
Introduction

Authentication and authorization

Authentication is the process of verifying who a user is; very often a username and password are used for this. The server-side application compares the submitted username and password with the record it holds in its database. If the submitted information matches, the server assumes the user is a valid user and grants access.

```mermaid
sequenceDiagram
    participant User
    participant Browser
    participant Backend
    User->>Browser: Login button is pressed
    Browser->>Backend: POST /api/login { username, password }
    Note left of Backend: backend signs token
    Backend->>Browser: token returned in body
    Note left of Browser: token stored in local storage/react state
```

Authorization is the process of verifying that the user has the right to use a resource before the resource is actually used. Usually a token or a session is used to detect that the user has successfully authenticated earlier.

```mermaid
sequenceDiagram
    participant User
    participant Browser
    participant Backend
    Note left of User: user creates some data
    User->>Browser: user sends data (click)
    Browser->>Backend: POST /api/endpoint { data }, token in header
    Note left of Backend: backend identifies user from token, resource used
    Backend->>Browser: response sent back to browser, 201 Created
    Note left of Browser: UI visualises data saved successfully
```

In short, access to a resource is protected by both authentication and authorization. If the user can't prove their identity, they won't be allowed into the resource. For example, in this course node.js/express applications will use some authentication method (token or session) to get the user authenticated. Later, when an express endpoint is requested, the node/express application checks that the user is authorized to use/access the specified endpoint.

Here's a quick overview of the differences between authentication and authorization:

[Image: comparison of authentication and authorization] Image source: auth0.com

Read More

Goals of this topic

Understand

  • The basics of authentication and authorization