa and ticket is a form of Authorization: the visa proves that the passenger is eligible to enter the destination country, while the ticket entitles them to board the plane. In the school system, the fact that a user identified as a student can only receive assignments while only staff-level users can assign them is a common example of Authorization. In the hospital, only medical staff are allowed into the labs and the operating theatre, which is Authorization as well. We can now draw a conclusion on the need for Authorization and put together a few pointers as to when Authorization is required.

  • When there are personalized contents or resources, like a dashboard that should only be accessible to the user whose data it represents.
  • When there are multiple user types with varying privileges across the app's resources, like the school case, where staff users and student users use the app differently.
  • When there are protected routes or resources. Even if there is no call to action leading unauthorized folks to these resources, people can always type a URL manually or call the API directly, so it is good practice to perform Authorization on every request to a protected resource, on the server, rather than relying on hidden links or front-end checks.
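The three pointers above, and the "Authentication first, then Authorization" ordering from the previous section, as one request pipeline. This is an added example, not code from the original post or from Auth0: a tiny framework-free request handler with a constructed session store, constructed user ids and roles, and hypothetical school routes (a per-user dashboard, listing assignments, creating assignments). Every request to a protected route goes through the same checks no matter how the URL was reached.

```javascript
// Added example (not from the original post): Authorization performed on
// every request to a protected route, after Authentication. Sessions, users,
// roles and routes below are constructed for the example.

// Session store (hypothetical): session id -> identity established at login.
const sessions = new Map([
  ['sess-alice', { userId: 'u1', role: 'student' }],
  ['sess-bob',   { userId: 'u2', role: 'staff' }],
]);

// Authentication step: map the request's session cookie to an identity.
// Returns null when nothing identifies the caller.
function authenticateRequest(req) {
  return sessions.get(req.cookies?.session) ?? null;
}

// Route policies. Each says which roles may use it and, optionally, that the
// resource in the URL must belong to the requester (the dashboard case).
const routes = [
  { method: 'GET',  pattern: /^\/users\/([^/]+)\/dashboard$/,
    roles: ['student', 'staff'], ownerOnly: true },
  { method: 'GET',  pattern: /^\/assignments$/, roles: ['student', 'staff'] },
  { method: 'POST', pattern: /^\/assignments$/, roles: ['staff'] },
];

function matchRoute(req) {
  for (const route of routes) {
    const m = req.method === route.method && route.pattern.exec(req.path);
    if (m) return { route, params: m.slice(1) };
  }
  return null;
}

// Authorization step: "is this identity allowed to do this, to this resource?"
// It only ever receives an identity that Authentication already established.
function authorize(identity, route, params) {
  if (!route.roles.includes(identity.role)) return false;          // wrong user type
  if (route.ownerOnly && params[0] !== identity.userId) return false; // someone else's data
  return true;
}

// One handler for every request. The status codes make the two checks
// visible: 401 = we don't know who you are, 403 = we know, and the answer is no.
function handle(req) {
  const match = matchRoute(req);
  if (!match) return { status: 404 };
  const identity = authenticateRequest(req);
  if (!identity) return { status: 401 };
  if (!authorize(identity, match.route, match.params)) return { status: 403 };
  return { status: 200, user: identity.userId };
}
```

Typing `/users/u2/dashboard` into the address bar while logged in as Alice still ends in a 403, because the ownership check runs on the server for every request rather than depending on the front end not showing the link.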

Should you do it yourself?

Errrm... You could of course implement basic Authentication and Authorization yourself, but consider the heavy lifting involved: storing credentials safely (salted password hashing, never plain text), session or token handling, password reset flows, rate limiting and multi-factor authentication, all of it with the cost of a breach hanging over it. You might agree that it is best to leave that part of your application to the specialists, as you are far more likely to end up with a robust Auth system. This is not meant to scare you away from implementing your own Auth system if you think you can manage it; it is a suggestion, considering all the boxes that need ticking when building even a basic Auth system from scratch, and then maintaining it.

Try Auth0 - Personal suggestion

At the time of this writing, Auth0 is my go-to service provider for Authentication and Authorization. I mostly use their React SDK for my frontend apps, but they provide SDKs for most other popular stacks and frameworks too.

Why Auth0?

  • Covers most of the use cases you'll ever need, from simple user login to multi-factor authentication to API authorization.
  • Seamless integration with common tech stacks and frameworks; I have personally tried it with React.
  • Allows a reasonable amount of customization to suit your project and use case.
  • Auth0 is cost-effective: a lot can be done on the free tier, with options to upgrade and pay as you grow.

Conclusion

We talked about the concepts of Authentication and Authorization, how they differ in the role each plays in our applications, and when to employ each of them, and we took a brief look at the Auth0 service, which provides both out of the box.